Disable stack execution

Resolves: rhbz#1950528

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Stephen Gallagher 2021-04-20 09:35:18 -04:00
parent 4fb0644412
commit 32edd143c2
No known key found for this signature in database
GPG key ID: 45DB85A568286D11
4 changed files with 59 additions and 7 deletions


@ -1,7 +1,7 @@
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
From 0a889af5ee18290d833f7f63742d5b714bdb1a40 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps
Subject: [PATCH 1/3] Disable running gyp on shared deps
---
Makefile | 2 +-
@ -25,5 +25,5 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
# node_version.h is listed because the N-API version is taken from there
--
2.29.2
2.31.1


@ -1,7 +1,7 @@
From 45a9bca165f6ed76c4e43cc2cc3fdf596814bc77 Mon Sep 17 00:00:00 2001
From 4012d5b9ae521f36c8b0155f591a38383e84407b Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Date: Tue, 19 Mar 2019 23:22:40 -0400
Subject: [PATCH 2/2] Install both binaries and use libdir.
Subject: [PATCH 2/3] Install both binaries and use libdir.
This allows us to build with a shared library for other users while
still providing the normal executable.
@ -86,5 +86,5 @@ index 729b416fc47d3ff3317ae3671dee977c719a8841..9bfc6234edb7732f9b90f063c2ee4a27
# behave similarly for systemtap
--
2.29.2
2.31.1


@ -0,0 +1,45 @@
From 6aa11a8cf48463432c0b5c6bfca5c2a5b18b1cc7 Mon Sep 17 00:00:00 2001
From: James Addison <jay@jp-hosting.net>
Date: Tue, 9 Mar 2021 13:08:47 +0000
Subject: [PATCH 3/3] src: add .note.GNU-stack section
This indicates to GNU binutils that it can unset the executable stack
flag on the binary that it is building.
PR-URL: https://github.com/nodejs/node/pull/37688
Refs: https://github.com/nodejs/node/issues/17933
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
src: Use %progbits instead of @progbits
While @progbits is preferred for most architectures, there are some
(notably 32-bit ARM) for which it does not. %progbits is effective
everywhere.
See https://bugzilla.redhat.com/show_bug.cgi?id=1950528 for more
details.
Related: https://github.com/nodejs/node/issues/17933
Related: https://github.com/nodejs/node/pull/37688
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/large_pages/node_text_start.S | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/large_pages/node_text_start.S b/src/large_pages/node_text_start.S
index 1609b254f0495a32f8896ba96d96bad03f6f2321..d27dd39cc236f0e6be4e68113bfff7b531a37455 100644
--- a/src/large_pages/node_text_start.S
+++ b/src/large_pages/node_text_start.S
@@ -1,5 +1,8 @@
+#if defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
.text
.align 0x2000
.global __node_text_start
.hidden __node_text_start
__node_text_start:
--
2.31.1
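
Review bot: Nothing here verifies the outcome of the three lines added at the top of src/large_pages/node_text_start.S. The note marks only this one object ("1 file changed"), and the linker can still emit an executable stack if another assembly object in the link lacks a .note.GNU-stack section. Consider adding a %check step to the spec that runs `readelf -lW` on the built node binary and libnode.so and fails if the GNU_STACK segment carries the E flag. Separately, the patch header joins two commit messages ("src: add .note.GNU-stack section" and "src: Use %progbits instead of @progbits") under a single From:/Date:, while the second carries a different Signed-off-by. Marking which part is the downstream modification would make the authorship clear for the next rebase.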


@ -8,7 +8,7 @@
# This is used by both the nodejs package and the npm subpackage thar
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 1
%global baserelease 2
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -145,6 +145,10 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# Patch to install both node and libnode.so, using the correct libdir
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
# Patch to disable stack execution. Merged from one upstream patch and
# one upstream proposed patch
Patch3: 0003-src-add-.note.GNU-stack-section.patch
BuildRequires: make
BuildRequires: python3-devel
BuildRequires: python3-setuptools
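
Review bot: The comment above Patch3 says the patch is "Merged from one upstream patch and one upstream proposed patch" but gives no reference for either. Add the upstream PR URL cited in the patch header (https://github.com/nodejs/node/pull/37688) and the bugzilla number to that comment, so that whoever rebases to a newer Node.js release can tell when Patch3 has landed upstream and can be dropped.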
@ -665,6 +669,9 @@ end
%changelog
* Tue Apr 20 2021 Stephen Gallagher <sgallagh@redhat.com> - 1:14.16.1-2
- Disable stack execution (bz#1950528)
* Thu Apr 08 2021 Stephen Gallagher <sgallagh@redhat.com> - 1:14.16.1-1
- Update to 14.16.1