Mark AESNI files as not needing executable stacks

Some Linux systems now come with facilities to mark the stack as non-executable, making it more difficult to exploit buffer overrun bugs. For this to work, object files built from assembly need a section added to note whether they require an executable stack. Patch from Dhiru Kholia with comments added. More information at: https://bugzilla.redhat.com/show_bug.cgi?id=1045699 https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart ticket: 7813 target_version: 1.12.1 tags: pullup
greghudson · Jan 3, 2014 · c64e39c · c64e39c
1 parent dae7693
commit c64e39c
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 	movdqu [r9],xmm1
 	add rsp,16*16+8
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
 	movdqu	[ecx],xmm1 ; store last iv for chaining
 
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif