Mark AESNI files as not needing executable stacks

Some Linux systems now come with facilities to mark the stack as
non-executable, making it more difficult to exploit buffer overrun
bugs.  For this to work, object files built from assembly need a
section added to note whether they require an executable stack.

Patch from Dhiru Kholia with comments added.  More information at:
https://bugzilla.redhat.com/show_bug.cgi?id=1045699
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

ticket: 7813
target_version: 1.12.1
tags: pullup

2 files changed, 22 insertions, 0 deletions

diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
index 1c091c130f..d03c859a5c 100644
--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 	movdqu [r9],xmm1
 	add rsp,16*16+8
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
index b667acdd24..1aa12e6ef0 100644
--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
 	movdqu	[ecx],xmm1 ; store last iv for chaining
 
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif