From: Greg Hudson
Date: Fri, 3 Jan 2014 18:50:48 +0000 (-0500)
Subject: Mark AESNI files as not needing executable stacks
X-Git-Tag: krb5-1.13-alpha1~265
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c64e39c69a9a7ee32c00b0cf7918f6274a565544;p=thirdparty%2Fkrb5.git
Mark AESNI files as not needing executable stacks
Some Linux systems now come with facilities to mark the stack as non-executable, making it more difficult to exploit buffer overrun bugs. For this to work, object files built from assembly need a section added to note whether they require an executable stack. Patch from Dhiru Kholia with comments added. More information at: https://bugzilla.redhat.com/show_bug.cgi?id=1045699 https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart ticket: 7813 target_version: 1.12.1 tags: pullup
---
diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
index 1c091c130f..d03c859a5c 100644
--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 movdqu [r9],xmm1
 add rsp,16*16+8
 ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
index b667acdd24..1aa12e6ef0 100644
--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC: movdqu [ecx],xmm1 ; store last iv for chaining ret + +; Mark this file as not needing an executable stack. +%ifidn __OUTPUT_FORMAT__,elf +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf32 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif +%ifidn __OUTPUT_FORMAT__,elf64 +section .note.GNU-stack noalloc noexec nowrite progbits +%endif
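Review bot: The three `%ifidn __OUTPUT_FORMAT__` guards added at the end of this file (and identically at the end of iaesx64.s) match only the exact names `elf`, `elf32` and `elf64`, so an ELF build under any other format name, such as NASM's `elfx32`, would silently emit no `.note.GNU-stack` section. Linkers commonly treat a single object without the note as a request for an executable stack for the whole linked output, which would quietly undo the hardening this commit is after. I would extend the comment to say so and to pin the placement, e.g. `; Must stay last: anything after this directive is assembled into the note section.`, and add a matching `elfx32` guard if that target is ever built. A build-time check such as `readelf -lW` on the linked library, confirming the GNU_STACK segment is `RW` rather than `RWE`, would catch a regression. Only the tail of lp256encsingle_CBC is visible in the hunk.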