From fdd78a53878be5421aeb76295d6f98b7994d4b04 Mon Sep 17 00:00:00 2001
From: Ruud van Asseldonk
Date: Wed, 21 Aug 2019 00:07:38 +0200
Subject: [PATCH] libressl: use CFLAGS to avoid exectuable stack

It turns out that libcrypto had an exectuable stack, because it linked some objects without a .note.GNU-stack section. Compilers add this section by default, but the objects produced from .S files did not contain it. The .S files do include a directive to add the section, but guarded behind an #ifdef HAVE_GNU_STACK. So define HAVE_GNU_STACK, to ensure that all objects have a .note.GNU-stack section.
---
 .../libraries/libressl/default.nix | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index f30ead30b3bb..29b28e85f861 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -13,7 +13,15 @@ let
     nativeBuildInputs = [ cmake ];
 
-    cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ];
+    cmakeFlags = [
+      "-DENABLE_NC=ON"
+      "-DBUILD_SHARED_LIBS=ON"
+      # Ensure that the output libraries do not require an executable stack.
+      # Without this define, assembly files in libcrypto do not include a
+      # .note.GNU-stack section, and if that section is missing from any object,
+      # the linker will make the stack executable.
+      "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
+    ];
 
     # The autoconf build is broken as of 2.9.1, resulting in the following error:
     # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
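Review bot: The new `"-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"` entry only closes the executable-stack hole if that define reaches every .S translation unit, and the second hunk drops the `NIX_LDFLAGS = ["-z" "noexecstack"]` fallback that previously forced a non-executable PT_GNU_STACK no matter what the individual objects declared. If LibreSSL's CMake build ever compiles assembly under CMAKE_ASM_FLAGS rather than the C flags, or a future .S file lacks the guarded `.note.GNU-stack` directive, the linker silently reverts to an executable stack and nothing in this derivation notices. I would either keep the linker flag on Linux as belt-and-braces, or add a post-install check that fails the build when any installed shared library has an `RWE` PT_GNU_STACK; a sketch follows (it assumes the libraries land in `$out/lib` and that no other `postInstall` is defined outside this hunk — merge if one exists). Passing `-DCMAKE_C_FLAGS=` on the command line also replaces rather than appends to that cache variable, which is fine only as long as nothing else in this build sets CMAKE_C_FLAGS; a one-line comment next to the flag, `# Note: this sets CMAKE_C_FLAGS outright; append here if more C flags are ever needed.`, would save the next editor a surprise.
```nix
    # … unchanged: cmakeFlags list …

    # Guard against regressions: HAVE_GNU_STACK only helps if it reaches every
    # assembly object, so verify the installed result instead of trusting it.
    postInstall = stdenv.lib.optionalString stdenv.isLinux ''
      for lib in "$out"/lib/*.so*; do
        if readelf -lW "$lib" | grep -q 'GNU_STACK.*RWE'; then
          echo "$lib has an executable stack (PT_GNU_STACK is RWE)" >&2
          exit 1
        fi
      done
    '';
```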
@@ -23,15 +31,6 @@ let
       rm configure
     '';
 
-    # Ensure that the output libraries do not require an executable stack.
-    # Without this, libcrypto would be built with the executable stack flag set.
-    # For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin,
-    # expects '--noexecstack'. Execstack is an ELF thing, so it is not needed
-    # on Darwin.
-    NIX_LDFLAGS = if stdenv.isDarwin
-      then []
-      else ["-z" "noexecstack"];
-
     enableParallelBuilding = true;
 
     outputs = [ "bin" "dev" "out" "man" "nc" ];