[OE-core] [thud][PATCH v5] gcc: Security fix for CVE: <CVE-2019-15847>
Muminul Islam
misla011 at fiu.edu
Fri Sep 20 03:07:59 UTC 2019
Signed-off-by: Muminul Islam <muislam at microsoft.com>
---
meta/recipes-devtools/gcc/gcc-8.2.inc | 3 +
.../gcc/gcc-8.2/CVE-2019-15847_p1.patch | 223 ++++++++++++++++++
.../gcc/gcc-8.2/CVE-2019-15847_p2.patch | 47 ++++
.../gcc/gcc-8.2/CVE-2019-15847_p3.patch | 38 +++
4 files changed, 311 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p2.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p3.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.2.inc b/meta/recipes-devtools/gcc/gcc-8.2.inc
index 866a77558b..65fd29d943 100644
--- a/meta/recipes-devtools/gcc/gcc-8.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.2.inc
@@ -70,6 +70,9 @@ SRC_URI = "\
file://0039-Fix-for-testsuite-failure.patch \
file://0040-Re-introduce-spe-commandline-options.patch \
file://0041-ARC-fix-spec-gen.patch \
+ file://CVE-2019-15847_p1.patch \
+ file://CVE-2019-15847_p2.patch \
+ file://CVE-2019-15847_p3.patch \
${BACKPORTS} \
"
BACKPORTS = "\
diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
new file mode 100644
index 0000000000..6e73564266
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
@@ -0,0 +1,223 @@
+From eebe740f9142ee15bd997c480df0e1f61ac6ffd1 Mon Sep 17 00:00:00 2001
+From: segher <segher at 138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 30 Aug 2019 14:15:39 +0000
+Subject: [PATCH] Backport from trunk 2019-08-22 Segher Boessenkool
+ <segher at kernel.crashing.org>
+Reply-To: muislam at microsoft.com
+
+ PR target/91481
+ * config/rs6000/rs6000.md (unspec): Delete UNSPEC_DARN, UNSPEC_DARN_32,
+ and UNSPEC_DARN_RAW.
+ (unspecv): New enumerator values UNSPECV_DARN, UNSPECV_DARN_32, and
+ UNSPECV_DARN_RAW.
+ (darn_32): Use an unspec_volatile, and UNSPECV_DARN_32.
+ (darn_raw): Use an unspec_volatile, and UNSPECV_DARN_RAW.
+ (darn): Use an unspec_volatile, and UNSPECV_DARN.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275181 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Muminul Islam <muislam at microsoft.com>
+
+CVE: CVE-2019-15847
+
+Upstream-Status: Backport
+---
+ gcc/config/rs6000/rs6000.md | 169 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 169 insertions(+)
+
+diff --git a/gcc/config/rs6000/rs6000.md b/gcc/config/rs6000/rs6000.md
+index 60058814b8a..f540b033541 100644
+--- a/gcc/config/rs6000/rs6000.md
++++ b/gcc/config/rs6000/rs6000.md
+@@ -136,6 +136,9 @@
+ UNSPEC_LSQ
+ UNSPEC_FUSION_GPR
+ UNSPEC_STACK_CHECK
++ UNSPEC_CMPRB
++ UNSPEC_CMPRB2
++ UNSPEC_CMPEQB
+ UNSPEC_FUSION_P9
+ UNSPEC_FUSION_ADDIS
+ UNSPEC_ADD_ROUND_TO_ODD
+@@ -162,6 +165,9 @@
+ UNSPECV_EH_RR ; eh_reg_restore
+ UNSPECV_ISYNC ; isync instruction
+ UNSPECV_MFTB ; move from time base
++ UNSPECV_DARN ; darn 1 (deliver a random number)
++ UNSPECV_DARN_32 ; darn 2
++ UNSPECV_DARN_RAW ; darn 0
+ UNSPECV_NLGR ; non-local goto receiver
+ UNSPECV_MFFS ; Move from FPSCR
+ UNSPECV_MTFSF ; Move to FPSCR Fields
+@@ -14602,6 +14608,169 @@
+ "xscmpuqp %0,%1,%2"
+ [(set_attr "type" "veccmp")
+ (set_attr "size" "128")])
++
++;; Miscellaneous ISA 3.0 (power9) instructions
++
++(define_insn "darn_32"
++ [(set (match_operand:SI 0 "register_operand" "=r")
++ (unspec_volatile:SI [(const_int 0)] UNSPECV_DARN_32))]
++ "TARGET_P9_MISC"
++ "darn %0,0"
++ [(set_attr "type" "integer")])
++
++(define_insn "darn_raw"
++ [(set (match_operand:DI 0 "register_operand" "=r")
++ (unspec_volatile:DI [(const_int 0)] UNSPECV_DARN_RAW))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++ "darn %0,2"
++ [(set_attr "type" "integer")])
++
++(define_insn "darn"
++ [(set (match_operand:DI 0 "register_operand" "=r")
++ (unspec_volatile:DI [(const_int 0)] UNSPECV_DARN))]
++ "TARGET_P9_MISC && TARGET_64BIT"
++ "darn %0,1"
++ [(set_attr "type" "integer")])
++
++;; Test byte within range.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as xx:xx:hi:lo.
++;;
++;; Return in target register operand 0 a value of 1 if lo <= vv and
++;; vv <= hi. Otherwise, set register operand 0 to 0.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation only operates on
++;; SI-mode operands as the high-order bits provide no information
++;; that is not already available in the low-order bits. To avoid the
++;; costs of data widening operations, future enhancements might allow
++;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
++(define_expand "cmprb"
++ [(set (match_dup 3)
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB))
++ (set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_dup 3)
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 3)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++{
++ operands[3] = gen_reg_rtx (CCmode);
++})
++
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as xx:xx:hi:lo.
++;;
++;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
++;; lo <= vv and vv <= hi. Otherwise, set the GT bit to 0. The other
++;; 3 bits of the target CR register are all set to 0.
++(define_insn "*cmprb_internal"
++ [(set (match_operand:CC 0 "cc_reg_operand" "=y")
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB))]
++ "TARGET_P9_MISC"
++ "cmprb %0,0,%1,%2"
++ [(set_attr "type" "logical")])
++
++;; Set operand 0 register to -1 if the LT bit (0x8) of condition
++;; register operand 1 is on. Otherwise, set operand 0 register to 1
++;; if the GT bit (0x4) of condition register operand 1 is on.
++;; Otherwise, set operand 0 to 0. Note that the result stored into
++;; register operand 0 is non-zero iff either the LT or GT bits are on
++;; within condition register operand 1.
++(define_insn "setb_signed"
++ [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_operand:CC 1 "cc_reg_operand" "y")
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 1)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++ "setb %0,%1"
++ [(set_attr "type" "logical")])
++
++(define_insn "setb_unsigned"
++ [(set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (ltu (match_operand:CCUNS 1 "cc_reg_operand" "y")
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gtu (match_dup 1)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++ "setb %0,%1"
++ [(set_attr "type" "logical")])
++
++;; Test byte within two ranges.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
++;;
++;; Return in target register operand 0 a value of 1 if (lo_1 <= vv and
++;; vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2). Otherwise, set register
++;; operand 0 to 0.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation only operates on
++;; SI-mode operands as the high-order bits provide no information
++;; that is not already available in the low-order bits. To avoid the
++;; costs of data widening operations, future enhancements might allow
++;; DI mode for operand 0 and/or might allow operand 1 to be QI mode.
++(define_expand "cmprb2"
++ [(set (match_dup 3)
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB2))
++ (set (match_operand:SI 0 "gpc_reg_operand" "=r")
++ (if_then_else:SI (lt (match_dup 3)
++ (const_int 0))
++ (const_int -1)
++ (if_then_else (gt (match_dup 3)
++ (const_int 0))
++ (const_int 1)
++ (const_int 0))))]
++ "TARGET_P9_MISC"
++{
++ operands[3] = gen_reg_rtx (CCmode);
++})
++
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the ranges specified by operand 2.
++;; The bytes of operand 2 are organized as hi_1:lo_1:hi_2:lo_2.
++;;
++;; Set bit 1 (the GT bit, 0x4) of CR register operand 0 to 1 if
++;; (lo_1 <= vv and vv <= hi_1) or if (lo_2 <= vv and vv <= hi_2).
++;; Otherwise, set the GT bit to 0. The other 3 bits of the target
++;; CR register are all set to 0.
++(define_insn "*cmprb2_internal"
++ [(set (match_operand:CC 0 "cc_reg_operand" "=y")
++ (unspec:CC [(match_operand:SI 1 "gpc_reg_operand" "r")
++ (match_operand:SI 2 "gpc_reg_operand" "r")]
++ UNSPEC_CMPRB2))]
++ "TARGET_P9_MISC"
++ "cmprb %0,1,%1,%2"
++ [(set_attr "type" "logical")])
+
+
+
+--
+2.23.0
+
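Review bot: The embedded rs6000.md diff does not match its own ChangeLog: the ChangeLog describes deleting `UNSPEC_DARN`, `UNSPEC_DARN_32` and `UNSPEC_DARN_RAW` and converting the three darn patterns, yet the diffstat shows `169 insertions(+)` and no deletions, and the last inner hunk adds complete `darn*`, `cmprb*` and `setb_*` definitions plus `UNSPEC_CMPRB`, `UNSPEC_CMPRB2` and `UNSPEC_CMPEQB`, which the ChangeLog never mentions. If gcc 8.2's rs6000.md already defines these patterns (not visible from this page), the old `unspec` darn definitions would remain beside the new `unspec_volatile` ones, so the build may reject the duplicates or the optimizer may still be able to combine darn calls. Regenerate the backport against the 8.2 tree so it only rewrites the existing patterns, and confirm with darn-3.c from the _p2 patch that four `darn` instructions are emitted. Separately, the enum comments `; darn 2` on `UNSPECV_DARN_32` and `; darn 0` on `UNSPECV_DARN_RAW` disagree with the templates `darn %0,0` and `darn %0,2`; comments such as `; darn 0 (32-bit)` and `; darn 2 (raw)` would match the code.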
diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p2.patch b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p2.patch
new file mode 100644
index 0000000000..4f64c39b0a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p2.patch
@@ -0,0 +1,47 @@
+From f2b99d05bb2721e062404afdfb05e570e68b4ced Mon Sep 17 00:00:00 2001
+From: segher <segher at 138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 30 Aug 2019 14:17:20 +0000
+Subject: [PATCH] Backport from trunk 2019-08-23 Segher Boessenkool
+ <segher at kernel.crashing.org>
+Reply-To: muislam at microsoft.com
+
+gcc/testsuite/
+ PR target/91481
+ * gcc.target/powerpc/darn-3.c: New testcase.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275182 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Muminul Islam <muislam at microsoft.com>
+
+CVE: CVE-2019-15847
+
+Upstream-Status: Backport
+---
+ gcc/testsuite/gcc.target/powerpc/darn-3.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+ create mode 100644 gcc/testsuite/gcc.target/powerpc/darn-3.c
+
+diff --git a/gcc/testsuite/gcc.target/powerpc/darn-3.c b/gcc/testsuite/gcc.target/powerpc/darn-3.c
+new file mode 100644
+index 00000000000..477901fde70
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/powerpc/darn-3.c
+@@ -0,0 +1,16 @@
++/* { dg-do compile { target { powerpc*-*-* } } } */
++/* { dg-skip-if "" { powerpc*-*-aix* } } */
++/* { dg-options "-O2 -mdejagnu-cpu=power9" } */
++
++static int darn32(void) { return __builtin_darn_32(); }
++
++int four(void)
++{
++ int sum = 0;
++ int i;
++ for (i = 0; i < 4; i++)
++ sum += darn32();
++ return sum;
++}
++
++/* { dg-final { scan-assembler-times {(?n)\mdarn .*,0\M} 4 } } */
+--
+2.23.0
+
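Review bot: darn-3.c only exercises `__builtin_darn_32`, so the `darn` and `darn_raw` patterns that the _p1 patch also switches to `unspec_volatile` have no regression check in this series. Because this is a verbatim upstream backport, the gap is probably best closed during validation rather than in the patch, for instance by compiling an equivalent loop over `__builtin_darn` and `__builtin_darn_raw` on a 64-bit target and checking the emitted instruction count. The test is also compile-only (`dg-do compile` with `scan-assembler-times`), so it shows that four instructions are emitted and says nothing about runtime behaviour.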
diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p3.patch b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p3.patch
new file mode 100644
index 0000000000..0ab7544caa
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p3.patch
@@ -0,0 +1,38 @@
+From f4721625a060ad708c0b7d02d3d6b3a581e7d885 Mon Sep 17 00:00:00 2001
+From: segher <segher at 138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Sat, 31 Aug 2019 18:58:04 +0000
+Subject: [PATCH] rs6000: Fix darn-3.c for GCC 8 and GCC 7
+Reply-To: muislam at microsoft.com
+
+Apparently I didn't properly test the testcase backport to GCC 8 and
+GCC 7. This makes it not fail there.
+
+ PR target/91481
+ * gcc.target/powerpc/darn-3.c: Fix testcase.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275244 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Muminul Islam <muislam at microsoft.com>
+
+CVE: CVE-2019-15847
+
+Upstream-Status: Backport
+---
+ gcc/testsuite/gcc.target/powerpc/darn-3.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gcc/testsuite/gcc.target/powerpc/darn-3.c b/gcc/testsuite/gcc.target/powerpc/darn-3.c
+index 477901fde70..96ac21fc58c 100644
+--- a/gcc/testsuite/gcc.target/powerpc/darn-3.c
++++ b/gcc/testsuite/gcc.target/powerpc/darn-3.c
+@@ -1,6 +1,7 @@
+ /* { dg-do compile { target { powerpc*-*-* } } } */
+ /* { dg-skip-if "" { powerpc*-*-aix* } } */
+-/* { dg-options "-O2 -mdejagnu-cpu=power9" } */
++/* { dg-skip-if "do not override -mcpu" { powerpc*-*-* } { "-mcpu=*" } { "-mcpu=power9" } } */
++/* { dg-options "-O2 -mcpu=power9" } */
+
+ static int darn32(void) { return __builtin_darn_32(); }
+
+--
+2.23.0
+
--
2.23.0