do not mark GNU_STACK WX in ELFs generated from assembly

When generating ELF objects from assembly, gcc and clang mark the
GNU_STACK program headers as RWX by default. This is a security issue,
so we make sure it is marked only RW.

This modifies Anthony G. Basile's original patch for Linux to set
.note.GNU-stack whenever the assembler supports it. It is surprising
that any modern toolchain would enable an executable stack without an
explicit request. The number of programs that need an executable stack
is surely much smaller than the number of programs that include assembly.

configure.ac

@@ -57,7 +57,6 @@ AC_CHECK_FUNC([clock_gettime],,
 AC_CHECK_FUNC([dl_iterate_phdr],,
 	[AC_SEARCH_LIBS([dl_iterate_phdr],[dl])])
 
-AM_PROG_AS
 AC_PROG_CC
 AC_PROG_LIBTOOL
 AC_PROG_CC_STDC
@@ -73,6 +72,18 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 )
 CFLAGS="$save_cflags $AM_CFLAGS"
 
+save_cflags="$CFLAGS"
+CFLAGS=
+AC_MSG_CHECKING([whether AS supports .note.GNU-stack])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+__asm__(".section .note.GNU-stack,\"\",@progbits");]])],
+	[AC_MSG_RESULT([yes])]
+	[AM_CFLAGS=-DHAVE_GNU_STACK],
+	[AC_MSG_RESULT([no])]
+)
+CFLAGS="$save_cflags $AM_CFLAGS"
+AM_PROG_AS
+
 AC_MSG_CHECKING([if compiling with clang])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 #ifndef __clang__

update.sh

@@ -125,10 +125,20 @@ $CP crypto/compat/ui_openssl_win.c crypto/ui
 asm_src=$libssl_src/src/crypto
 gen_asm_stdout() {
 	perl $asm_src/$2 $1 > $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
 	$MV $3.tmp $3
 }
 gen_asm() {
 	perl $asm_src/$2 $1 $3.tmp
+	[[ $1 == "elf" ]] && cat <<-EOF >> $3.tmp
+	#if defined(HAVE_GNU_STACK)
+	.section .note.GNU-stack,"",%progbits
+	#endif
+	EOF
 	$MV $3.tmp $3
 }
 for abi in elf macosx; do