authormaya <maya@pkgsrc.org>2017-07-28 23:40:07 +0000
committermaya <maya@pkgsrc.org>2017-07-28 23:40:07 +0000
commitbfbe34cdfe28e8041bb3c1f538bfde1d7a7ef075 (patch)
tree834cf4934c28a27b2546cfbb24f9696374bfaf99
parentf27254d06781df78db1f4d053f5fa3b35f50877e (diff)
downloadpkgsrc-bfbe34cdfe28e8041bb3c1f538bfde1d7a7ef075.tar.gz
gcc48: backport upstream security fix
Incorrect codegen from rdseed intrinsic use (CVE-2017-11671) We should not expand call arguments in between flags reg setting and flags reg using instructions, as it may expand with flags reg clobbering insn (ADD in this case). Attached patch moves expansion out of the link. Also, change zero-extension to non-flags reg clobbering sequence in case we perform zero-extension with and. 2017-03-25 Uros Bizjak
-rw-r--r--lang/gcc48/Makefile4
-rw-r--r--lang/gcc48/distinfo3
-rw-r--r--lang/gcc48/patches/patch-gcc_config_i386_i386.c81
3 files changed, 85 insertions, 3 deletions
diff --git a/lang/gcc48/Makefile b/lang/gcc48/Makefile
index 5105a51b749..18938a7a1b3 100644
--- a/lang/gcc48/Makefile
+++ b/lang/gcc48/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.36 2017/07/10 15:55:40 maya Exp $
+# $NetBSD: Makefile,v 1.37 2017/07/28 23:40:07 maya Exp $
GCC_PKGNAME= gcc48
.include "version.mk"
@@ -8,7 +8,7 @@ PKGNAME= ${GCC_PKGNAME}-${GCC48_DIST_VERSION}
## When bumping the PKGREVISION of this package the PKGREVISION of
## lang/gcc48-libs needs to be bump to be at least 1 more than the
## PKGREVISION of this package!
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= lang
MASTER_SITES= ${MASTER_SITE_GNU:=gcc/gcc-${GCC48_DIST_VERSION}/}
EXTRACT_SUFX= .tar.bz2
diff --git a/lang/gcc48/distinfo b/lang/gcc48/distinfo
index 96b2f8b3d01..9791ce2d685 100644
--- a/lang/gcc48/distinfo
+++ b/lang/gcc48/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2017/07/10 15:55:40 maya Exp $
+$NetBSD: distinfo,v 1.36 2017/07/28 23:40:07 maya Exp $
SHA1 (ecj-4.5.jar) = 58c1d79c64c8cd718550f32a932ccfde8d1e6449
RMD160 (ecj-4.5.jar) = d3f4da657f086b6423f74e93f001132f4855368a
@@ -37,6 +37,7 @@ SHA1 (patch-gcc_config_dragonfly.opt) = 92f615c73c2e94664bae5b5935ab8b09bca15f73
SHA1 (patch-gcc_config_exec-stack.h) = 8135806e88c1b136038bb240958a4435b4e0bbe3
SHA1 (patch-gcc_config_host-netbsd.c) = 765295f07edb8a68f1910e3a9b4dd2a7dcd491a5
SHA1 (patch-gcc_config_i386_dragonfly.h) = 0d3f785434c02beb9c4561fe59842a970e8f7896
+SHA1 (patch-gcc_config_i386_i386.c) = 17dad8b3283521d23ca08690eb447a0e4e694e4c
SHA1 (patch-gcc_config_i386_openbsd.h) = df5b85b5957392138f99085bd8ebeb923e37e9e7
SHA1 (patch-gcc_config_i386_openbsdelf.h) = 74498a1bd7c339c90b847740d3c474ad3ca4a956
SHA1 (patch-gcc_config_netbsd-stdint.h) = 025fc883101a187e84ed4c0772406720d645d550
diff --git a/lang/gcc48/patches/patch-gcc_config_i386_i386.c b/lang/gcc48/patches/patch-gcc_config_i386_i386.c
new file mode 100644
index 00000000000..1b98d78a0f5
--- /dev/null
+++ b/lang/gcc48/patches/patch-gcc_config_i386_i386.c
@@ -0,0 +1,81 @@
+$NetBSD: patch-gcc_config_i386_i386.c,v 1.3 2017/07/28 23:40:07 maya Exp $
+
+Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)
+
+We should not expand call arguments in between flags reg setting and
+flags reg using instructions, as it may expand with flags reg
+clobbering insn (ADD in this case).
+
+Attached patch moves expansion out of the link. Also, change
+zero-extension to non-flags reg clobbering sequence in case we perform
+zero-extension with and.
+
+2017-03-25 Uros Bizjak
+
+--- gcc/config/i386/i386.c.orig 2015-06-10 09:34:21.000000000 +0000
++++ gcc/config/i386/i386.c
+@@ -32099,9 +32099,6 @@ ix86_expand_builtin (tree exp, rtx targe
+ mode0 = DImode;
+
+ rdrand_step:
+- op0 = gen_reg_rtx (mode0);
+- emit_insn (GEN_FCN (icode) (op0));
+-
+ arg0 = CALL_EXPR_ARG (exp, 0);
+ op1 = expand_normal (arg0);
+ if (!address_operand (op1, VOIDmode))
+@@ -32109,6 +32106,10 @@ rdrand_step:
+ op1 = convert_memory_address (Pmode, op1);
+ op1 = copy_addr_to_reg (op1);
+ }
++
++ op0 = gen_reg_rtx (mode0);
++ emit_insn (GEN_FCN (icode) (op0));
++
+ emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
+
+ op1 = gen_reg_rtx (SImode);
+@@ -32117,8 +32118,20 @@ rdrand_step:
+ /* Emit SImode conditional move. */
+ if (mode0 == HImode)
+ {
+- op2 = gen_reg_rtx (SImode);
+- emit_insn (gen_zero_extendhisi2 (op2, op0));
++ if (TARGET_ZERO_EXTEND_WITH_AND
++ && optimize_function_for_speed_p (cfun))
++ {
++ op2 = force_reg (SImode, const0_rtx);
++
++ emit_insn (gen_movstricthi
++ (gen_lowpart (HImode, op2), op0));
++ }
++ else
++ {
++ op2 = gen_reg_rtx (SImode);
++
++ emit_insn (gen_zero_extendhisi2 (op2, op0));
++ }
+ }
+ else if (mode0 == SImode)
+ op2 = op0;
+@@ -32150,9 +32163,6 @@ rdrand_step:
+ mode0 = DImode;
+
+ rdseed_step:
+- op0 = gen_reg_rtx (mode0);
+- emit_insn (GEN_FCN (icode) (op0));
+-
+ arg0 = CALL_EXPR_ARG (exp, 0);
+ op1 = expand_normal (arg0);
+ if (!address_operand (op1, VOIDmode))
+@@ -32160,6 +32170,10 @@ rdseed_step:
+ op1 = convert_memory_address (Pmode, op1);
+ op1 = copy_addr_to_reg (op1);
+ }
++
++ op0 = gen_reg_rtx (mode0);
++ emit_insn (GEN_FCN (icode) (op0));
++
+ emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
+
+ op2 = gen_reg_rtx (QImode);
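Review bot: The patch header identifies the fix only by CVE number, author and date; it gives no upstream bug or revision, so the nested hunks cannot be checked against the upstream change from this file alone. I would add a line such as `Upstream: <upstream bug or revision id>` under the `2017-03-25 Uros Bizjak` line. In the code, the new `TARGET_ZERO_EXTEND_WITH_AND` branch under rdrand_step carries no comment, so the reason for avoiding `gen_zero_extendhisi2` there is recorded only in this header; a one-line comment such as `/* Zero-extend without AND so the flags set by the rdrand insn reach the conditional move. */` would keep it next to the code. The fix changes only what the compiler emits from now on, so objects already built with the previous PKGREVISION that use these intrinsics presumably keep the old sequence until rebuilt. The body of ix86_expand_builtin starts and ends outside the nested hunks.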