From 9ee96d803ef8fb822a7d9b32572276b47d9575f4 Mon Sep 17 00:00:00 2001
From: Sebastian Ramacher <Sebastian.Ramacher@ait.ac.at>
Date: Wed, 31 Aug 2022 06:41:28 +0200
Subject: [PATCH] Ensure build without an executable stack (fixes #1285)
 (#1294)

* Ensure build without an executable stack (fixes #1285)

Until it is clear why the shared library on mips64el and hppa is built
with the executable bit set for the stack, build with both
`-Wa,--noexecstack` (for the assembler) and `-Wl,-z,--noexecstack` (for
the linker).

* Check if compiler/linker support flags for noexecstack before using them

* Add a warning if unable to check for support
---
 .CMake/compiler_opts.cmake | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/.CMake/compiler_opts.cmake b/.CMake/compiler_opts.cmake
index 72c741ad3..7acf88c89 100644
--- a/.CMake/compiler_opts.cmake
+++ b/.CMake/compiler_opts.cmake
@@ -11,6 +11,22 @@
 # If OQS_OPT_TARGET=auto we target the current CPU.
 # If OQS_OPT_TARGET=generic we target a generic CPU.
 # Otherwise we target the specified CPU.
+
+include(CheckCCompilerFlag)
+check_c_compiler_flag("-Wa,--noexecstack" CC_SUPPORTS_WA_NOEXECSTACK)
+
+if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.18")
+    include(CheckLinkerFlag)
+    check_linker_flag(C "-Wl,-z,noexecstack" LD_SUPPORTS_WL_Z_NOEXECSTACK)
+elseif(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.14")
+    set(TMP_TESTDIR "${CMAKE_BINARY_DIR}/test_noexecstack")
+    file(WRITE "${TMP_TESTDIR}/test.c" "int main() { return 0; }\n")
+    try_compile(LD_SUPPORTS_WL_Z_NOEXECSTACK "${TMP_TESTDIR}" "${TMP_TESTDIR}/test.c" LINK_OPTIONS "-Wl,-z,noexecstack")
+else()
+    message(WARNING "Unable to check if '-Wl,-z,noexecstack' is supported.")
+    set(LD_SUPPORTS_WL_Z_NOEXECSTACK FALSE)
+endif()
+
 set(OQS_OPT_FLAG "")
 if(CMAKE_C_COMPILER_ID MATCHES "Clang|GNU")
     if(${OQS_DIST_BUILD})
@@ -67,7 +83,12 @@ if(CMAKE_C_COMPILER_ID MATCHES "Clang")
     add_compile_options(-Wextra)
     add_compile_options(-Wpedantic)
     add_compile_options(-Wno-unused-command-line-argument)
-    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
+    if(CC_SUPPORTS_WA_NOEXECSTACK)
+        add_compile_options("-Wa,--noexecstack")
+    endif()
+    if(LD_SUPPORTS_WL_Z_NOEXECSTACK)
+        add_link_options("-Wl,-z,noexecstack")
+    endif()
 
     if(NOT ${OQS_BUILD_ONLY_LIB})
         set(THREADS_PREFER_PTHREAD_FLAG ON)
@@ -119,7 +140,12 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "GNU")
     add_compile_options(-Wfloat-equal)
     add_compile_options(-Wwrite-strings)
     if (NOT CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
+        if(CC_SUPPORTS_WA_NOEXECSTACK)
+            add_compile_options("-Wa,--noexecstack")
+        endif()
+        if(LD_SUPPORTS_WL_Z_NOEXECSTACK)
+            add_link_options("-Wl,-z,noexecstack")
+        endif()
     endif()
 
     if(NOT ${OQS_BUILD_ONLY_LIB})