Hi Martin,

On Tue, Jan 18, 2022 at 12:12:02AM +0200, Martin Radev wrote:
> This patch modifies CFLAGS to mark the stack explicitly
> as not executable.
>
> Signed-off-by: Martin Radev <martin.b.radev@xxxxxxxxx>
> --- > Makefile | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/Makefile b/Makefile > index f251147..09ef282 100644 > --- a/Makefile > +++ b/Makefile > @@ -380,8 +380,11 @@ DEFINES += -D_GNU_SOURCE > DEFINES += -DKVMTOOLS_VERSION='"$(KVMTOOLS_VERSION)"' > DEFINES += -DBUILD_ARCH='"$(ARCH)"' > > +# The stack doesn't need to be executable > +SECURITY_HARDENINGS := -z noexecstack > + > KVM_INCLUDE := include > -CFLAGS += $(CPPFLAGS) $(DEFINES) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g > +CFLAGS += $(CPPFLAGS) $(DEFINES) $(SECURITY_HARDENINGS) -I$(KVM_INCLUDE) -I$(ARCH_INCLUDE) -O2 -fno-strict-aliasing -g

I used scanelf to check that the final binary has the stack marked as
executable. For arm and arm64 I got this:

$ scanelf -e lkvm
TYPE STK/REL/PTL FILE
ET_DYN RW- R-- RW- lkvm

which as far as I can tell means the stack is not executable. For x86:

$ scanelf -e lkvm
TYPE STK/REL/PTL FILE
ET_DYN RWX R-- RW- vm

which means the stack is executable. Digging further, it looks like there
are two objects which are missing the .note.GNU-stack section,
x86/bios/entry.o and x86/bios/bios-rom.o. I suggest you try to fix the
source files for those two objects before adding the flag to gcc. I used
the Gentoo wiki [1] to diagnose the problem, in case it's useful to you.

[1] https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

Thanks,
Alex

> > WARNINGS += -Wall > WARNINGS += -Wformat=2 > @@ -582,4 +585,4 @@ ifneq ($(MAKECMDGOALS),clean) > > KVMTOOLS-VERSION-FILE: > @$(SHELL_PATH) util/KVMTOOLS-VERSION-GEN $(OUTPUT) > -endif > \ No newline at end of file > +endif > -- > 2.25.1 >
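
Review bot: in the first hunk (@@ -380,8 +380,11 @@), '-z noexecstack' is a linker option, yet SECURITY_HARDENINGS is spliced into CFLAGS, so it only takes effect on commands that both use CFLAGS and perform the link; the hunk does not show that the lkvm link rule does. Consider adding it to the linker flags instead. Forcing the marking at link time also overrides whatever the input objects request, which would hide objects lacking a .note.GNU-stack section such as the x86/bios/entry.o and x86/bios/bios-rom.o named in the reply, so fixing those sources first keeps the per-object check meaningful.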
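
Review bot: in the last hunk (@@ -582,4 +585,4 @@), the '-endif' / '+endif' pair is unrelated to the stack marking; going by the '\ No newline at end of file' marker it only adds the missing trailing newline. Split it into a separate patch or mention it in the commit message, which currently describes only the CFLAGS change.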
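
The two checks described in the reply (the stack flags of the final binary, then which objects lack .note.GNU-stack), as an added Python example that is not part of the original thread or of kvmtool. The names stack_marking and sample_object are hypothetical, the sample object is constructed in memory, and only little-endian ELF files are handled.

```python
import struct

# Per EI_CLASS: ELF header, section header, program header formats, p_flags index
FMT = {1: ("<16sHHIIIIIHHHHHH", "<10I", "<8I", 6),
       2: ("<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<IIQQQQQQ", 1)}
ET_REL, PT_GNU_STACK, SHF_EXECINSTR = 1, 0x6474E551, 0x4

def stack_marking(data: bytes) -> str:
    """Linked binary: PT_GNU_STACK flags as scanelf prints them (e.g. 'RW-').
    Object file: 'noexec' or 'exec' from .note.GNU-stack. 'missing' if absent."""
    if data[:4] != b"\x7fELF" or data[4] not in FMT or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    eh_fmt, sh_fmt, ph_fmt, pflags = FMT[data[4]]
    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(eh_fmt, data)
    if e_type != ET_REL:
        for i in range(phnum):
            ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
            if ph[0] == PT_GNU_STACK:
                bits = ((4, "R"), (2, "W"), (1, "X"))
                return "".join(c if ph[pflags] & b else "-" for b, c in bits)
        return "missing"
    # Object file: look for the .note.GNU-stack section that the reply
    # found missing in two x86 objects.
    secs = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
            for i in range(shnum)]
    for s in secs:
        start = secs[shstrndx][4] + s[0]          # name offset in .shstrtab
        if data[start:data.index(b"\0", start)] == b".note.GNU-stack":
            return "exec" if s[2] & SHF_EXECINSTR else "noexec"
    return "missing"

def sample_object(names):
    """Constructed sample: minimal ELF64 object whose section table lists `names`."""
    names = [b""] + list(names) + [b".shstrtab"]
    strtab, offs = b"", []
    for n in names:
        offs.append(len(strtab))
        strtab += n + b"\0"
    ehdr = struct.pack(FMT[2][0], b"\x7fELF\x02\x01\x01", ET_REL, 62, 1, 0, 0,
                       64 + len(strtab), 0, 64, 0, 0, 64, len(names), len(names) - 1)
    shdrs = b"".join(struct.pack(FMT[2][1], off, 1, 0, 0, 64, len(strtab), 0, 0, 1, 0)
                     for off in offs)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    print(stack_marking(sample_object([b".text"])))
    print(stack_marking(sample_object([b".text", b".note.GNU-stack"])))
```

On a real build tree, passing the bytes of each .o file to stack_marking and listing those that return 'missing' reproduces the per-object diagnosis from the reply.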