From 152e60f2fe72db456bfeff4780a7db291c58106d Mon Sep 17 00:00:00 2001
From: Dimitry Andric <dim@FreeBSD.org>
Date: Tue, 15 Feb 2011 22:03:09 +0000
Subject: [PATCH] Fix some leftover binaries and shared libraries in the system
 that still have an executable stack, due to linking in hand-assembled .S or
 .s files, that have no .GNU-stack sections:

RWX --- ---  /lib/libcrypto.so.6
RWX --- ---  /lib/libmd.so.5
RWX --- ---  /lib/libz.so.6
RWX --- ---  /lib/libzpool.so.2
RWX --- ---  /usr/lib/liblzma.so.5

These were found using scanelf, from the sysutils/pax-utils port.

Reviewed by:	kib
---
 cddl/lib/libzpool/Makefile    | 1 +
 lib/liblzma/Makefile          | 1 +
 lib/libmd/Makefile            | 7 +++++--
 lib/libz/Makefile             | 2 ++
 secure/lib/libcrypto/Makefile | 4 ++++
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cddl/lib/libzpool/Makefile b/cddl/lib/libzpool/Makefile
index 7a0ce3cb98e..bdd9ecdcd0a 100644
--- a/cddl/lib/libzpool/Makefile
+++ b/cddl/lib/libzpool/Makefile
@@ -14,6 +14,7 @@
 .if ${MACHINE_ARCH} == "i386" || ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "ia64" || ${MACHINE_ARCH} == "sparc64" || ${MACHINE_ARCH} == "powerpc64"
 .PATH: ${.CURDIR}/../../../sys/cddl/contrib/opensolaris/common/atomic/${MACHINE_ARCH}
 ATOMIC_SRCS=	opensolaris_atomic.S
+ACFLAGS+=	-Wa,--noexecstack
 .else
 .PATH: ${.CURDIR}/../../../sys/cddl/compat/opensolaris/kern
 ATOMIC_SRCS=	opensolaris_atomic.c
diff --git a/lib/liblzma/Makefile b/lib/liblzma/Makefile
index 927fe8c4935..8d614cf8b45 100644
--- a/lib/liblzma/Makefile
+++ b/lib/liblzma/Makefile
@@ -78,6 +78,7 @@ SRCS+=	check.c \
 .if defined(MACHINE_ARCH) && ${MACHINE_ARCH} == "i386"
 SRCS+=	crc32_x86.S \
 	crc64_x86.S
+ACFLAGS+=	-Wa,--noexecstack
 .else
 SRCS+=	crc32_fast.c \
 	crc64_fast.c
diff --git a/lib/libmd/Makefile b/lib/libmd/Makefile
index ba1ebc03417..ff351055d00 100644
--- a/lib/libmd/Makefile
+++ b/lib/libmd/Makefile
@@ -43,11 +43,14 @@ CFLAGS+= -I${.CURDIR}
 
 .if exists(${MACHINE_ARCH}/sha.S)
 SRCS+=	sha.S
-CFLAGS+= -DSHA1_ASM -DELF
+CFLAGS+= -DSHA1_ASM
 .endif
 .if exists(${MACHINE_ARCH}/rmd160.S)
 SRCS+=	rmd160.S
-CFLAGS+= -DRMD160_ASM -DELF
+CFLAGS+= -DRMD160_ASM
+.endif
+.if exists(${MACHINE_ARCH}/sha.S) || exists(${MACHINE_ARCH}/rmd160.S)
+ACFLAGS+= -DELF -Wa,--noexecstack
 .endif
 
 md2hl.c: mdXhl.c
diff --git a/lib/libz/Makefile b/lib/libz/Makefile
index 8835e0da8e1..1343c6f758b 100644
--- a/lib/libz/Makefile
+++ b/lib/libz/Makefile
@@ -39,12 +39,14 @@ SRCS+=		zutil.c
 .PATH:		${.CURDIR}/contrib/asm686
 SRCS+=		match.S
 CFLAGS+=	-DASMV -DNO_UNDERLINE
+ACFLAGS+=	-Wa,--noexecstack
 .endif
 
 .if ${MACHINE_ARCH} == "amd64"
 .PATH:		${.CURDIR}/contrib/gcc_gvmat64
 SRCS+=		gvmat64.S
 CFLAGS+=	-DASMV -DNO_UNDERLINE
+ACFLAGS+=	-Wa,--noexecstack
 .endif
 
 VERSION_DEF=	${.CURDIR}/Versions.def
diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index 0c019055d68..0a1704c4955 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -345,6 +345,10 @@ INCSDIR=	${INCLUDEDIR}/openssl
 
 CSTD=	gnu89
 
+.if !empty(SRCS:M*.s)
+AFLAGS+=	--noexecstack
+.endif
+
 CLEANFILES=	buildinf.h opensslconf.h evp.h
 
 buildinf.h: ${.CURDIR}/Makefile
-- 
2.45.0