From 480b9efaa384fc82dc110969bd100b1f8416ccf7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 2 Jan 2014 23:43:55 -0500
Subject: [PATCH] Add Dhiru Kholia's patch to restore noexecstack
- add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others)
---
krb5-1.12-enable-NX.patch | 36 ++++++++++++++++++++++++++++++++++++
krb5.spec | 12 +++++++++---
2 files changed, 45 insertions(+), 3 deletions(-)
create mode 100644 krb5-1.12-enable-NX.patch
diff --git a/krb5-1.12-enable-NX.patch b/krb5-1.12-enable-NX.patch
new file mode 100644
index 0000000..bd6f2f7
--- /dev/null
+++ b/krb5-1.12-enable-NX.patch
@@ -0,0 +1,36 @@
+diff --git a/src/lib/crypto/builtin/aes/iaesx64.s b/src/lib/crypto/builtin/aes/iaesx64.s
+index 1c091c1..3a3d6fc 100644
+--- a/src/lib/crypto/builtin/aes/iaesx64.s
++++ b/src/lib/crypto/builtin/aes/iaesx64.s
+@@ -834,3 +834,13 @@ lp256encsingle_CBC:
+ movdqu [r9],xmm1
+ add rsp,16*16+8
+ ret
++
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
+diff --git a/src/lib/crypto/builtin/aes/iaesx86.s b/src/lib/crypto/builtin/aes/iaesx86.s
+index b667acd..03a8670 100644
+--- a/src/lib/crypto/builtin/aes/iaesx86.s
++++ b/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -871,3 +871,13 @@ lp256encsingle_CBC:
+ movdqu [ecx],xmm1 ; store last iv for chaining
+
+ ret
++
++%ifidn __OUTPUT_FORMAT__,elf
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf32
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
++%ifidn __OUTPUT_FORMAT__,elf64
++section .note.GNU-stack noalloc noexec nowrite progbits
++%endif
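Review bot: The three `%ifidn __OUTPUT_FORMAT__` blocks appended after the final `ret` in iaesx64.s and iaesx86.s carry no comment, so the file itself does not say why an empty note section follows the code. I would put `; Emit .note.GNU-stack so the linker can mark libk5crypto as not needing an executable stack.` above the first block in each file. The comparison is an exact match on `elf`, `elf32` and `elf64`, so an object assembled under any other ELF format name (`elfx32`, for instance) gets no note and the hardening is lost without any build error; the comment should say that the list has to track the assembler's `-f` values. Both inner hunks sit at the tail of lp256encsingle_CBC, whose body starts outside the hunk.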
diff --git a/krb5.spec b/krb5.spec index 5d29779..36ed60a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12 -Release: 7%{?dist} +Release: 8%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar Source0: krb5-%{version}.tar.gz @@ -96,6 +96,7 @@ Patch137: krb5-master-gss_oid_leak.patch Patch138: krb5-master-keytab_close.patch Patch139: krb5-1.12-copy_context.patch Patch140: krb5-master-spnego_error_messages.patch +Patch141: krb5-1.12-enable-NX.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -148,10 +149,9 @@ BuildRequires: iproute %if 0%{?fedora} >= 9 BuildRequires: python-pyrad %endif - %if 0%{?fedora} >= 8 %ifarch %{ix86} x86_64 -#BuildRequires: yasm +BuildRequires: yasm %endif %endif @@ -321,6 +321,7 @@ ln -s NOTICE LICENSE %patch138 -p1 -b .keytab_close %patch139 -p1 -b .copy_context %patch140 -p1 -b .spnego_error_messages +%patch141 -p1 -b .enable-NX # Apply when the hard-wired or configured default location is # DIR:/run/user/%%{uid}/krb5cc. @@ -975,6 +976,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Jan 2 2014 Nalin Dahyabhai - 1.12-8 +- add patch from Dhiru Kholia for the AES-NI implementations to allow + libk5crypto to be properly marked as not needing an executable stack + on arches where they're used (#1045699, and so many others) + * Thu Jan 2 2014 Nalin Dahyabhai - 1.12-7 - revert that last change for a bit while sorting out execstack when we use AES-NI (#1045699)
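Review bot: Uncommenting `BuildRequires: yasm` in the `%ifarch %{ix86} x86_64` block brings the AES-NI objects back into libk5crypto, but none of the visible hunks verifies that the built library ends up with a non-executable stack. The 1.12-7 changelog entry shows this already regressed once, so a build-time assertion is worth having, for example in `%check` (not visible here, so its presence is assumed): `if readelf -lW <path to built libk5crypto.so> | grep -q 'GNU_STACK.*RWE'; then exit 1; fi`. That turns a missing `.note.GNU-stack` in any future assembly source into a failed build instead of a silently weaker package.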