krb5/krb5-1.12-enable-NX.patch

commit c64e39c69a9a7ee32c00b0cf7918f6274a565544
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Jan 3 13:50:48 2014 -0500

    Mark AESNI files as not needing executable stacks
    
    Some Linux systems now come with facilities to mark the stack as
    non-executable, making it more difficult to exploit buffer overrun
    bugs.  For this to work, object files built from assembly need a
    section added to note whether they require an executable stack.
    
    Patch from Dhiru Kholia with comments added.  More information at:
    https://bugzilla.redhat.com/show_bug.cgi?id=1045699
    https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
    
    ticket: 7813
    target_version: 1.12.1
    tags: pullup

diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
index 1c091c1..d03c859 100644
--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
@@ -834,3 +834,14 @@ lp256encsingle_CBC:
 	movdqu [r9],xmm1
 	add rsp,16*16+8
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
index b667acd..1aa12e6 100644
--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
@@ -871,3 +871,14 @@ lp256encsingle_CBC:
 	movdqu	[ecx],xmm1 ; store last iv for chaining
 
 	ret
+
+; Mark this file as not needing an executable stack.
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`commit c64e39c69a9a7ee32c00b0cf7918f6274a565544`
			`Author: Greg Hudson <ghudson@mit.edu>`
			`Date: Fri Jan 3 13:50:48 2014 -0500`

			`Mark AESNI files as not needing executable stacks`

			`Some Linux systems now come with facilities to mark the stack as`
			`non-executable, making it more difficult to exploit buffer overrun`
			`bugs. For this to work, object files built from assembly need a`
			`section added to note whether they require an executable stack.`

			`Patch from Dhiru Kholia with comments added. More information at:`
			`https://bugzilla.redhat.com/show_bug.cgi?id=1045699`
			`https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart`

			`ticket: 7813`
			`target_version: 1.12.1`
			`tags: pullup`

Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`index 1c091c1..d03c859 100644`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`--- a/src/lib/crypto/builtin/aes/iaesx64.s`
			`+++ b/src/lib/crypto/builtin/aes/iaesx64.s`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`@@ -834,3 +834,14 @@ lp256encsingle_CBC:`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`movdqu [r9],xmm1`
			`add rsp,16*16+8`
			`ret`
			`+`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`+; Mark this file as not needing an executable stack.`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`+%ifidn __OUTPUT_FORMAT__,elf`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`
			`+%ifidn __OUTPUT_FORMAT__,elf32`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`
			`+%ifidn __OUTPUT_FORMAT__,elf64`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`
			`diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`index b667acd..1aa12e6 100644`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`--- a/src/lib/crypto/builtin/aes/iaesx86.s`
			`+++ b/src/lib/crypto/builtin/aes/iaesx86.s`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`@@ -871,3 +871,14 @@ lp256encsingle_CBC:`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`movdqu [ecx],xmm1 ; store last iv for chaining`

			`ret`
			`+`
Switch to as-committed version - grab a more-commented version of the most recent patch from upstream master 2014-01-06 20:58:20 +00:00			`+; Mark this file as not needing an executable stack.`
Add Dhiru Kholia's patch to restore noexecstack - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) 2014-01-03 04:43:55 +00:00			`+%ifidn __OUTPUT_FORMAT__,elf`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`
			`+%ifidn __OUTPUT_FORMAT__,elf32`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`
			`+%ifidn __OUTPUT_FORMAT__,elf64`
			`+section .note.GNU-stack noalloc noexec nowrite progbits`
			`+%endif`