Re: [PATCH kvmtool 4/5] Makefile: Mark stack as not executable

[Alexandru Elisei <alexandru.elisei@arm.com>]

Hi Martin,

On Tue, Jan 18, 2022 at 12:12:02AM +0200, Martin Radev wrote:
> This patch modifies CFLAGS to mark the stack explicitly
> as not executable.
> 
> Signed-off-by: Martin Radev <martin.b.radev@gmail.com>
> ---
>  Makefile | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/Makefile b/Makefile
> index f251147..09ef282 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -380,8 +380,11 @@ DEFINES	+= -D_GNU_SOURCE
>  DEFINES	+= -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"'
>  DEFINES	+= -DBUILD_ARCH='"$(ARCH)"'
>  
> +# The stack doesn't need to be executable
> +SECURITY_HARDENINGS := -z noexecstack
> +
>  KVM_INCLUDE := include
> -CFLAGS	+= $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g
> +CFLAGS	+= $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g

I used scanelf to check that the final binary has the stack marked as
executable. For arm and arm64 I got this:

$ scanelf -e lkvm
 TYPE   STK/REL/PTL FILE
ET_DYN RW- R-- RW- lkvm

which as far as I can tell means the stack is not executable.

For x86:

$ scanelf -e lkvm
 TYPE   STK/REL/PTL FILE
ET_DYN RWX R-- RW- vm

which means the stack is executable. Digging further, it looks like there
are two objects which are missing the .note.GNU-stack section,
x86/bios/entry.o and x86/bios/bios-rom.o. I suggest you try to fix the
source files for those two objects before adding the flag to gcc. I used
the Gentoo wiki [1] to diagnose the problem, in case it's useful to you.

[1] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

Thanks,
Alex

>  
>  WARNINGS += -Wall
>  WARNINGS += -Wformat=2
> @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean)
>  
>  KVMTOOLS-VERSION-FILE:
>  	@$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT)
> -endif
> \ No newline at end of file
> +endif
> -- 
> 2.25.1
>