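#!/bin/bash
# Standalone verification script for the aws-lc-rs executable stack fix.
#
# Flow (8 steps, each echoed as "[n/8]"):
#   1. check for Linux, x86_64, cargo, readelf and git
#   2. create / reuse the working directory
#   3. clone aws-lc-rs (or update an existing clone) plus its aws-lc submodule
#   4. build aws-lc-sys in release mode ("BEFORE")
#   5. look for nttfrombytes.o and test it for a .note.GNU-stack section
#   6. patch aws-lc-sys/builder/cc_builder.rs to pass -Wa,--noexecstack
#   7. clean and rebuild aws-lc-sys ("AFTER")
#   8. repeat the section test and print a verdict
#
# Run this on an x86_64 Linux machine. Note that `cargo build` executes the
# crate's build scripts from the freshly cloned tree.
#
# Environment:
#   WORK_DIR  directory that holds the clone, the build output and the logs
#             (default: /tmp/aws-lc-rs-execstack-test, reused across runs so
#             repeat runs are faster). On a shared host prefer a directory
#             only you can write to.
#
# Exit status: 0 when BEFORE lacks the section and AFTER has it, 1 otherwise.
set -u

WORK_DIR="${WORK_DIR:-/tmp/aws-lc-rs-execstack-test}"
REPO_URL="https://github.com/aws/aws-lc-rs.git"
# All scratch output lives under WORK_DIR instead of at fixed names directly in
# /tmp, so a redirection never clobbers a predictable world-writable path.
LOG_DIR="$WORK_DIR/logs"
# Paths relative to the aws-lc-rs checkout.
CC_BUILDER="aws-lc-sys/builder/cc_builder.rs"
SUBMODULE="aws-lc-sys/aws-lc"
BUILD_OUT_GLOB="target/release/build/aws-lc-sys-*/out"

#######################################
# Print a message to stderr and exit 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Initialise the aws-lc submodule (shallow) of the current checkout.
# Outputs: stderr of git into $LOG_DIR/submodule-error.log
# Returns: git's exit status
#######################################
init_submodule() {
  git submodule update --init --quiet --depth 1 "$SUBMODULE" \
    2>"$LOG_DIR/submodule-error.log"
}

#######################################
# Clone REPO_URL into ./aws-lc-rs and initialise its submodule.
# Must be called from $WORK_DIR; on success the shell is left inside the clone.
# Exits the script (printing the captured git output) on any failure.
#######################################
clone_fresh() {
  if ! git clone --quiet "$REPO_URL" aws-lc-rs 2>"$LOG_DIR/git-error.log"; then
    echo " ✗ ERROR: Git clone failed"
    cat "$LOG_DIR/git-error.log"
    exit 1
  fi
  cd aws-lc-rs || die " ✗ ERROR: cannot enter aws-lc-rs"
  if ! init_submodule; then
    echo " ✗ ERROR: Submodule init failed"
    cat "$LOG_DIR/submodule-error.log"
    exit 1
  fi
}

#######################################
# Build aws-lc-sys in release mode, capturing all output in a log file.
# Arguments: $1 - log file path
#            $2 - error message to print if the build fails
# Exits the script (showing the log tail) when cargo fails.
#######################################
build_sys() {
  local log=$1
  local failure_msg=$2
  if ! cargo build --release -p aws-lc-sys >"$log" 2>&1; then
    echo " ✗ ERROR: $failure_msg"
    echo " Last 50 lines of build output:"
    tail -50 "$log"
    exit 1
  fi
  echo " ✓ Build completed"
}

#######################################
# Print the path of the first nttfrombytes.o found under the aws-lc-sys build
# output (cc_builder may emit a bare or a hash-prefixed name), or nothing.
# Must be called from inside the aws-lc-rs checkout.
#######################################
find_ntt_object() {
  # shellcheck disable=SC2086 — the glob in BUILD_OUT_GLOB is meant to expand
  find $BUILD_OUT_GLOB \( -name "nttfrombytes.o" -o -name "*-nttfrombytes.o" \) 2>/dev/null \
    | grep nttfrombytes | head -1
}

#######################################
# Report whether an object file carries a .note.GNU-stack section.
# Arguments: $1 - object file path
# Outputs:   "yes" or "no" on stdout
#######################################
has_gnu_stack_note() {
  # NOTE(review): section presence is a proxy. A .note.GNU-stack section whose
  # flags include X still requests an executable stack, and the linked
  # artifact's PT_GNU_STACK flags (readelf -lW) are the authoritative signal —
  # confirm against the final library if a result looks surprising.
  if readelf -S "$1" | grep -qF '.note.GNU-stack'; then
    echo yes
  else
    echo no
  fi
}

#######################################
# Human-readable stack classification for a has_gnu_stack_note() answer.
# Arguments: $1 - "yes" or "no"
#######################################
describe_stack() {
  if [ "$1" = "yes" ]; then
    echo "RW (has .note.GNU-stack section)"
  else
    echo "RWE (missing .note.GNU-stack section)"
  fi
}

#######################################
# Insert the --noexecstack asm flag into $CC_BUILDER.
# The rewrite goes to a temporary file that is verified before it replaces the
# original, so a failed awk run can never leave cc_builder.rs truncated.
# Exits the script on failure.
#######################################
apply_fix() {
  local patched
  patched=$(mktemp "$WORK_DIR/cc_builder.XXXXXX") || die " ✗ ERROR: mktemp failed"

  # After the line matching `if !cflags.is_empty() {`, copy the next two lines
  # unchanged and then emit the new block. The awk program is single-quoted;
  # '\'' embeds the apostrophe of "AWS-LC's".
  if ! awk '
    /if !cflags.is_empty\(\) \{/ {
      print
      getline; print
      getline; print
      print ""
      print " // Add --noexecstack flag for assembly files to prevent executable stacks"
      print " // This matches AWS-LC'\''s CMake build (-Wa,--noexecstack)"
      print " // See: https://github.com/aws/aws-lc/blob/main/crypto/CMakeLists.txt#L77"
      print " if target_os() == \"linux\" || target_os().ends_with(\"bsd\") {"
      print " cc_build.asm_flag(\"-Wa,--noexecstack\");"
      print " }"
      print ""
      next
    }
    { print }
  ' "$CC_BUILDER" >"$patched"; then
    rm -f -- "$patched"
    echo " ✗ ERROR: Could not apply fix"
    exit 1
  fi

  # Check for the exact inserted flag rather than any asm_flag() call, which
  # the unpatched file might already contain.
  if [ ! -s "$patched" ] || ! grep -qF -- '-Wa,--noexecstack' "$patched"; then
    rm -f -- "$patched"
    echo " ✗ ERROR: Fix was not applied correctly"
    exit 1
  fi

  if ! mv -- "$patched" "$CC_BUILDER"; then
    rm -f -- "$patched"
    echo " ✗ ERROR: Could not apply fix"
    exit 1
  fi
  echo " ✓ Fix applied"
}

echo "============================================================"
echo " aws-lc-rs Executable Stack Fix Verification"
echo "============================================================"
echo ""

# Check system
echo "[1/8] Checking system requirements..."
if [ "$(uname -s)" != "Linux" ]; then
  echo "ERROR: Must run on Linux (detected: $(uname -s))"
  exit 1
fi
if [ "$(uname -m)" != "x86_64" ]; then
  echo "WARNING: Should run on x86_64 (detected: $(uname -m))"
fi

# Check tools
for tool in cargo readelf git; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "ERROR: $tool not found"
    exit 1
  fi
done
echo " ✓ Linux x86_64, cargo, readelf, git found"

# Setup
echo ""
echo "[2/8] Setting up test environment..."
mkdir -p "$WORK_DIR" "$LOG_DIR" || die "ERROR: cannot create $WORK_DIR"
cd "$WORK_DIR" || die "ERROR: cannot cd to $WORK_DIR"
echo " ✓ Working in: $WORK_DIR"

# Clone or update
echo ""
if [ -d "aws-lc-rs/.git" ]; then
  echo "[3/8] Updating existing aws-lc-rs clone..."
  cd aws-lc-rs || die " ✗ ERROR: cannot enter aws-lc-rs"
  git fetch origin main --quiet 2>"$LOG_DIR/git-error.log" || {
    echo " ⚠ Git fetch failed, will use existing state"
  }
  git checkout main --quiet 2>/dev/null
  git reset --hard origin/main --quiet 2>/dev/null || git reset --hard HEAD --quiet
  # -x also removes ignored files (presumably a previous target/), so the
  # BEFORE build starts from an unpatched, clean tree.
  git clean -fdx --quiet
  if ! init_submodule; then
    echo " ⚠ Submodule update failed, trying from scratch..."
    cd "$WORK_DIR" || die "ERROR: cannot cd to $WORK_DIR"
    # :? aborts rather than expanding to "/aws-lc-rs" if WORK_DIR is empty.
    rm -rf -- "${WORK_DIR:?}/aws-lc-rs"
    clone_fresh
  fi
  echo " ✓ Repository updated (reusing clone = faster)"
else
  echo "[3/8] Cloning aws-lc-rs (first run)..."
  clone_fresh
  echo " ✓ Repository cloned"
fi

# Build BEFORE
echo ""
echo "[4/8] Building BEFORE fix (this may take a few minutes)..."
build_sys "$LOG_DIR/build-before.log" "Build failed"

# Check BEFORE
echo ""
echo "[5/8] Checking executable stack BEFORE fix..."
OBJ_BEFORE=$(find_ntt_object)
if [ -z "$OBJ_BEFORE" ]; then
  echo " ⚠ WARNING: nttfrombytes.o not found"
  echo " This might be because:"
  echo " - cc_builder is not being used (cmake_builder used instead?)"
  echo " - Platform doesn't support ML-KEM native assembly"
  echo ""
  echo " Searching for any ML-KEM assembly files..."
  # shellcheck disable=SC2086 — the glob in BUILD_OUT_GLOB is meant to expand
  find $BUILD_OUT_GLOB \( -name "*ntt*.o" -o -name "*kem*.o" \) 2>/dev/null | head -10
  echo ""
  echo " Checking which builder was used..."
  grep -i "Building with" "$LOG_DIR/build-before.log" || echo " Unable to determine builder"
  exit 1
fi
echo " Found: $OBJ_BEFORE"
HAS_SECTION_BEFORE=$(has_gnu_stack_note "$OBJ_BEFORE")
RESULT_BEFORE=$(describe_stack "$HAS_SECTION_BEFORE")
echo " Result: $RESULT_BEFORE"

# Apply fix
echo ""
echo "[6/8] Applying fix..."
apply_fix

# Build AFTER
echo ""
echo "[7/8] Building AFTER fix (this may take a few minutes)..."
# Force the build script to rerun so the new asm flag actually takes effect.
cargo clean -p aws-lc-sys >/dev/null 2>&1
build_sys "$LOG_DIR/build-after.log" "Build failed after applying fix"

# Check AFTER
echo ""
echo "[8/8] Checking executable stack AFTER fix..."
OBJ_AFTER=$(find_ntt_object)
if [ -z "$OBJ_AFTER" ]; then
  echo " ✗ ERROR: nttfrombytes.o not found after rebuild"
  exit 1
fi
echo " Found: $OBJ_AFTER"
HAS_SECTION_AFTER=$(has_gnu_stack_note "$OBJ_AFTER")
RESULT_AFTER=$(describe_stack "$HAS_SECTION_AFTER")
echo " Result: $RESULT_AFTER"

# Summary
echo ""
echo "============================================================"
echo " RESULTS"
echo "============================================================"
echo ""
echo "BEFORE fix: $RESULT_BEFORE"
echo "AFTER fix: $RESULT_AFTER"
echo ""
if [ "$HAS_SECTION_BEFORE" = "no" ] && [ "$HAS_SECTION_AFTER" = "yes" ]; then
  echo "✓ SUCCESS: Fix works correctly!"
  echo " - BEFORE: Missing .note.GNU-stack section (implies executable stack)"
  echo " - AFTER: Has .note.GNU-stack section (non-executable stack)"
  EXIT_CODE=0
elif [ "$HAS_SECTION_BEFORE" = "yes" ]; then
  echo "✗ UNEXPECTED: Already fixed in main branch?"
  echo " - BEFORE already had .note.GNU-stack section"
  EXIT_CODE=1
elif [ "$HAS_SECTION_AFTER" = "no" ]; then
  echo "✗ FAILED: Fix did not work"
  echo " - AFTER still missing .note.GNU-stack section"
  EXIT_CODE=1
else
  echo "? UNKNOWN: Unexpected results"
  echo " - BEFORE has section: $HAS_SECTION_BEFORE"
  echo " - AFTER has section: $HAS_SECTION_AFTER"
  EXIT_CODE=1
fi
echo ""
echo "Build logs saved to:"
echo " $LOG_DIR/build-before.log"
echo " $LOG_DIR/build-after.log"
echo ""
echo "Working directory: $WORK_DIR"
echo "============================================================"
exit "$EXIT_CODE"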