| Field | Value |
|---|---|
| Summary | Incorrect codegen from rdseed intrinsic use (CVE-2017-11671) |
| Product | gcc |
| Component | target |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P3 |
| Version | 6.2.0 |
| Target Milestone | 5.5 |
| URL | https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html |
| Target | x86_64-elf |
| Reporter | Todd Eisenberger <teisenbe> |
| Assignee | Uroš Bizjak <ubizjak> |
| CC | fw, roland |
| Attachments | Preprocessed source file |
Author: uros
Date: Sat Mar 25 16:34:09 2017
New Revision: 246475
URL: https://gcc.gnu.org/viewcvs?rev=246475&root=gcc&view=rev

Log:
PR target/80180
* config/i386/i386.c (ix86_expand_builtin)
<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between flags reg setting and flags reg using instructions.
<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto. Use non-flags reg clobbering instructions to zero extend op2.

Modified:
trunk/gcc/ChangeLog
trunk/gcc/config/i386/i386.c

Author: uros
Date: Sat Mar 25 18:10:37 2017
New Revision: 246477
URL: https://gcc.gnu.org/viewcvs?rev=246477&root=gcc&view=rev

Log:
PR target/80180
* config/i386/i386.c (ix86_expand_builtin)
<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between flags reg setting and flags reg using instructions.
<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto. Use non-flags reg clobbering instructions to zero extend op2.

Modified:
branches/gcc-6-branch/gcc/ChangeLog
branches/gcc-6-branch/gcc/config/i386/i386.c

Author: uros
Date: Sat Mar 25 19:47:14 2017
New Revision: 246479
URL: https://gcc.gnu.org/viewcvs?rev=246479&root=gcc&view=rev

Log:
PR target/80180
* config/i386/i386.c (ix86_expand_builtin)
<IX86_BUILTIN_RDSEED{16,32,64}_STEP>: Do not expand arg0 between flags reg setting and flags reg using instructions.
<IX86_BUILTIN_RDRAND{16,32,64}_STEP>: Ditto. Use non-flags reg clobbering instructions to zero extend op2.

Modified:
branches/gcc-5-branch/gcc/ChangeLog
branches/gcc-5-branch/gcc/config/i386/i386.c

Fixed everywhere. Patch was posted here: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html
Created attachment 41051: Preprocessed source file

When the attached source is compiled, the resulting assembly improperly handles the success bit (CF) for rdseed. The instruction immediately following "rdseed %rax" is "testl %r8d, r8d", which clears CF. The debug information does identify the "setc" that should follow rdseed, but it is nowhere near the rdseed instruction.

gcc -v output:

    Using built-in specs.
    COLLECT_GCC=./prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/x86_64-elf-gcc
    COLLECT_LTO_WRAPPER=/home/teisenbe/src/magenta/magenta/prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/../libexec/gcc/x86_64-elf/6.2.0/lto-wrapper
    Target: x86_64-elf
    Configured with: ../gcc-6.2.0/configure --with-included-gettext --target=x86_64-elf --prefix=/home/phosek/fuchsia/third_party/gcc_none_toolchains/x86_64-elf-6.2.0-Linux-x86_64 --enable-languages=c,c++ --disable-werror --enable-initfini-array
    Thread model: single
    gcc version 6.2.0 (GCC)

Command used to generate:

    ./prebuilt/downloads/x86_64-elf-6.2.0-Linux-x86_64/bin/x86_64-elf-gcc -O2 -g -finline -include ./build-magenta-pc-x86-64/config-global.h -Wall -Wextra -Wno-multichar -Werror -Wno-error=deprecated-declarations -Wno-unused-parameter -Wno-unused-function -Wno-unused-label -Werror=return-type -fno-common -Wno-nonnull-compare -fasynchronous-unwind-tables -ffunction-sections -fdata-sections -fno-pic -ffreestanding -include ./build-magenta-pc-x86-64/config-kernel.h -Wformat=2 -Wformat-signedness -fno-omit-frame-pointer -falign-jumps=1 -falign-loops=1 -falign-functions=4 -msoft-float -mno-mmx -mno-sse -mno-sse2 -mno-3dnow -mno-avx -mno-avx2 -mno-80387 -mno-fp-ret-in-387 -mcmodel=kernel -mno-red-zone -mskip-rax-setup -mrdseed --include ./build-magenta-pc-x86-64/dev/intel_rng/config-module.h --std=c11 -Werror-implicit-function-declaration -Wstrict-prototypes -Wwrite-strings -Wmissing-prototypes -Isystem/public -Isystem/private -I./build-magenta-pc-x86-64/gen/include -I./build-magenta-pc-x86-64 -Ikernel/include -Isystem/include -Ithird_party/include -Ikernel/target/pc-x86/include -Ikernel/platform/pc/include -Ikernel/arch/x86/include -Ikernel/top/include -Ikernel/kernel/include -Ikernel/app/include -Ikernel/app/stringtests/include -Ikernel/app/tests/include -Ikernel/dev/include -Ikernel/dev/intel_rng/include -Ikernel/dev/interrupt/include -Ikernel/dev/pcie/include -Isystem/ulib/bitmap/include -Ikernel/lib/bitmap/include -Ikernel/lib/cbuf/include -Ikernel/lib/debugcommands/include -Ikernel/lib/debuglog/include -Ikernel/lib/fixed_point/include -Ikernel/lib/gfxconsole/include -Ikernel/lib/ktrace/include -Ikernel/lib/mtrace/include -Ikernel/lib/pow2_range_allocator/include -Ikernel/lib/syscalls/include -Ikernel/lib/userboot/include -Ikernel/lib/version/include -Ikernel/platform/include -Ikernel/target/include -Ithird_party/lib/acpica/source/include -Ithird_party/lib/acpica/include -Ikernel/dev/hw_rng/include -Ikernel/kernel/vm/include -Ikernel/lib/console/include -Ikernel/lib/crypto/include -Ikernel/lib/debug/include -Ikernel/lib/font/include -Ikernel/lib/gfx/include -Ikernel/lib/header_tests/include -Ikernel/lib/heap/include -Ikernel/lib/heap/include -Ikernel/lib/libc/include -Ikernel/lib/magenta/include -Ikernel/lib/mxtl/include -Isystem/ulib/mxtl/include -Ikernel/lib/mxtl/include -Isystem/ulib/region-alloc/include -Ikernel/lib/region-alloc/include -Ikernel/lib/unittest/include -Ikernel/lib/user_copy/include -Ikernel/lib/vdso/include -Ithird_party/lib/safeint/source/include -Ithird_party/lib/safeint/include -Ikernel/dev/udisplay/include -Ikernel/lib/dpc/include -Ikernel/lib/heap/cmpctmalloc/include -Ikernel/lib/io/include -Ithird_party/ulib/cryptolib/include -Ithird_party/lib/cryptolib/include -Ithird_party/ulib/qrcodegen/include -Ithird_party/lib/qrcodegen/include -c kernel/dev/intel_rng/intel-rng.c -MD -MP -MT build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.o -MF build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.d -o build-magenta-pc-x86-64/dev/intel_rng/kernel/dev/intel_rng/intel-rng.c.o --save-temps

Compiler console output: None
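The hazard the report describes is that the compiler scheduled a flag-clobbering `testl` between `rdseed` and the `setc` that was meant to capture CF, so a caller could read a failed step as a success. The following is an added example, not code from the bug report, from GCC or from the Magenta kernel the reporter was building. It shows the defensive pattern a caller can use independently of the compiler fix: keep `rdseed` and `setc` in one asm statement so nothing can be scheduled between the flag-setting and flag-reading instructions, and treat a step that reports failure as a failure rather than as entropy (on failure the CPU clears CF and zeroes the destination register, so the "value" is 0). The names `cpu_has_rdseed`, `rdseed64_step_asm`, `rdseed_fill`, `fake_reset` and `fake_step` are my own; `fake_step` and its counter values are constructed test data that stand in for the hardware so the retry logic can be exercised offline. The CPUID check uses leaf 7, sub-leaf 0, EBX bit 18, the architected RDSEED feature bit. The retry wrapper generalises beyond the single-step intrinsic in the report to filling a whole buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* One hardware-seed step.  Returns 1 when the DRNG delivered a value (CF set)
 * and 0 when no seed was ready (CF clear; the CPU has then zeroed the
 * destination register, so *out holds 0, not entropy). */
typedef int (*seed_step_fn)(uint64_t *out);

#if defined(__x86_64__)
/* CPUID leaf 7, sub-leaf 0, EBX bit 18 advertises RDSEED. */
int cpu_has_rdseed(void)
{
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ebx >> 18) & 1u);
}

/* rdseed and setc are emitted from one asm statement, so the compiler cannot
 * place a flag-clobbering instruction (such as the testl in the report)
 * between the instruction that sets CF and the one that reads it. */
int rdseed64_step_asm(uint64_t *out)
{
    uint64_t val;
    unsigned char ok;
    __asm__ volatile("rdseed %0\n\t"
                     "setc %1"
                     : "=r"(val), "=q"(ok)
                     :
                     : "cc");
    *out = val;
    return ok;
}
#else
/* Non-x86-64 build: no RDSEED, every step reports failure. */
int cpu_has_rdseed(void) { return 0; }
int rdseed64_step_asm(uint64_t *out) { *out = 0; return 0; }
#endif

/* Fill buf[0..n) with seeds, retrying each word up to max_tries times.
 * A word that never succeeds is a hard failure: the buffer is wiped and -1
 * returned, so the zeroed register from a failed step is never handed to the
 * caller as if it were random. */
int rdseed_fill(uint64_t *buf, size_t n, int max_tries, seed_step_fn step)
{
    for (size_t i = 0; i < n; i++) {
        int got = 0;
        for (int t = 0; t < max_tries && !got; t++)
            got = step(&buf[i]);
        if (!got) {
            memset(buf, 0, n * sizeof buf[0]);
            return -1;
        }
    }
    return 0;
}

/* Constructed stand-in for the hardware step (hypothetical, for offline
 * testing only, not a random source): fails for the first `failures` calls
 * after fake_reset(), zeroing the output as the CPU does, then returns
 * recognisable counter values. */
static int fake_failures_left;
static uint64_t fake_counter;

void fake_reset(int failures)
{
    fake_failures_left = failures;
    fake_counter = 0;
}

int fake_step(uint64_t *out)
{
    if (fake_failures_left > 0) {
        fake_failures_left--;
        *out = 0;
        return 0;
    }
    *out = 0xC0FFEE00ULL + fake_counter++;
    return 1;
}

int main(void)
{
    uint64_t seeds[4];
    if (!cpu_has_rdseed()) {
        puts("RDSEED not available on this CPU; skipping hardware path");
        return 0;
    }
    if (rdseed_fill(seeds, 4, 10, rdseed64_step_asm) != 0) {
        puts("RDSEED kept failing; report an error, not zero entropy");
        return 1;
    }
    for (int i = 0; i < 4; i++)
        printf("seed[%d] = 0x%016llx\n", i, (unsigned long long)seeds[i]);
    return 0;
}
```

The inline-asm form needs no `-mrdseed`, only an assembler that knows the mnemonic, which is why it was a practical workaround for affected GCC 5 and 6 toolchains; after the fix in the commits above the `_rdseed64_step` intrinsic is equivalent, but the retry-and-fail-hard wrapper is still needed, because RDSEED legitimately reports "no seed ready" under load.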