From 3ca140278c3306b3e6fb9f09691723b77cb5bb28 Mon Sep 17 00:00:00 2001
From: Tulio A M Mendes
Date: Fri, 6 Feb 2026 11:31:32 -0300
Subject: [PATCH] x86: enforce W^X and non-exec stack
---
 src/arch/x86/boot.S | 2 ++
 src/arch/x86/gdt_flush.S | 2 ++
 src/arch/x86/interrupts.S | 2 ++
 src/arch/x86/linker.ld | 21 +++++++++++++++++----
 src/arch/x86/process.S | 2 ++
 src/arch/x86/tss_flush.S | 2 ++
 6 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/src/arch/x86/boot.S b/src/arch/x86/boot.S
index 60ee8f4d..1ba273a0 100644
--- a/src/arch/x86/boot.S
+++ b/src/arch/x86/boot.S
@@ -198,5 +198,7 @@ stack_bottom:
 .skip 16384
 stack_top:
+.section .note.GNU-stack,"",@progbits
+
 /* Helper symbol for map loop limit */
 _kernel_physical_end:
\ No newline at end of file
diff --git a/src/arch/x86/gdt_flush.S b/src/arch/x86/gdt_flush.S
index 6f18e80b..1150c627 100644
--- a/src/arch/x86/gdt_flush.S
+++ b/src/arch/x86/gdt_flush.S
@@ -23,3 +23,5 @@ gdt_flush:
 ljmp $0x08, $flush_cs
 flush_cs:
 ret
+
+ .section .note.GNU-stack,"",@progbits
diff --git a/src/arch/x86/interrupts.S b/src/arch/x86/interrupts.S
index 2727f051..4c2240c2 100644
--- a/src/arch/x86/interrupts.S
+++ b/src/arch/x86/interrupts.S
@@ -142,3 +142,5 @@ IRQ 15, 47
 /* Syscall vector (int 0x80 -> 128) */
 ISR_NOERRCODE 128
+
+ .section .note.GNU-stack,"",@progbits
diff --git a/src/arch/x86/linker.ld b/src/arch/x86/linker.ld
index fb4b7e6e..8a1e1af2 100644
--- a/src/arch/x86/linker.ld
+++ b/src/arch/x86/linker.ld
@@ -20,6 +20,13 @@ PHYSICAL_BASE = 0x00100000;
 /* But we want to run at 3GB + 1MB virtual */
 KERNEL_VIRT_BASE = 0xC0000000;
+PHDRS
+{
+ text PT_LOAD FLAGS(5);
+ rodata PT_LOAD FLAGS(4);
+ data PT_LOAD FLAGS(6);
+}
+
 SECTIONS
 {
 /*
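Review bot: In boot.S the new `.section .note.GNU-stack,"",@progbits` sits between `stack_top:` and `_kernel_physical_end:`, so the label that follows is now assembled into `.note.GNU-stack` instead of the section that holds the boot stack. The existing comment describes that symbol as the limit of a map loop, so its address would presumably stop marking the end of the kernel image once it lives in a non-allocated note section. Move the directive below `_kernel_physical_end:` as the last line of the file, which is where gdt_flush.S, interrupts.S, process.S and tss_flush.S place it, or wrap it as `.pushsection .note.GNU-stack,"",@progbits` / `.popsection`. The directive that opens the stack's section is outside the hunk, so the label's original section cannot be confirmed from here.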
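Review bot: The new `PHDRS` block in linker.ld lists only three `PT_LOAD` entries, and once a script declares `PHDRS` the linker emits only the headers named there, so the `.note.GNU-stack` sections added by this commit will not produce a `PT_GNU_STACK` header in the kernel image. If that marker is wanted, add `stack PT_GNU_STACK FLAGS(6);` to the block. The bare flag values also deserve comments: `text PT_LOAD FLAGS(5); /* PF_R | PF_X */`, `/* PF_R */` for 4 and `/* PF_R | PF_W */` for 6. These flags only describe the image; whether pages are actually mapped read-only or non-executable depends on the loader and the kernel's paging code, which this patch does not show.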
@@ -39,23 +46,29 @@ SECTIONS
 *(.boot_text)
 /* Rest of the kernel code */
 *(.text)
- }
+ } :text
+
+ . = ALIGN(0x1000);
 .rodata : AT(ADDR(.rodata) - KERNEL_VIRT_BASE)
 {
 *(.rodata)
- }
+ } :rodata
+
+ . = ALIGN(0x1000);
 .data : AT(ADDR(.data) - KERNEL_VIRT_BASE)
 {
 *(.data)
- }
+ } :data
+
+ . = ALIGN(0x1000);
 .bss : AT(ADDR(.bss) - KERNEL_VIRT_BASE)
 {
 *(.bss)
 *(COMMON)
- }
+ } :data
 _end = .;
 }
diff --git a/src/arch/x86/process.S b/src/arch/x86/process.S
index f1729167..d847e0a2 100644
--- a/src/arch/x86/process.S
+++ b/src/arch/x86/process.S
@@ -41,3 +41,5 @@ context_switch:
 /* 5. Return */
 /* Since we changed ESP, this 'ret' pops the EIP from the NEW stack! */
 ret
+
+ .section .note.GNU-stack,"",@progbits
diff --git a/src/arch/x86/tss_flush.S b/src/arch/x86/tss_flush.S
index 2028d089..f7b990d8 100644
--- a/src/arch/x86/tss_flush.S
+++ b/src/arch/x86/tss_flush.S
@@ -13,3 +13,5 @@ tss_flush:
 mov 4(%esp), %ax
 ltr %ax
 ret
+
+ .section .note.GNU-stack,"",@progbits
--
2.43.0
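Review bot: In the SECTIONS hunk of linker.ld, the added page alignment and `:text` / `:rodata` / `:data` assignments only cover input sections that `*(.text)`, `*(.rodata)`, `*(.data)` and `*(.bss)` match by exact name. Anything the compiler emits under a suffixed name (for example `.rodata.str1.1` or `.text.unlikely`, if the C objects contain them) becomes an orphan section, and its placement relative to the new `. = ALIGN(0x1000);` lines is left to the linker, so the separation is not guaranteed for it. Widening the patterns to `*(.text .text.*)`, `*(.rodata .rodata.*)`, `*(.data .data.*)` and `*(.bss .bss.*)` keeps each kind of content inside its own page-aligned region. The opening of the `.text` output section is outside the hunk.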