Fix: Add -Wa,--noexecstack to cc_builder for assembly files (resolves #939)

[psifertex]

Summary

Fixes missing .note.GNU-stack sections in ML-KEM assembly object files when using cc_builder, which causes executable stacks on older Linux systems.

Problem

ML-KEM native x86_64 assembly files compiled by cc_builder are missing .note.GNU-stack sections. On older Linux systems, this results in executable stacks, bypassing DEP/NX protections.

Root Cause

• AWS-LC's CMake build uses -Wa,--noexecstack (crypto/CMakeLists.txt:77)
• cmake_builder passes this through correctly ✓
• cc_builder was missing this flag ✗

ML-KEM assembly files rely on the build system to add .note.GNU-stack sections via assembler flags (unlike s2n-bignum which has them in source).

Solution

Add -Wa,--noexecstack using cc-rs's asm_flag() method in prepare_builder().

Verification

Tested on x86_64 Linux:

Before fix:

readelf -S nttfrombytes.o | grep "\.note\.GNU-stack"
(no output - section missing)

After fix:

readelf -S nttfrombytes.o | grep "\.note\.GNU-stack"
[17] .note.GNU-stack   PROGBITS        0000000000000000  00000140

Full verification script available: verify-execstack-fix.sh

Impact

• Affected: aws-lc-rs >= v0.32.3 on x86_64 Linux using cc_builder
• Severity: Medium - Older Linux systems get executable stacks
• Modern systems: Unaffected (kernel defaults to non-executable stacks)

References

• mlkem-native handled this with linker flags: Issue #590, PR #592
• Hardened GNU stack quickstart

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.36%. Comparing base (c358484) to head (86be268).
⚠️ Report is 275 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #940      +/-   ##
==========================================
- Coverage   95.80%   92.36%   -3.44%     
==========================================
  Files          61       73      +12     
  Lines        8143     9659    +1516     
  Branches        0     9659    +9659     
==========================================
+ Hits         7801     8922    +1121     
- Misses        342      450     +108     
- Partials        0      287     +287     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[justsmth]

Thanks for the PR! We require that contributions be licensed the same as our library, and this is enforced by our CI. If you agree, would you add the following statement to the PR description, and I'll re-run the CI job:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[justsmth]

I verified that with this change, all object files contain the required section:

❯ for obj_file in $(find target -name "*.o"); do if readelf -S $obj_file | grep "\.note\.GNU-stack" > /dev/null; then x=1; else echo Not found in $obj_file; fi; done

❯ 

[psifertex]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.