krb5 commit [krb5-1.12]: Mark AESNI files as not needing executable stacks

Tom Yu tlyu at MIT.EDU
Wed Jan 8 22:30:40 EST 2014 

https://github.com/krb5/krb5/commit/1cc36f83ae13d91c255c92add19bbfea54a4e9a0
commit 1cc36f83ae13d91c255c92add19bbfea54a4e9a0
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jan 3 13:50:48 2014 -0500

    Mark AESNI files as not needing executable stacks
    
    Some Linux systems now come with facilities to mark the stack as
    non-executable, making it more difficult to exploit buffer overrun
    bugs.  For this to work, object files built from assembly need a
    section added to note whether they require an executable stack.
    
    Patch from Dhiru Kholia with comments added.  More information at:
    https://bugzilla.redhat.com/show_bug.cgi?id=1045699
    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
    
    (cherry picked from commit c64e39c69a9a7ee32c00b0cf7918f6274a565544)
    
    ticket: 7813
    version_fixed: 1.12.1
    status: resolved

 src/lib/crypto/builtin/aes/iaesx64.s |   11 +++++++++++
 src/lib/crypto/builtin/aes/iaesx86.s |   11 +++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
index 1c091c1..d03c859 100644
--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 	movdqu [r9],xmm1
 	add rsp,16*16+8
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
index b667acd..1aa12e6 100644
--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
 	movdqu	[ecx],xmm1 ; store last iv for chaining
 
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif

More information about the cvs-krb5 mailing list