GNU-based toolchains on ELF platforms default the stack to executable
and rely on a .note.GNU-stack section in *each* object file to flip it
off. The compiler knows to do this for its object files, but assembly
does everything by hand. See this link for details:
https://www.airs.com/blog/archives/518
We do this in the cmake build by passing -Wa,--noexecstack to the
assembler. However, since we have to deal with many buildsystems, it
would be more robust to put it in the source.
It's unclear whether this should be gated on ELF or Linux. The Gentoo
and Ubuntu documents recommend checking for Linux with gas, but only ELF
with NASM.
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstarthttps://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks
At the same time, these links suggest it is an ELF-wide issue and not
just Linux:
https://github.com/golang/go/issues/5392https://reviews.freebsd.org/D11033https://github.com/openssl/openssl/issues/4575 also discusses this but
the rationale lists both ELF and non-ELF platforms, so it's unclear.
Treat it as ELF-wide for now. We can revisit this if necessary.
Update-Note: If there is a build failure due to .note.GNU-stack, holler.
Change-Id: Ic59096aa1fc2bf5380a412c9991de22cb46c0faf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37984
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
9c49713ba8