From bfbe34cdfe28e8041bb3c1f538bfde1d7a7ef075 Mon Sep 17 00:00:00 2001
From: maya <maya@pkgsrc.org>
Date: Fri, 28 Jul 2017 23:40:07 +0000
Subject: gcc48: backport upstream security fix Incorrect codegen from rdseed
 intrinsic use (CVE-2017-11671)

We should not expand call arguments in between flags reg setting and
flags reg using instructions, as it may expand with flags reg
clobbering insn (ADD in this case).

Attached patch moves expansion out of the link. Also, change
zero-extension to non-flags reg clobbering sequence in case we perform
zero-extension with and.

2017-03-25  Uros Bizjak
---
 lang/gcc48/Makefile                             |  4 +-
 lang/gcc48/distinfo                             |  3 +-
 lang/gcc48/patches/patch-gcc_config_i386_i386.c | 81 +++++++++++++++++++++++++
 3 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 lang/gcc48/patches/patch-gcc_config_i386_i386.c

diff --git a/lang/gcc48/Makefile b/lang/gcc48/Makefile
index 5105a51b749..18938a7a1b3 100644
--- a/lang/gcc48/Makefile
+++ b/lang/gcc48/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.36 2017/07/10 15:55:40 maya Exp $
+# $NetBSD: Makefile,v 1.37 2017/07/28 23:40:07 maya Exp $
 
 GCC_PKGNAME=	gcc48
 .include	"version.mk"
@@ -8,7 +8,7 @@ PKGNAME=	${GCC_PKGNAME}-${GCC48_DIST_VERSION}
 ## When bumping the PKGREVISION of this package the PKGREVISION of
 ## lang/gcc48-libs needs to be bump to be at least 1 more than the
 ## PKGREVISION of this package!
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	lang
 MASTER_SITES=	${MASTER_SITE_GNU:=gcc/gcc-${GCC48_DIST_VERSION}/}
 EXTRACT_SUFX=	.tar.bz2
diff --git a/lang/gcc48/distinfo b/lang/gcc48/distinfo
index 96b2f8b3d01..9791ce2d685 100644
--- a/lang/gcc48/distinfo
+++ b/lang/gcc48/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2017/07/10 15:55:40 maya Exp $
+$NetBSD: distinfo,v 1.36 2017/07/28 23:40:07 maya Exp $
 
 SHA1 (ecj-4.5.jar) = 58c1d79c64c8cd718550f32a932ccfde8d1e6449
 RMD160 (ecj-4.5.jar) = d3f4da657f086b6423f74e93f001132f4855368a
@@ -37,6 +37,7 @@ SHA1 (patch-gcc_config_dragonfly.opt) = 92f615c73c2e94664bae5b5935ab8b09bca15f73
 SHA1 (patch-gcc_config_exec-stack.h) = 8135806e88c1b136038bb240958a4435b4e0bbe3
 SHA1 (patch-gcc_config_host-netbsd.c) = 765295f07edb8a68f1910e3a9b4dd2a7dcd491a5
 SHA1 (patch-gcc_config_i386_dragonfly.h) = 0d3f785434c02beb9c4561fe59842a970e8f7896
+SHA1 (patch-gcc_config_i386_i386.c) = 17dad8b3283521d23ca08690eb447a0e4e694e4c
 SHA1 (patch-gcc_config_i386_openbsd.h) = df5b85b5957392138f99085bd8ebeb923e37e9e7
 SHA1 (patch-gcc_config_i386_openbsdelf.h) = 74498a1bd7c339c90b847740d3c474ad3ca4a956
 SHA1 (patch-gcc_config_netbsd-stdint.h) = 025fc883101a187e84ed4c0772406720d645d550
diff --git a/lang/gcc48/patches/patch-gcc_config_i386_i386.c b/lang/gcc48/patches/patch-gcc_config_i386_i386.c
new file mode 100644
index 00000000000..1b98d78a0f5
--- /dev/null
+++ b/lang/gcc48/patches/patch-gcc_config_i386_i386.c
@@ -0,0 +1,81 @@
+$NetBSD: patch-gcc_config_i386_i386.c,v 1.3 2017/07/28 23:40:07 maya Exp $
+
+Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)
+
+We should not expand call arguments in between flags reg setting and
+flags reg using instructions, as it may expand with flags reg
+clobbering insn (ADD in this case).
+
+Attached patch moves expansion out of the link. Also, change
+zero-extension to non-flags reg clobbering sequence in case we perform
+zero-extension with and.
+
+2017-03-25  Uros Bizjak
+
+--- gcc/config/i386/i386.c.orig	2015-06-10 09:34:21.000000000 +0000
++++ gcc/config/i386/i386.c
+@@ -32099,9 +32099,6 @@ ix86_expand_builtin (tree exp, rtx targe
+       mode0 = DImode;
+ 
+ rdrand_step:
+-      op0 = gen_reg_rtx (mode0);
+-      emit_insn (GEN_FCN (icode) (op0));
+-
+       arg0 = CALL_EXPR_ARG (exp, 0);
+       op1 = expand_normal (arg0);
+       if (!address_operand (op1, VOIDmode))
+@@ -32109,6 +32106,10 @@ rdrand_step:
+ 	  op1 = convert_memory_address (Pmode, op1);
+ 	  op1 = copy_addr_to_reg (op1);
+ 	}
++
++      op0 = gen_reg_rtx (mode0);
++      emit_insn (GEN_FCN (icode) (op0));
++
+       emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
+ 
+       op1 = gen_reg_rtx (SImode);
+@@ -32117,8 +32118,20 @@ rdrand_step:
+       /* Emit SImode conditional move.  */
+       if (mode0 == HImode)
+ 	{
+-	  op2 = gen_reg_rtx (SImode);
+-	  emit_insn (gen_zero_extendhisi2 (op2, op0));
++	  if (TARGET_ZERO_EXTEND_WITH_AND
++	      && optimize_function_for_speed_p (cfun))
++	    {
++	      op2 = force_reg (SImode, const0_rtx);
++
++	      emit_insn (gen_movstricthi
++			 (gen_lowpart (HImode, op2), op0));
++	    }
++	  else
++	    {
++	      op2 = gen_reg_rtx (SImode);
++
++	      emit_insn (gen_zero_extendhisi2 (op2, op0));
++	    }
+ 	}
+       else if (mode0 == SImode)
+ 	op2 = op0;
+@@ -32150,9 +32163,6 @@ rdrand_step:
+       mode0 = DImode;
+ 
+ rdseed_step:
+-      op0 = gen_reg_rtx (mode0);
+-      emit_insn (GEN_FCN (icode) (op0));
+-
+       arg0 = CALL_EXPR_ARG (exp, 0);
+       op1 = expand_normal (arg0);
+       if (!address_operand (op1, VOIDmode))
+@@ -32160,6 +32170,10 @@ rdseed_step:
+ 	  op1 = convert_memory_address (Pmode, op1);
+ 	  op1 = copy_addr_to_reg (op1);
+ 	}
++
++      op0 = gen_reg_rtx (mode0);
++      emit_insn (GEN_FCN (icode) (op0));
++
+       emit_move_insn (gen_rtx_MEM (mode0, op1), op0);
+ 
+       op2 = gen_reg_rtx (QImode);
-- 
cgit v1.2.3