Bug 80180 (CVE-2017-11671)

Summary: Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)
Product: gcc
Reporter: Todd Eisenberger <teisenbe>
Component: target
Assignee: Uroš Bizjak <ubizjak>
Status: RESOLVED FIXED
Severity: normal
CC: fw, roland
Priority: P3
Version: 6.2.0
Target Milestone: 5.5
URL: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html
Target: x86_64-elf
Attachments: Preprocessed source file

Description Todd Eisenberger 2017-03-25 00:57:49 UTC
Created attachment 41051
Preprocessed source file

When the attached source is compiled, the resulting assembly improperly handles the success bit (CF) for rdseed.  The instruction immediately following "rdseed %rax" is "testl %r8d, %r8d" which clears CF.  The debug information does identify the "setc" that should follow rdseed, but it is nowhere near the rdseed instruction.

gcc -v output:
Using built-in specs.
COLLECT_GCC=./prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/x86_64-elf-gcc
COLLECT_LTO_WRAPPER=/home/teisenbe/src/magenta/magenta/prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/../libexec/gcc/x86_64-elf/6.2.0/lto-wrapper
Target: x86_64-elf
Configured with: ../gcc-6.2.0/configure --with-included-gettext --target=x86_64-elf --prefix=/home/phosek/fuchsia/third_party/gcc_none_toolchains/x86_64-elf-6.2.0-Linux-x86_64 --enable-languages=c,c++ --disable-werror --enable-initfini-array
Thread model: single
gcc version 6.2.0 (GCC) 

Command used to generate:
./prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/x86_64-elf-gcc -O2  -g -finline -include ./build-magenta-pc-x86-64/config-global.h -Wall -Wextra -Wno-multichar -Werror -Wno-error=deprecated-declarations -Wno-unused-parameter -Wno-unused-function -Wno-unused-label -Werror=return-type -fno-common -Wno-nonnull-compare -fasynchronous-unwind-tables -ffunction-sections -fdata-sections -fno-pic -ffreestanding -include ./build-magenta-pc-x86-64/config-kernel.h -Wformat=2 -Wformat-signedness -fno-omit-frame-pointer -falign-jumps=1 -falign-loops=1 -falign-functions=4 -msoft-float -mno-mmx -mno-sse -mno-sse2 -mno-3dnow -mno-avx -mno-avx2 -mno-80387 -mno-fp-ret-in-387 -mcmodel=kernel -mno-red-zone -mskip-rax-setup   -mrdseed --include ./build-magenta-pc-x86-64/dev/intel_rng/config-module.h --std=c11 -Werror-implicit-function-declaration -Wstrict-prototypes -Wwrite-strings  -Wmissing-prototypes   -Isystem/public -Isystem/private -I./build-magenta-pc-x86-64/gen/include -I./build-magenta-pc-x86-64 -Ikernel/include -Isystem/include -Ithird_party/include -Ikernel/target/pc-x86/include -Ikernel/platform/pc/include -Ikernel/arch/x86/include -Ikernel/top/include -Ikernel/kernel/include -Ikernel/app/include -Ikernel/app/stringtests/include -Ikernel/app/tests/include -Ikernel/dev/include -Ikernel/dev/intel_rng/include -Ikernel/dev/interrupt/include -Ikernel/dev/pcie/include -Isystem/ulib/bitmap/include -Ikernel/lib/bitmap/include -Ikernel/lib/cbuf/include -Ikernel/lib/debugcommands/include -Ikernel/lib/debuglog/include -Ikernel/lib/fixed_point/include -Ikernel/lib/gfxconsole/include -Ikernel/lib/ktrace/include -Ikernel/lib/mtrace/include -Ikernel/lib/pow2_range_allocator/include -Ikernel/lib/syscalls/include -Ikernel/lib/userboot/include -Ikernel/lib/version/include -Ikernel/platform/include -Ikernel/target/include -Ithird_party/lib/acpica/source/include -Ithird_party/lib/acpica/include -Ikernel/dev/hw_rng/include -Ikernel/kernel/vm/include -Ikernel/lib/console/include 
-Ikernel/lib/crypto/include -Ikernel/lib/debug/include -Ikernel/lib/font/include -Ikernel/lib/gfx/include -Ikernel/lib/header_tests/include -Ikernel/lib/heap/include -Ikernel/lib/heap/include -Ikernel/lib/libc/include -Ikernel/lib/magenta/include -Ikernel/lib/mxtl/include -Isystem/ulib/mxtl/include -Ikernel/lib/mxtl/include -Isystem/ulib/region-alloc/include -Ikernel/lib/region-alloc/include -Ikernel/lib/unittest/include -Ikernel/lib/user_copy/include -Ikernel/lib/vdso/include -Ithird_party/lib/safeint/source/include -Ithird_party/lib/safeint/include -Ikernel/dev/udisplay/include -Ikernel/lib/dpc/include -Ikernel/lib/heap/cmpctmalloc/include -Ikernel/lib/io/include -Ithird_party/ulib/cryptolib/include -Ithird_party/lib/cryptolib/include -Ithird_party/ulib/qrcodegen/include -Ithird_party/lib/qrcodegen/include -c kernel/dev/intel_rng/intel-rng.c -MD -MP -MT build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.o -MF build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.d -o build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.o --save-temps

Compiler console output: None
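
The failure reported above (CF overwritten between rdseed and the instruction that reads it) can be looked for in binaries that are already built. The scanner below is an added example, not part of this report or of GCC: it walks objdump -d text and classifies each rdseed/rdrand by the first later instruction that reads or overwrites CF. The listing, function names and addresses are constructed, the instruction tables cover common cases only, and the scan follows straight-line code without tracing branches.

```python
import re

# Instructions that read CF, spelled as objdump prints them (setc -> setb, jc -> jb).
CF_READERS = {"setb", "setae", "jb", "jae", "cmovb", "cmovae", "adc", "sbb",
              "seta", "setbe", "ja", "jbe", "cmova", "cmovbe"}
# Common instructions that overwrite CF (mov, movz*, lea, inc and dec do not).
CF_WRITERS = {"test", "cmp", "add", "sub", "and", "or", "xor", "neg", "shl", "sal",
              "shr", "sar", "rol", "ror", "imul", "mul", "bt", "rdseed", "rdrand"}
STOP = {"jmp", "call", "ret"}  # end of the straight-line path that is followed
# Address, optional raw-byte column, then the mnemonic.
LINE = re.compile(r"\s*([0-9a-f]+):\t(?:[0-9a-f ]+\t)?\s*(\S+)")

def is_in(mnemonic, table):
    """Table lookup that tolerates an AT&T size suffix (testl -> test)."""
    return mnemonic in table or (mnemonic[-1] in "bwlq" and mnemonic[:-1] in table)

def audit(listing):
    """Return (address, verdict, deciding instruction) for each rdseed/rdrand."""
    # One (address, mnemonic) per instruction line; None for labels and blank lines.
    insns = [m.groups() if m else None
             for m in map(LINE.match, listing.splitlines())]
    findings = []
    for i, cur in enumerate(insns):
        if cur is None or not cur[1].startswith(("rdseed", "rdrand")):
            continue
        verdict, why = "unconsumed", None
        for nxt in insns[i + 1:]:
            if nxt is None or is_in(nxt[1], STOP):
                break
            reads = is_in(nxt[1], CF_READERS)
            if reads or is_in(nxt[1], CF_WRITERS):
                verdict, why = ("ok" if reads else "clobbered"), nxt
                break
        findings.append((cur[0], verdict, why))
    return findings

# Constructed listing in "objdump -d --no-show-raw-insn" layout, not the attachment.
SAMPLE = ("0000000000001000 <bad_seed>:\n"
          "    1000:\trdseed %rax\n"
          "    1004:\ttest   %r8d,%r8d\n"
          "    1007:\tsetb   %al\n"
          "0000000000001010 <good_seed>:\n"
          "    1010:\trdseed %rax\n"
          "    1014:\tmov    %rax,(%rdi)\n"
          "    1017:\tsetb   %al\n"
          "    101a:\tret\n")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "clobbered" or "unconsumed" verdict marks a call site to inspect by hand and rebuild with a fixed compiler.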

Comment 1 uros 2017-03-25 16:34:41 UTC
Author: uros
Date: Sat Mar 25 16:34:09 2017
New Revision: 246475

URL: https://gcc.gnu.org/viewcvs?rev=246475&root=gcc&view=rev
Log:
	PR target/80180
	* config/i386/i386.c (ix86_expand_builtin)
	<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between
	flags reg setting and flags reg using instructions.
	<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto.  Use non-flags reg
	clobbering instructions to zero extend op2.


Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/i386/i386.c

Comment 2 uros 2017-03-25 18:11:10 UTC
Author: uros
Date: Sat Mar 25 18:10:37 2017
New Revision: 246477

URL: https://gcc.gnu.org/viewcvs?rev=246477&root=gcc&view=rev
Log:
	PR target/80180
	* config/i386/i386.c (ix86_expand_builtin)
	<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between
	flags reg setting and flags reg using instructions.
	<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto.  Use non-flags reg
	clobbering instructions to zero extend op2.


Modified:
    branches/gcc-6-branch/gcc/ChangeLog
    branches/gcc-6-branch/gcc/config/i386/i386.c

Comment 3 uros 2017-03-25 19:47:46 UTC
Author: uros
Date: Sat Mar 25 19:47:14 2017
New Revision: 246479

URL: https://gcc.gnu.org/viewcvs?rev=246479&root=gcc&view=rev
Log:
	PR target/80180
	* config/i386/i386.c (ix86_expand_builtin)
	<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between
	flags reg setting and flags reg using instructions.
	<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto.  Use non-flags reg
	clobbering instructions to zero extend op2.


Modified:
    branches/gcc-5-branch/gcc/ChangeLog
    branches/gcc-5-branch/gcc/config/i386/i386.c

Comment 4 Uroš Bizjak 2017-03-25 19:48:50 UTC
Fixed everywhere.

Comment 5 Florian Weimer 2017-07-26 20:30:36 UTC
Patch was posted here: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html