Add Dhiru Kholia's patch to restore noexecstack

- add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others)
2014-01-02 23:43:55 -05:00 · 2014-01-02 23:43:55 -05:00 · 480b9efaa3
commit 480b9efaa3
parent 13df2d5386
2 changed files with 45 additions and 3 deletions
--- a/krb5-1.12-enable-NX.patch
+++ b/krb5-1.12-enable-NX.patch
@ -0,0 +1,36 @@
+diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
+index 1c091c1..3a3d6fc 100644
+--- a/src/lib/crypto/builtin/aes/iaesx64.s
+++ b/src/lib/crypto/builtin/aes/iaesx64.s
+@@ -834,3 +834,13 @@ lp256encsingle_CBC:
+ 	movdqu [r9],xmm1
+ 	add rsp,16*16+8
+ 	ret
+
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
+index b667acd..03a8670 100644
+--- a/src/lib/crypto/builtin/aes/iaesx86.s
+++ b/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -871,3 +871,13 @@ lp256encsingle_CBC:
+ 	movdqu	[ecx],xmm1 ; store last iv for chaining
+ 
+ 	ret
+
+%ifidn __OUTPUT_FORMAT__,elf
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf32
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
+%ifidn __OUTPUT_FORMAT__,elf64
+section .note.GNU-stack noalloc noexec nowrite progbits
+%endif
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -96,6 +96,7 @@ Patch137: krb5-master-gss_oid_leak.patch
 Patch138: krb5-master-keytab_close.patch
 Patch139: krb5-1.12-copy_context.patch
 Patch140: krb5-master-spnego_error_messages.patch
+Patch141: krb5-1.12-enable-NX.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -148,10 +149,9 @@ BuildRequires: iproute
 %if 0%{?fedora} >= 9
 BuildRequires: python-pyrad
 %endif
-
 %if 0%{?fedora} >= 8
 %ifarch %{ix86} x86_64
-#BuildRequires: yasm
+BuildRequires: yasm
 %endif
 %endif

@ -321,6 +321,7 @@ ln -s NOTICE LICENSE
 %patch138 -p1 -b .keytab_close
 %patch139 -p1 -b .copy_context
 %patch140 -p1 -b .spnego_error_messages
+%patch141 -p1 -b .enable-NX

 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@ -975,6 +976,11 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8
+- add patch from Dhiru Kholia for the AES-NI implementations to allow
+  libk5crypto to be properly marked as not needing an executable stack
+  on arches where they're used (#1045699, and so many others)
+
 * Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-7
 - revert that last change for a bit while sorting out execstack when we
  use AES-NI (#1045699)