Re: [OE-core] [thud][PATCH v4] gcc: CVE fix for gcc

[Mikko.Rapeli]

Looks ok, though I would consider updating to point releases or latest
versions of the gcc-8 stable tree, where these patches are already backported
by upstream developers. The 8.3 update does not have this CVE patch, but
a lot of bug fixes which should be useful for gcc 8 users.

Reviewed-by: Mikko Rapeli 

-Mikko
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

[OE-core] [thud][PATCH v4] gcc: CVE fix for gcc

[Muminul Islam]

Signed-off-by: Muminul Islam 
---
 meta/recipes-devtools/gcc/gcc-8.2.inc |   3 +
 .../gcc/gcc-8.2/CVE-2019-15847_p1.patch   | 222 ++
 .../gcc/gcc-8.2/CVE-2019-15847_p2.patch   |  47 
 .../gcc/gcc-8.2/CVE-2019-15847_p3.patch   |  38 +++
 4 files changed, 310 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p2.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p3.patch

diff --git a/meta/recipes-devtools/gcc/gcc-8.2.inc 
b/meta/recipes-devtools/gcc/gcc-8.2.inc
index 866a77558b..65fd29d943 100644
--- a/meta/recipes-devtools/gcc/gcc-8.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.2.inc
@@ -70,6 +70,9 @@ SRC_URI = "\
file://0039-Fix-for-testsuite-failure.patch \
file://0040-Re-introduce-spe-commandline-options.patch \
file://0041-ARC-fix-spec-gen.patch \
+   file://CVE-2019-15847_p1.patch \
+   file://CVE-2019-15847_p2.patch \
+   file://CVE-2019-15847_p3.patch \
${BACKPORTS} \
 "
 BACKPORTS = "\
diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch 
b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
new file mode 100644
index 00..61fd5f341b
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-15847_p1.patch
@@ -0,0 +1,222 @@
+From eebe740f9142ee15bd997c480df0e1f61ac6ffd1 Mon Sep 17 00:00:00 2001
+From: segher 
+Date: Fri, 30 Aug 2019 14:15:39 +
+Subject: [PATCH]   Backport from trunk 2019-08-22  Segher Boessenkool
+  
+Reply-To: muis...@microsoft.com
+
+   PR target/91481
+   * config/rs6000/rs6000.md (unspec): Delete UNSPEC_DARN, UNSPEC_DARN_32,
+   and UNSPEC_DARN_RAW.
+   (unspecv): New enumerator values UNSPECV_DARN, UNSPECV_DARN_32, and
+   UNSPECV_DARN_RAW.
+   (darn_32): Use an unspec_volatile, and UNSPECV_DARN_32.
+   (darn_raw): Use an unspec_volatile, and UNSPECV_DARN_RAW.
+   (darn): Use an unspec_volatile, and UNSPECV_DARN.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@275181 
138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Muminul Islam 
+
+CVE: CVE-2019-15847
+
+Upstream-Status: Backport
+---
+ gcc/config/rs6000/rs6000.md | 169 
+ 1 file changed, 169 insertions(+)
+
+diff --git a/gcc/config/rs6000/rs6000.md b/gcc/config/rs6000/rs6000.md
+index 60058814b8a..f540b033541 100644
+--- a/gcc/config/rs6000/rs6000.md
 b/gcc/config/rs6000/rs6000.md
+@@ -136,6 +136,9 @@
+UNSPEC_LSQ
+UNSPEC_FUSION_GPR
+UNSPEC_STACK_CHECK
++   UNSPEC_CMPRB
++   UNSPEC_CMPRB2
++   UNSPEC_CMPEQB
+UNSPEC_FUSION_P9
+UNSPEC_FUSION_ADDIS
+UNSPEC_ADD_ROUND_TO_ODD
+@@ -162,6 +165,9 @@
+UNSPECV_EH_RR  ; eh_reg_restore
+UNSPECV_ISYNC  ; isync instruction
+UNSPECV_MFTB   ; move from time base
++   UNSPECV_DARN   ; darn 1 (deliver a random number)
++   UNSPECV_DARN_32; darn 2
++   UNSPECV_DARN_RAW   ; darn 0
+UNSPECV_NLGR   ; non-local goto receiver
+UNSPECV_MFFS   ; Move from FPSCR
+UNSPECV_MTFSF  ; Move to FPSCR Fields
+@@ -14602,6 +14608,169 @@
+"xscmpuqp %0,%1,%2"
+   [(set_attr "type" "veccmp")
+(set_attr "size" "128")])
++
++;; Miscellaneous ISA 3.0 (power9) instructions
++
++(define_insn "darn_32"
++  [(set (match_operand:SI 0 "register_operand" "=r")
++(unspec_volatile:SI [(const_int 0)] UNSPECV_DARN_32))]
++  "TARGET_P9_MISC"
++  "darn %0,0"
++  [(set_attr "type" "integer")])
++
++(define_insn "darn_raw"
++  [(set (match_operand:DI 0 "register_operand" "=r")
++(unspec_volatile:DI [(const_int 0)] UNSPECV_DARN_RAW))]
++  "TARGET_P9_MISC && TARGET_64BIT"
++  "darn %0,2"
++  [(set_attr "type" "integer")])
++
++(define_insn "darn"
++  [(set (match_operand:DI 0 "register_operand" "=r")
++(unspec_volatile:DI [(const_int 0)] UNSPECV_DARN))]
++  "TARGET_P9_MISC && TARGET_64BIT"
++  "darn %0,1"
++  [(set_attr "type" "integer")])
++
++;; Test byte within range.
++;;
++;; The bytes of operand 1 are organized as xx:xx:xx:vv, where xx
++;; represents a byte whose value is ignored in this context and
++;; vv, the least significant byte, holds the byte value that is to
++;; be tested for membership within the range specified by operand 2.
++;; The bytes of operand 2 are organized as xx:xx:hi:lo.
++;;
++;; Return in target register operand 0 a value of 1 if lo <= vv and
++;; vv <= hi.  Otherwise, set register operand 0 to 0.
++;;
++;; Though the instructions to which this expansion maps operate on
++;; 64-bit registers, the current implementation only operates on
++;; SI-mode operands as the high-order bits provide no information
++;; that is not already available in the low-order bits.  To avoid the
++;; costs of data widening operations,