From c616bfc69cc360d3b8c8e635e0306eb0835fd4e6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 08 2022 06:55:13 +0000 Subject: import gcc-8.5.0-15.el8 --- diff --git a/SOURCES/gcc8-harden-1.patch b/SOURCES/gcc8-harden-1.patch new file mode 100644 index 0000000..a325c09 --- /dev/null +++ b/SOURCES/gcc8-harden-1.patch @@ -0,0 +1,294 @@ +From 88bf1c3910e4cf97dcb85c6d32291c23e572a516 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 27 Oct 2021 07:48:54 -0700 +Subject: [PATCH 1/4] x86: Add -mharden-sls=[none|all|return|indirect-branch] + +Add -mharden-sls= to mitigate against straight line speculation (SLS) +for function return and indirect branch by adding an INT3 instruction +after function return and indirect branch. + +gcc/ + + PR target/102952 + * config/i386/i386-opts.h (harden_sls): New enum. + * config/i386/i386.c (output_indirect_thunk): Mitigate against + SLS for function return. + (ix86_output_function_return): Likewise. + (ix86_output_jmp_thunk_or_indirect): Mitigate against indirect + branch. + (ix86_output_indirect_jmp): Likewise. + (ix86_output_call_insn): Likewise. + * config/i386/i386.opt: Add -mharden-sls=. + * doc/invoke.texi: Document -mharden-sls=. + +gcc/testsuite/ + + PR target/102952 + * gcc.target/i386/harden-sls-1.c: New test. + * gcc.target/i386/harden-sls-2.c: Likewise. + * gcc.target/i386/harden-sls-3.c: Likewise. + * gcc.target/i386/harden-sls-4.c: Likewise. + * gcc.target/i386/harden-sls-5.c: Likewise. + +(cherry picked from commit 53a643f8568067d7700a9f2facc8ba39974973d3) +--- + gcc/config/i386/i386-opts.h | 7 +++++++ + gcc/config/i386/i386.c | 22 +++++++++++++++----- + gcc/config/i386/i386.opt | 20 ++++++++++++++++++ + gcc/doc/invoke.texi | 10 ++++++++- + gcc/testsuite/gcc.target/i386/harden-sls-1.c | 14 +++++++++++++ + gcc/testsuite/gcc.target/i386/harden-sls-2.c | 14 +++++++++++++ + gcc/testsuite/gcc.target/i386/harden-sls-3.c | 14 +++++++++++++ + gcc/testsuite/gcc.target/i386/harden-sls-4.c | 16 ++++++++++++++ + gcc/testsuite/gcc.target/i386/harden-sls-5.c | 17 +++++++++++++++ + 9 files changed, 128 insertions(+), 6 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-1.c + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-2.c + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-3.c + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-4.c + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-5.c + +diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h +index 46366cbfa72..34718b6d52c 100644 +--- a/gcc/config/i386/i386-opts.h ++++ b/gcc/config/i386/i386-opts.h +@@ -119,4 +119,11 @@ enum indirect_branch { + indirect_branch_thunk_extern + }; + ++enum harden_sls { ++ harden_sls_none = 0, ++ harden_sls_return = 1 << 0, ++ harden_sls_indirect_branch = 1 << 1, ++ harden_sls_all = harden_sls_return | harden_sls_indirect_branch ++}; ++ + #endif +diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c +index 31502774ef3..eb9303f8742 100644 +--- a/gcc/config/i386/i386.c ++++ b/gcc/config/i386/i386.c +@@ -10977,6 +10977,9 @@ output_indirect_thunk (enum indirect_thunk_prefix need_prefix, + fputs ("\tbnd ret\n", asm_out_file); + else + fputs ("\tret\n", asm_out_file); ++ ++ if ((ix86_harden_sls & harden_sls_return)) ++ fputs ("\tint3\n", asm_out_file); + } + + /* Output a funtion with a call and return thunk for indirect branch. +@@ -28728,6 +28731,8 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, + fprintf (asm_out_file, "\tjmp\t"); + assemble_name (asm_out_file, thunk_name); + putc ('\n', asm_out_file); ++ if ((ix86_harden_sls & harden_sls_indirect_branch)) ++ fputs ("\tint3\n", asm_out_file); + } + else + output_indirect_thunk (need_prefix, regno); +@@ -28973,10 +28978,10 @@ ix86_output_indirect_jmp (rtx call_op) + gcc_unreachable (); + + ix86_output_indirect_branch (call_op, "%0", true); +- return ""; + } + else +- return "%!jmp\t%A0"; ++ output_asm_insn ("%!jmp\t%A0", &call_op); ++ return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : ""; + } + + /* Output function return. CALL_OP is the jump target. Add a REP +@@ -29018,9 +29023,11 @@ ix86_output_function_return (bool long_p) + } + + if (!long_p || ix86_bnd_prefixed_insn_p (current_output_insn)) +- return "%!ret"; ++ output_asm_insn ("%!ret", NULL); ++ else ++ output_asm_insn ("rep%; ret", NULL); + +- return "rep%; ret"; ++ return (ix86_harden_sls & harden_sls_return) ? "int3" : ""; + } + + /* Output indirect function return. RET_OP is the function return +@@ -29158,7 +29165,12 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op) + if (output_indirect_p && !direct_p) + ix86_output_indirect_branch (call_op, xasm, true); + else +- output_asm_insn (xasm, &call_op); ++ { ++ output_asm_insn (xasm, &call_op); ++ if (!direct_p ++ && (ix86_harden_sls & harden_sls_indirect_branch)) ++ return "int3"; ++ } + return ""; + } + +diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt +index d9bd909a885..3ae48609e25 100644 +--- a/gcc/config/i386/i386.opt ++++ b/gcc/config/i386/i386.opt +@@ -1055,3 +1055,23 @@ Support MOVDIRI built-in functions and code generation. + mmovdir64b + Target Report Mask(ISA_MOVDIR64B) Var(ix86_isa_flags2) Save + Support MOVDIR64B built-in functions and code generation. ++ ++mharden-sls= ++Target RejectNegative Joined Enum(harden_sls) Var(ix86_harden_sls) Init(harden_sls_none) ++Generate code to mitigate against straight line speculation. ++ ++Enum ++Name(harden_sls) Type(enum harden_sls) ++Known choices for mitigation against straight line speculation with -mharden-sls=: ++ ++EnumValue ++Enum(harden_sls) String(none) Value(harden_sls_none) ++ ++EnumValue ++Enum(harden_sls) String(return) Value(harden_sls_return) ++ ++EnumValue ++Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch) ++ ++EnumValue ++Enum(harden_sls) String(all) Value(harden_sls_all) +diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi +index 78ca7738df2..1e20efd6969 100644 +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -1284,7 +1284,7 @@ See RS/6000 and PowerPC Options. + -mstack-protector-guard-symbol=@var{symbol} -mmitigate-rop @gol + -mgeneral-regs-only -mcall-ms2sysv-xlogues @gol + -mindirect-branch=@var{choice} -mfunction-return=@var{choice} @gol +--mindirect-branch-register} ++-mindirect-branch-register -mharden-sls=@var{choice}} + + @emph{x86 Windows Options} + @gccoptlist{-mconsole -mcygwin -mno-cygwin -mdll @gol +@@ -28036,6 +28036,14 @@ not be reachable in the large code model. + @opindex -mindirect-branch-register + Force indirect call and jump via register. + ++@item -mharden-sls=@var{choice} ++@opindex mharden-sls ++Generate code to mitigate against straight line speculation (SLS) with ++@var{choice}. The default is @samp{none} which disables all SLS ++hardening. @samp{return} enables SLS hardening for function return. ++@samp{indirect-branch} enables SLS hardening for indirect branch. ++@samp{all} enables all SLS hardening. ++ + @end table + + These @samp{-m} switches are supported in addition to the above +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-1.c b/gcc/testsuite/gcc.target/i386/harden-sls-1.c +new file mode 100644 +index 00000000000..6f70dc94a23 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-1.c +@@ -0,0 +1,14 @@ ++/* { dg-do compile } */ ++/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void foo (void); ++ ++void ++bar (void) ++{ ++ foo (); ++} ++ ++/* { dg-final { scan-assembler "jmp\[ \t\]+_?foo" } } */ ++/* { dg-final { scan-assembler-not {int3} } } */ +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-2.c b/gcc/testsuite/gcc.target/i386/harden-sls-2.c +new file mode 100644 +index 00000000000..a7c59078d03 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-2.c +@@ -0,0 +1,14 @@ ++/* { dg-do compile } */ ++/* { dg-options "-O2 -mindirect-branch=thunk-extern -mharden-sls=all" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void (*fptr) (void); ++ ++void ++foo (void) ++{ ++ fptr (); ++} ++ ++/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */ ++/* { dg-final { scan-assembler-times "int3" 1 } } */ +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-3.c b/gcc/testsuite/gcc.target/i386/harden-sls-3.c +new file mode 100644 +index 00000000000..1a6056b6d7b +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-3.c +@@ -0,0 +1,14 @@ ++/* { dg-do compile } */ ++/* { dg-options "-O2 -mindirect-branch=thunk -mharden-sls=all" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void (*fptr) (void); ++ ++void ++foo (void) ++{ ++ fptr (); ++} ++ ++/* { dg-final { scan-assembler "jmp\[ \t\]+_?__x86_indirect_thunk_(r|e)ax" } } */ ++/* { dg-final { scan-assembler-times "int3" 2 } } */ +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-4.c b/gcc/testsuite/gcc.target/i386/harden-sls-4.c +new file mode 100644 +index 00000000000..f70dd1379d3 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-4.c +@@ -0,0 +1,16 @@ ++/* { dg-do compile } */ ++/* { dg-options "-O2 -mindirect-branch=keep -mharden-sls=all" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void (*fptr) (void); ++ ++void ++foo (void) ++{ ++ fptr (); ++} ++ ++/* { dg-final { scan-assembler "jmp\[ \t\]+\\*_?fptr" { target { ! x32 } } } } */ ++/* { dg-final { scan-assembler "movl\[ \t\]+fptr\\(%rip\\), %eax" { target x32 } } } */ ++/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rax" { target x32 } } } */ ++/* { dg-final { scan-assembler-times "int3" 1 } } */ +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-5.c b/gcc/testsuite/gcc.target/i386/harden-sls-5.c +new file mode 100644 +index 00000000000..613c44c6f82 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-5.c +@@ -0,0 +1,17 @@ ++/* { dg-do compile } */ ++/* { dg-options "-O2 -mno-indirect-branch-register -mfunction-return=keep -mindirect-branch=thunk-extern -mharden-sls=return" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++typedef void (*dispatch_t)(long offset); ++ ++dispatch_t dispatch; ++ ++int ++male_indirect_jump (long offset) ++{ ++ dispatch(offset); ++ return 0; ++} ++ ++/* { dg-final { scan-assembler-times "ret" 1 } } */ ++/* { dg-final { scan-assembler-times "int3" 1 } } */ +-- +2.36.1 + diff --git a/SOURCES/gcc8-harden-2.patch b/SOURCES/gcc8-harden-2.patch new file mode 100644 index 0000000..669c11f --- /dev/null +++ b/SOURCES/gcc8-harden-2.patch @@ -0,0 +1,155 @@ +From 0df8313a0a5d8533f2487e21d7b42e9adee28f18 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 27 Oct 2021 06:27:15 -0700 +Subject: [PATCH 2/4] x86: Add -mindirect-branch-cs-prefix + +Add -mindirect-branch-cs-prefix to add CS prefix to call and jmp to +indirect thunk with branch target in r8-r15 registers so that the call +and jmp instruction length is 6 bytes to allow them to be replaced with +"lfence; call *%r8-r15" or "lfence; jmp *%r8-r15" at run-time. + +gcc/ + + PR target/102952 + * config/i386/i386.c (ix86_output_jmp_thunk_or_indirect): Emit + CS prefix for -mindirect-branch-cs-prefix. + (ix86_output_indirect_branch_via_reg): Likewise. + * config/i386/i386.opt: Add -mindirect-branch-cs-prefix. + * doc/invoke.texi: Document -mindirect-branch-cs-prefix. + +gcc/testsuite/ + + PR target/102952 + * gcc.target/i386/indirect-thunk-cs-prefix-1.c: New test. + * gcc.target/i386/indirect-thunk-cs-prefix-2.c: Likewise. + +(cherry picked from commit 2196a681d7810ad8b227bf983f38ba716620545e) +--- + gcc/config/i386/i386.c | 14 ++++++++++++-- + gcc/config/i386/i386.opt | 4 ++++ + gcc/doc/invoke.texi | 10 +++++++++- + .../gcc.target/i386/indirect-thunk-cs-prefix-1.c | 14 ++++++++++++++ + .../gcc.target/i386/indirect-thunk-cs-prefix-2.c | 15 +++++++++++++++ + 5 files changed, 54 insertions(+), 3 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c + create mode 100644 gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c + +diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c +index eb9303f8742..8442dd0daea 100644 +--- a/gcc/config/i386/i386.c ++++ b/gcc/config/i386/i386.c +@@ -28728,7 +28728,12 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, + if (need_prefix == indirect_thunk_prefix_bnd) + fprintf (asm_out_file, "\tbnd jmp\t"); + else +- fprintf (asm_out_file, "\tjmp\t"); ++ { ++ if (REX_INT_REGNO_P (regno) ++ && ix86_indirect_branch_cs_prefix) ++ fprintf (asm_out_file, "\tcs\n"); ++ fprintf (asm_out_file, "\tjmp\t"); ++ } + assemble_name (asm_out_file, thunk_name); + putc ('\n', asm_out_file); + if ((ix86_harden_sls & harden_sls_indirect_branch)) +@@ -28787,7 +28792,12 @@ ix86_output_indirect_branch_via_reg (rtx call_op, bool sibcall_p) + if (need_prefix == indirect_thunk_prefix_bnd) + fprintf (asm_out_file, "\tbnd call\t"); + else +- fprintf (asm_out_file, "\tcall\t"); ++ { ++ if (REX_INT_REGNO_P (regno) ++ && ix86_indirect_branch_cs_prefix) ++ fprintf (asm_out_file, "\tcs\n"); ++ fprintf (asm_out_file, "\tcall\t"); ++ } + assemble_name (asm_out_file, thunk_name); + putc ('\n', asm_out_file); + return; +diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt +index 3ae48609e25..9f67ef558dc 100644 +--- a/gcc/config/i386/i386.opt ++++ b/gcc/config/i386/i386.opt +@@ -1044,6 +1044,10 @@ Enum(indirect_branch) String(thunk-inline) Value(indirect_branch_thunk_inline) + EnumValue + Enum(indirect_branch) String(thunk-extern) Value(indirect_branch_thunk_extern) + ++mindirect-branch-cs-prefix ++Target Var(ix86_indirect_branch_cs_prefix) Init(0) ++Add CS prefix to call and jmp to indirect thunk with branch target in r8-r15 registers. ++ + mindirect-branch-register + Target Report Var(ix86_indirect_branch_register) Init(0) + Force indirect call and jump via register. +diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi +index 1e20efd6969..605cd4b93f1 100644 +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -1284,7 +1284,8 @@ See RS/6000 and PowerPC Options. + -mstack-protector-guard-symbol=@var{symbol} -mmitigate-rop @gol + -mgeneral-regs-only -mcall-ms2sysv-xlogues @gol + -mindirect-branch=@var{choice} -mfunction-return=@var{choice} @gol +--mindirect-branch-register -mharden-sls=@var{choice}} ++-mindirect-branch-register -mharden-sls=@var{choice} @gol ++-mindirect-branch-cs-prefix} + + @emph{x86 Windows Options} + @gccoptlist{-mconsole -mcygwin -mno-cygwin -mdll @gol +@@ -28044,6 +28045,13 @@ hardening. @samp{return} enables SLS hardening for function return. + @samp{indirect-branch} enables SLS hardening for indirect branch. + @samp{all} enables all SLS hardening. + ++@item -mindirect-branch-cs-prefix ++@opindex mindirect-branch-cs-prefix ++Add CS prefix to call and jmp to indirect thunk with branch target in ++r8-r15 registers so that the call and jmp instruction length is 6 bytes ++to allow them to be replaced with @samp{lfence; call *%r8-r15} or ++@samp{lfence; jmp *%r8-r15} at run-time. ++ + @end table + + These @samp{-m} switches are supported in addition to the above +diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c +new file mode 100644 +index 00000000000..db2f3416823 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-1.c +@@ -0,0 +1,14 @@ ++/* { dg-do compile { target { ! ia32 } } } */ ++/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void (*fptr) (void); ++ ++void ++foo (void) ++{ ++ fptr (); ++} ++ ++/* { dg-final { scan-assembler-times "jmp\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */ ++/* { dg-final { scan-assembler-times "\tcs" 1 } } */ +diff --git a/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c +new file mode 100644 +index 00000000000..adfc39a49d4 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/indirect-thunk-cs-prefix-2.c +@@ -0,0 +1,15 @@ ++/* { dg-do compile { target { ! ia32 } } } */ ++/* { dg-options "-O2 -ffixed-rax -ffixed-rbx -ffixed-rcx -ffixed-rdx -ffixed-rdi -ffixed-rsi -mindirect-branch-cs-prefix -mindirect-branch=thunk-extern" } */ ++/* { dg-additional-options "-fno-pic" { target { ! *-*-darwin* } } } */ ++ ++extern void (*bar) (void); ++ ++int ++foo (void) ++{ ++ bar (); ++ return 0; ++} ++ ++/* { dg-final { scan-assembler-times "call\[ \t\]+_?__x86_indirect_thunk_r\[0-9\]+" 1 } } */ ++/* { dg-final { scan-assembler-times "\tcs" 1 } } */ +-- +2.36.1 + diff --git a/SOURCES/gcc8-harden-3.patch b/SOURCES/gcc8-harden-3.patch new file mode 100644 index 0000000..ecb643a --- /dev/null +++ b/SOURCES/gcc8-harden-3.patch @@ -0,0 +1,108 @@ +From 621de498ee19e1f2642eebde707430254c0459c0 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 5 Jan 2022 16:33:16 -0800 +Subject: [PATCH 3/4] x86: Rename -harden-sls=indirect-branch to + -harden-sls=indirect-jmp + +Indirect branch also includes indirect call instructions. Rename +-harden-sls=indirect-branch to -harden-sls=indirect-jmp to match its +intended behavior. + + PR target/102952 + * config/i386/i386-opts.h (harden_sls): Replace + harden_sls_indirect_branch with harden_sls_indirect_jmp. + * config/i386/i386.c (ix86_output_jmp_thunk_or_indirect): + Likewise. + (ix86_output_indirect_jmp): Likewise. + (ix86_output_call_insn): Likewise. + * config/i386/i386.opt: Replace indirect-branch with + indirect-jmp. Replace harden_sls_indirect_branch with + harden_sls_indirect_jmp. + * doc/invoke.texi (-harden-sls=): Replace indirect-branch with + indirect-jmp. + +(cherry picked from commit ed8060950c64f2e449aaf90e438aa26d0d9d0b31) +--- + gcc/config/i386/i386-opts.h | 4 ++-- + gcc/config/i386/i386.c | 6 +++--- + gcc/config/i386/i386.opt | 2 +- + gcc/doc/invoke.texi | 4 ++-- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/gcc/config/i386/i386-opts.h b/gcc/config/i386/i386-opts.h +index 34718b6d52c..47facc254cd 100644 +--- a/gcc/config/i386/i386-opts.h ++++ b/gcc/config/i386/i386-opts.h +@@ -122,8 +122,8 @@ enum indirect_branch { + enum harden_sls { + harden_sls_none = 0, + harden_sls_return = 1 << 0, +- harden_sls_indirect_branch = 1 << 1, +- harden_sls_all = harden_sls_return | harden_sls_indirect_branch ++ harden_sls_indirect_jmp = 1 << 1, ++ harden_sls_all = harden_sls_return | harden_sls_indirect_jmp + }; + + #endif +diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c +index 8442dd0daea..3bc14e20105 100644 +--- a/gcc/config/i386/i386.c ++++ b/gcc/config/i386/i386.c +@@ -28736,7 +28736,7 @@ ix86_output_jmp_thunk_or_indirect (const char *thunk_name, + } + assemble_name (asm_out_file, thunk_name); + putc ('\n', asm_out_file); +- if ((ix86_harden_sls & harden_sls_indirect_branch)) ++ if ((ix86_harden_sls & harden_sls_indirect_jmp)) + fputs ("\tint3\n", asm_out_file); + } + else +@@ -28991,7 +28991,7 @@ ix86_output_indirect_jmp (rtx call_op) + } + else + output_asm_insn ("%!jmp\t%A0", &call_op); +- return (ix86_harden_sls & harden_sls_indirect_branch) ? "int3" : ""; ++ return (ix86_harden_sls & harden_sls_indirect_jmp) ? "int3" : ""; + } + + /* Output function return. CALL_OP is the jump target. Add a REP +@@ -29178,7 +29178,7 @@ ix86_output_call_insn (rtx_insn *insn, rtx call_op) + { + output_asm_insn (xasm, &call_op); + if (!direct_p +- && (ix86_harden_sls & harden_sls_indirect_branch)) ++ && (ix86_harden_sls & harden_sls_indirect_jmp)) + return "int3"; + } + return ""; +diff --git a/gcc/config/i386/i386.opt b/gcc/config/i386/i386.opt +index 9f67ef558dc..7a5c7b9369a 100644 +--- a/gcc/config/i386/i386.opt ++++ b/gcc/config/i386/i386.opt +@@ -1075,7 +1075,7 @@ EnumValue + Enum(harden_sls) String(return) Value(harden_sls_return) + + EnumValue +-Enum(harden_sls) String(indirect-branch) Value(harden_sls_indirect_branch) ++Enum(harden_sls) String(indirect-jmp) Value(harden_sls_indirect_jmp) + + EnumValue + Enum(harden_sls) String(all) Value(harden_sls_all) +diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi +index 605cd4b93f1..20d8e3fd782 100644 +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -28041,8 +28041,8 @@ Force indirect call and jump via register. + @opindex mharden-sls + Generate code to mitigate against straight line speculation (SLS) with + @var{choice}. The default is @samp{none} which disables all SLS +-hardening. @samp{return} enables SLS hardening for function return. +-@samp{indirect-branch} enables SLS hardening for indirect branch. ++hardening. @samp{return} enables SLS hardening for function returns. ++@samp{indirect-jmp} enables SLS hardening for indirect jumps. + @samp{all} enables all SLS hardening. + + @item -mindirect-branch-cs-prefix +-- +2.36.1 + diff --git a/SOURCES/gcc8-harden-4.patch b/SOURCES/gcc8-harden-4.patch new file mode 100644 index 0000000..648d543 --- /dev/null +++ b/SOURCES/gcc8-harden-4.patch @@ -0,0 +1,75 @@ +From 5a5e7890cefa112e95e1de9800d8081c2a38a1da Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 5 Jan 2022 18:04:21 -0800 +Subject: [PATCH 4/4] x86: Generate INT3 for __builtin_eh_return + +Generate INT3 after indirect jmp in exception return for -fcf-protection +with -mharden-sls=indirect-jmp. + +gcc/ + + PR target/103925 + * config/i386/i386.c (ix86_output_indirect_function_return): + Generate INT3 after indirect jmp for -mharden-sls=indirect-jmp. + +gcc/testsuite/ + + PR target/103925 + * gcc.target/i386/harden-sls-6.c: New test. + +(cherry picked from commit c2e5c4feed32c808591b5278f680bbabe63eb225) +--- + gcc/config/i386/i386.c | 9 ++++++--- + gcc/testsuite/gcc.target/i386/harden-sls-6.c | 18 ++++++++++++++++++ + 2 files changed, 24 insertions(+), 3 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/i386/harden-sls-6.c + +diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c +index 3bc14e20105..dbc3d462fda 100644 +--- a/gcc/config/i386/i386.c ++++ b/gcc/config/i386/i386.c +@@ -29083,11 +29083,14 @@ ix86_output_indirect_function_return (rtx ret_op) + } + else + output_indirect_thunk (need_prefix, regno); +- +- return ""; + } + else +- return "%!jmp\t%A0"; ++ { ++ output_asm_insn ("%!jmp\t%A0", &ret_op); ++ if (ix86_harden_sls & harden_sls_indirect_jmp) ++ fputs ("\tint3\n", asm_out_file); ++ } ++ return ""; + } + + /* Split simple return with popping POPC bytes from stack to indirect +diff --git a/gcc/testsuite/gcc.target/i386/harden-sls-6.c b/gcc/testsuite/gcc.target/i386/harden-sls-6.c +new file mode 100644 +index 00000000000..9068eb64008 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/i386/harden-sls-6.c +@@ -0,0 +1,18 @@ ++/* { dg-do compile { target { ! ia32 } } } */ ++/* { dg-options "-O2 -fcf-protection -mharden-sls=indirect-jmp" } */ ++ ++struct _Unwind_Context _Unwind_Resume_or_Rethrow_this_context; ++ ++void offset (int); ++ ++struct _Unwind_Context { ++ void *reg[7]; ++} _Unwind_Resume_or_Rethrow() { ++ struct _Unwind_Context cur_contextcur_context = ++ _Unwind_Resume_or_Rethrow_this_context; ++ offset(0); ++ __builtin_eh_return ((long) offset, 0); ++} ++ ++/* { dg-final { scan-assembler "jmp\[ \t\]+\\*%rcx" } } */ ++/* { dg-final { scan-assembler-times "int3" 1 } } */ +-- +2.36.1 + diff --git a/SOURCES/gcc8-rh2001788.patch b/SOURCES/gcc8-rh2001788.patch new file mode 100644 index 0000000..15f20be --- /dev/null +++ b/SOURCES/gcc8-rh2001788.patch @@ -0,0 +1,456 @@ +commit ee3db7c8f844556d35a66b3732bad9f44a086491 +Author: Jonathan Wakely +Date: Mon Sep 27 20:44:24 2021 +0100 + + libstdc++: Fix handling of invalid ranges in std::regex [PR102447] + + std::regex currently allows invalid bracket ranges such as [\w-a] which + are only allowed by ECMAScript when in web browser compatibility mode. + It should be an error, because the start of the range is a character + class, not a single character. The current implementation of + _Compiler::_M_expression_term does not provide a way to reject this, + because we only remember a previous character, not whether we just + processed a character class (or collating symbol etc.) + + This patch replaces the pair used to emulate + optional with a custom class closer to pair. That + allows us to track three states, so that we can tell when we've just + seen a character class. + + With this additional state the code in _M_expression_term for processing + the _S_token_bracket_dash can be improved to correctly reject the [\w-a] + case, without regressing for valid cases such as [\w-] and [----]. + + libstdc++-v3/ChangeLog: + + PR libstdc++/102447 + * include/bits/regex_compiler.h (_Compiler::_BracketState): New + class. + (_Compiler::_BrackeyMatcher): New alias template. + (_Compiler::_M_expression_term): Change pair + parameter to _BracketState. Process first character for + ECMAScript syntax as well as POSIX. + * include/bits/regex_compiler.tcc + (_Compiler::_M_insert_bracket_matcher): Pass _BracketState. + (_Compiler::_M_expression_term): Use _BracketState to store + state between calls. Improve handling of dashes in ranges. + * testsuite/28_regex/algorithms/regex_match/cstring_bracket_01.cc: + Add more tests for ranges containing dashes. Check invalid + ranges with character class at the beginning. + + (cherry picked from commit 7ce3c230edf6e498e125c805a6dd313bf87dc439) + +diff --git a/libstdc++-v3/include/bits/regex_compiler.h b/libstdc++-v3/include/bits/regex_compiler.h +index 7e5c2073554..2eb1c3f7863 100644 +--- a/libstdc++-v3/include/bits/regex_compiler.h ++++ b/libstdc++-v3/include/bits/regex_compiler.h +@@ -122,13 +122,45 @@ namespace __detail + void + _M_insert_bracket_matcher(bool __neg); + +- // Returns true if successfully matched one term and should continue. ++ // Cache of the last atom seen in a bracketed range expression. ++ struct _BracketState ++ { ++ enum class _Type : char { _None, _Char, _Class } _M_type = _Type::_None; ++ _CharT _M_char; ++ ++ void ++ set(_CharT __c) noexcept { _M_type = _Type::_Char; _M_char = __c; } ++ ++ _GLIBCXX_NODISCARD _CharT ++ get() const noexcept { return _M_char; } ++ ++ void ++ reset(_Type __t = _Type::_None) noexcept { _M_type = __t; } ++ ++ explicit operator bool() const noexcept ++ { return _M_type != _Type::_None; } ++ ++ // Previous token was a single character. ++ _GLIBCXX_NODISCARD bool ++ _M_is_char() const noexcept { return _M_type == _Type::_Char; } ++ ++ // Previous token was a character class, equivalent class, ++ // collating symbol etc. ++ _GLIBCXX_NODISCARD bool ++ _M_is_class() const noexcept { return _M_type == _Type::_Class; } ++ }; ++ ++ template ++ using _BracketMatcher ++ = std::__detail::_BracketMatcher<_TraitsT, __icase, __collate>; ++ ++ // Returns true if successfully parsed one term and should continue ++ // compiling a bracket expression. + // Returns false if the compiler should move on. + template + bool +- _M_expression_term(pair& __last_char, +- _BracketMatcher<_TraitsT, __icase, __collate>& +- __matcher); ++ _M_expression_term(_BracketState& __last_char, ++ _BracketMatcher<__icase, __collate>& __matcher); + + int + _M_cur_int_value(int __radix); +diff --git a/libstdc++-v3/include/bits/regex_compiler.tcc b/libstdc++-v3/include/bits/regex_compiler.tcc +index b1169428afb..5877d30ba52 100644 +--- a/libstdc++-v3/include/bits/regex_compiler.tcc ++++ b/libstdc++-v3/include/bits/regex_compiler.tcc +@@ -140,7 +140,8 @@ namespace __detail + return true; + if (this->_M_atom()) + { +- while (this->_M_quantifier()); ++ while (this->_M_quantifier()) ++ ; + return true; + } + return false; +@@ -410,7 +411,7 @@ namespace __detail + _M_insert_character_class_matcher() + { + __glibcxx_assert(_M_value.size() == 1); +- _BracketMatcher<_TraitsT, __icase, __collate> __matcher ++ _BracketMatcher<__icase, __collate> __matcher + (_M_ctype.is(_CtypeT::upper, _M_value[0]), _M_traits); + __matcher._M_add_character_class(_M_value, false); + __matcher._M_ready(); +@@ -424,25 +425,17 @@ namespace __detail + _Compiler<_TraitsT>:: + _M_insert_bracket_matcher(bool __neg) + { +- _BracketMatcher<_TraitsT, __icase, __collate> __matcher(__neg, _M_traits); +- pair __last_char; // Optional<_CharT> +- __last_char.first = false; +- if (!(_M_flags & regex_constants::ECMAScript)) +- { +- if (_M_try_char()) +- { +- __last_char.first = true; +- __last_char.second = _M_value[0]; +- } +- else if (_M_match_token(_ScannerT::_S_token_bracket_dash)) +- { +- __last_char.first = true; +- __last_char.second = '-'; +- } +- } +- while (_M_expression_term(__last_char, __matcher)); +- if (__last_char.first) +- __matcher._M_add_char(__last_char.second); ++ _BracketMatcher<__icase, __collate> __matcher(__neg, _M_traits); ++ _BracketState __last_char; ++ if (_M_try_char()) ++ __last_char.set(_M_value[0]); ++ else if (_M_match_token(_ScannerT::_S_token_bracket_dash)) ++ // Dash as first character is a normal character. ++ __last_char.set('-'); ++ while (_M_expression_term(__last_char, __matcher)) ++ ; ++ if (__last_char._M_is_char()) ++ __matcher._M_add_char(__last_char.get()); + __matcher._M_ready(); + _M_stack.push(_StateSeqT( + *_M_nfa, +@@ -453,27 +446,27 @@ namespace __detail + template + bool + _Compiler<_TraitsT>:: +- _M_expression_term(pair& __last_char, +- _BracketMatcher<_TraitsT, __icase, __collate>& __matcher) ++ _M_expression_term(_BracketState& __last_char, ++ _BracketMatcher<__icase, __collate>& __matcher) + { + if (_M_match_token(_ScannerT::_S_token_bracket_end)) + return false; + ++ // Add any previously cached char into the matcher and update cache. + const auto __push_char = [&](_CharT __ch) + { +- if (__last_char.first) +- __matcher._M_add_char(__last_char.second); +- else +- __last_char.first = true; +- __last_char.second = __ch; ++ if (__last_char._M_is_char()) ++ __matcher._M_add_char(__last_char.get()); ++ __last_char.set(__ch); + }; +- const auto __flush = [&] ++ // Add any previously cached char into the matcher and update cache. ++ const auto __push_class = [&] + { +- if (__last_char.first) +- { +- __matcher._M_add_char(__last_char.second); +- __last_char.first = false; +- } ++ if (__last_char._M_is_char()) ++ __matcher._M_add_char(__last_char.get()); ++ // We don't cache anything here, just record that the last thing ++ // processed was a character class (or similar). ++ __last_char.reset(_BracketState::_Type::_Class); + }; + + if (_M_match_token(_ScannerT::_S_token_collsymbol)) +@@ -482,16 +475,16 @@ namespace __detail + if (__symbol.size() == 1) + __push_char(__symbol[0]); + else +- __flush(); ++ __push_class(); + } + else if (_M_match_token(_ScannerT::_S_token_equiv_class_name)) + { +- __flush(); ++ __push_class(); + __matcher._M_add_equivalence_class(_M_value); + } + else if (_M_match_token(_ScannerT::_S_token_char_class_name)) + { +- __flush(); ++ __push_class(); + __matcher._M_add_character_class(_M_value, false); + } + else if (_M_try_char()) +@@ -508,49 +501,50 @@ namespace __detail + // It turns out that no one reads BNFs ;) + else if (_M_match_token(_ScannerT::_S_token_bracket_dash)) + { +- if (!__last_char.first) ++ if (_M_match_token(_ScannerT::_S_token_bracket_end)) + { +- if (!(_M_flags & regex_constants::ECMAScript)) +- { +- if (_M_match_token(_ScannerT::_S_token_bracket_end)) +- { +- __push_char('-'); +- return false; +- } +- __throw_regex_error( +- regex_constants::error_range, +- "Unexpected dash in bracket expression. For POSIX syntax, " +- "a dash is not treated literally only when it is at " +- "beginning or end."); +- } ++ // For "-]" the dash is a literal character. + __push_char('-'); ++ return false; + } +- else ++ else if (__last_char._M_is_class()) ++ { ++ // "\\w-" is invalid, start of range must be a single char. ++ __throw_regex_error(regex_constants::error_range, ++ "Invalid start of range in bracket expression."); ++ } ++ else if (__last_char._M_is_char()) + { + if (_M_try_char()) + { +- __matcher._M_make_range(__last_char.second, _M_value[0]); +- __last_char.first = false; ++ // "x-y" ++ __matcher._M_make_range(__last_char.get(), _M_value[0]); ++ __last_char.reset(); + } + else if (_M_match_token(_ScannerT::_S_token_bracket_dash)) + { +- __matcher._M_make_range(__last_char.second, '-'); +- __last_char.first = false; ++ // "x--" ++ __matcher._M_make_range(__last_char.get(), '-'); ++ __last_char.reset(); + } + else +- { +- if (_M_scanner._M_get_token() +- != _ScannerT::_S_token_bracket_end) +- __throw_regex_error( +- regex_constants::error_range, +- "Character is expected after a dash."); +- __push_char('-'); +- } ++ __throw_regex_error(regex_constants::error_range, ++ "Invalid end of range in bracket expression."); + } ++ else if (_M_flags & regex_constants::ECMAScript) ++ { ++ // A dash that is not part of an existing range. Might be the ++ // start of a new range, or might just be a literal '-' char. ++ // Only ECMAScript allows that in the middle of a bracket expr. ++ __push_char('-'); ++ } ++ else ++ __throw_regex_error(regex_constants::error_range, ++ "Invalid dash in bracket expression."); + } + else if (_M_match_token(_ScannerT::_S_token_quoted_class)) + { +- __flush(); ++ __push_class(); + __matcher._M_add_character_class(_M_value, + _M_ctype.is(_CtypeT::upper, + _M_value[0])); +diff --git a/libstdc++-v3/testsuite/28_regex/algorithms/regex_match/cstring_bracket_01.cc b/libstdc++-v3/testsuite/28_regex/algorithms/regex_match/cstring_bracket_01.cc +index 236ab663fc0..57088f5af83 100644 +--- a/libstdc++-v3/testsuite/28_regex/algorithms/regex_match/cstring_bracket_01.cc ++++ b/libstdc++-v3/testsuite/28_regex/algorithms/regex_match/cstring_bracket_01.cc +@@ -68,6 +68,16 @@ test01() + void + test02() + { ++ VERIFY(regex_match("-", regex("[-]", regex_constants::ECMAScript))); ++ VERIFY(regex_match("-", regex("[--]", regex_constants::ECMAScript))); ++ VERIFY(regex_match("-", regex("[---]", regex_constants::ECMAScript))); ++ VERIFY(regex_match("-", regex("[----]", regex_constants::ECMAScript))); ++ VERIFY(regex_match("-", regex("[-----]", regex_constants::ECMAScript))); ++ ++ VERIFY(regex_match("-", regex("[-]", regex_constants::extended))); ++ VERIFY(regex_match("-", regex("[--]", regex_constants::extended))); ++ VERIFY(regex_match("-", regex("[---]", regex_constants::extended))); ++ VERIFY(regex_match("-", regex("[----]", regex_constants::extended))); + try + { + std::regex re("[-----]", std::regex::extended); +@@ -77,7 +87,6 @@ test02() + { + VERIFY(e.code() == std::regex_constants::error_range); + } +- std::regex re("[-----]", std::regex::ECMAScript); + + VERIFY(!regex_match("b", regex("[-ac]", regex_constants::extended))); + VERIFY(!regex_match("b", regex("[ac-]", regex_constants::extended))); +@@ -92,7 +101,27 @@ test02() + } + catch (const std::regex_error& e) + { ++ VERIFY(e.code() == std::regex_constants::error_range); ++ } ++ try ++ { ++ regex("[@--]", regex_constants::extended); ++ VERIFY(false); + } ++ catch (const std::regex_error& e) ++ { ++ VERIFY(e.code() == std::regex_constants::error_range); ++ } ++ try ++ { ++ regex("[--%]", regex_constants::extended); ++ VERIFY(false); ++ } ++ catch (const std::regex_error& e) ++ { ++ VERIFY(e.code() == std::regex_constants::error_range); ++ } ++ + VERIFY(regex_match("].", regex("[][.hyphen.]-0]*", regex_constants::extended))); + } + +@@ -157,6 +186,36 @@ test06() + VERIFY(regex_match("a-", debian_cron_namespace_ok)); + } + ++// libstdc++/102447 ++void ++test07() ++{ ++ VERIFY(regex_match("-", std::regex("[\\w-]", std::regex::ECMAScript))); ++ VERIFY(regex_match("a", std::regex("[\\w-]", std::regex::ECMAScript))); ++ VERIFY(regex_match("-", std::regex("[a-]", std::regex::ECMAScript))); ++ VERIFY(regex_match("a", std::regex("[a-]", std::regex::ECMAScript))); ++ ++ try ++ { ++ std::regex re("[\\w-a]", std::regex::ECMAScript); ++ VERIFY(false); ++ } ++ catch (const std::regex_error& e) ++ { ++ VERIFY(e.code() == std::regex_constants::error_range); ++ } ++ ++ try ++ { ++ std::regex re("[\\w--]", std::regex::ECMAScript); ++ VERIFY(false); ++ } ++ catch (const std::regex_error& e) ++ { ++ VERIFY(e.code() == std::regex_constants::error_range); ++ } ++} ++ + int + main() + { +@@ -166,6 +225,7 @@ main() + test04(); + test05(); + test06(); ++ test07(); + + return 0; + } + +commit 1851cc4c5f2666dfdec53a2ada57095ffc59e08b +Author: Jonathan Wakely +Date: Mon Dec 13 13:36:33 2021 +0000 + + libstdc++: Fix non-reserved name in header + + libstdc++-v3/ChangeLog: + + * include/bits/regex_compiler.tcc (_Compiler::_M_match_token): + Use reserved name for parameter. + * testsuite/17_intro/names.cc: Check "token". + + (cherry picked from commit b0e6a257f1862e217cdf19332ea0f7bad56dcddc) + +diff --git a/libstdc++-v3/include/bits/regex_compiler.tcc b/libstdc++-v3/include/bits/regex_compiler.tcc +index 8af920e5fe9..b1169428afb 100644 +--- a/libstdc++-v3/include/bits/regex_compiler.tcc ++++ b/libstdc++-v3/include/bits/regex_compiler.tcc +@@ -586,9 +586,9 @@ namespace __detail + template + bool + _Compiler<_TraitsT>:: +- _M_match_token(_TokenT token) ++ _M_match_token(_TokenT __token) + { +- if (token == _M_scanner._M_get_token()) ++ if (__token == _M_scanner._M_get_token()) + { + _M_value = _M_scanner._M_get_value(); + _M_scanner._M_advance(); +diff --git a/libstdc++-v3/testsuite/17_intro/names.cc b/libstdc++-v3/testsuite/17_intro/names.cc +index d758138dfb1..6c06aba7228 100644 +--- a/libstdc++-v3/testsuite/17_intro/names.cc ++++ b/libstdc++-v3/testsuite/17_intro/names.cc +@@ -99,6 +99,7 @@ + #define z ( + + #define tmp ( ++#define token ( + + #if __cplusplus < 201103L + #define uses_allocator ( +--- a/libstdc++-v3/include/bits/c++config.orig 2022-07-08 15:06:14.083231445 -0400 ++++ b/libstdc++-v3/include/bits/c++config 2022-07-08 15:06:41.733247859 -0400 +@@ -99,6 +99,12 @@ + # define _GLIBCXX_ABI_TAG_CXX11 __attribute ((__abi_tag__ ("cxx11"))) + #endif + ++// Macro to warn about unused results. ++#if __cplusplus >= 201703L ++# define _GLIBCXX_NODISCARD [[__nodiscard__]] ++#else ++# define _GLIBCXX_NODISCARD ++#endif + + #if __cplusplus + diff --git a/SPECS/gcc.spec b/SPECS/gcc.spec index 5fa0be1..c87b4c9 100644 --- a/SPECS/gcc.spec +++ b/SPECS/gcc.spec @@ -4,7 +4,7 @@ %global gcc_major 8 # Note, gcc_release must be integer, if you want to add suffixes to # %%{release}, append them after %%{gcc_release} on Release: line. -%global gcc_release 10 +%global gcc_release 15 %global nvptx_tools_gitrev c28050f60193b3b95a18866a96f03334e874e78f %global nvptx_newlib_gitrev aadc8eb0ec43b7cd0dd2dfb484bae63c8b05ef24 %global _unpackaged_files_terminate_build 0 @@ -104,7 +104,7 @@ Summary: Various compilers (C, C++, Objective-C, ...) Name: gcc Version: %{gcc_version} -Release: %{gcc_release}.1%{?dist} +Release: %{gcc_release}%{?dist} # libgcc, libgfortran, libgomp, libstdc++ and crtstuff have # GCC Runtime Exception. License: GPLv3+ and GPLv3+ with exceptions and GPLv2+ with exceptions and LGPLv2+ and BSD @@ -199,7 +199,7 @@ Requires: libisl.so.15 %endif %if %{build_libstdcxx_docs} BuildRequires: doxygen >= 1.7.1 -BuildRequires: graphviz, dblatex, texlive-collection-latex, docbook5-style-xsl +BuildRequires: graphviz, dblatex, texlive-collection-latex, docbook-style-xsl %endif Requires: cpp = %{version}-%{release} # Need .eh_frame ld optimizations @@ -285,10 +285,15 @@ Patch24: gcc8-pch-tweaks.patch Patch25: gcc8-aarch64-mtune-neoverse-512tvb.patch Patch26: gcc8-rh2028609.patch Patch27: gcc8-libgfortran-default-values.patch +Patch28: gcc8-rh2001788.patch Patch30: gcc8-rh1668903-1.patch Patch31: gcc8-rh1668903-2.patch Patch32: gcc8-rh1668903-3.patch +Patch33: gcc8-harden-1.patch +Patch34: gcc8-harden-2.patch +Patch35: gcc8-harden-3.patch +Patch36: gcc8-harden-4.patch Patch1000: nvptx-tools-no-ptxas.patch Patch1001: nvptx-tools-build.patch @@ -834,6 +839,25 @@ NVidia PTX. OpenMP and OpenACC programs linked with -fopenmp will by default add PTX code into the binaries, which can be offloaded to NVidia PTX capable devices if available. +%package plugin-annobin +Summary: The annobin plugin for gcc, built by the installed version of gcc +Requires: gcc = %{version}-%{release} +# Starting with release 10.01 annobin fixed a bug in its configure scripts +# which prevented them from working with a built but not installed compiler +BuildRequires: annobin >= 10.01 +# Starting with release 9.93 annobin-plugin-gcc puts a copy of the sources +# in /usr/src/annobin +# FIXME: Currently the annobin-plugin-gcc subpackage only exists in Fedora. +# For RHEL-9 the annobin package does everything. +# BuildRequires: annobin-plugin-gcc +# Needed in order to be able to decompress the annobin source tarball. +BuildRequires: xz + +%description plugin-annobin +This package adds a version of the annobin plugin for gcc. This version +of the plugin is explicitly built by the same version of gcc that is installed +so that there cannot be any synchronization problems. + %prep %setup -q -n gcc-%{version}-%{DATE} -a 1 -a 2 %patch0 -p0 -b .hack~ @@ -871,10 +895,15 @@ to NVidia PTX capable devices if available. %patch25 -p1 -b .neoverse~ %patch26 -p1 -b .rh2028609~ %patch27 -p1 -b .libgfortran-default~ +%patch28 -p1 -b .rh2001788~ %patch30 -p0 -b .rh1668903-1~ %patch31 -p0 -b .rh1668903-2~ %patch32 -p0 -b .rh1668903-3~ +%patch33 -p1 -b .harden-1~ +%patch34 -p1 -b .harden-2~ +%patch35 -p1 -b .harden-3~ +%patch36 -p1 -b .harden-4~ cd nvptx-tools-%{nvptx_tools_gitrev} %patch1000 -p1 -b .nvptx-tools-no-ptxas~ @@ -1212,6 +1241,82 @@ done) rm -f rpm.doc/changelogs/gcc/ChangeLog.[1-9] find rpm.doc -name \*ChangeLog\* | xargs bzip2 -9 +# Get the annobin sources. Note these are not added to the rpm as SOURCE4 +# because if they were the build phase would try to include them as part of +# gcc itself, and this causes problems. Instead we locate the sources in +# the buildroot. They should have been put there when annobin was installed. + +pushd %{_builddir} + +%global annobin_source_dir %{_usrsrc}/annobin + +if [ -d %{annobin_source_dir} ] +then + # Unpack the sources. + echo "Unpacking annobin sources" + rm -fr annobin-* + tar xvf %{annobin_source_dir}/latest-annobin.tar.xz + + # Setting this as a local symbol because using %%global does not appear to work. + annobin_dir=$(find . -maxdepth 1 -type d -name "annobin*") + + # Now build the annobin plugin using the just built compiler. + echo "annobin directory = ${annobin_dir}" + cd ${annobin_dir} + + # Change the plugin so that it generates "nop" instead of ".nop" instructions. + sed -e "s/\.nop/nop/" -i gcc-plugin/annobin.cc + + # Work out where this version of gcc stores its plugins. +%global ANNOBIN_GCC_PLUGIN_DIR %{_prefix}/lib/gcc/%{gcc_target_platform}/%{gcc_major}/plugin + + CONFIG_ARGS="--quiet" + CONFIG_ARGS="$CONFIG_ARGS --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}" + CONFIG_ARGS="$CONFIG_ARGS --without-annocheck" + CONFIG_ARGS="$CONFIG_ARGS --without-tests" + CONFIG_ARGS="$CONFIG_ARGS --disable-rpath" + + comp_dir="%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/gcc/" + ccompiler="%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/gcc/xgcc -B $comp_dir" + cxxcompiler="%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/gcc/xg++ -B $comp_dir" + + comp_flags="%build_cflags" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/gcc" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/gcc/" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libstdc++-v3/include" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libstdc++-v3/include/%{gcc_target_platform}" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/libstdc++-v3/libsupc++" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/include" + comp_flags="$comp_flags -I %{_builddir}/gcc-%{version}-%{DATE}/libcpp/include" + + ld_flags="%build_ldflags" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/libstdc++-v3/.libs" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libstdc++-v3/.libs" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libstdc++-v3/src/.libs" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/libstdc++-v3/libsupc++/.libs" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libstdc++-v3/libsupc++/.libs" + ld_flags="$ld_flags -L%{_builddir}/gcc-%{version}-%{DATE}/obj-%{gcc_target_platform}/%{gcc_target_platform}/libgcc/.libs" + + # libtool works with CFLAGS but ignores LDFLAGS, so we have to combine them. + comp_flags="$comp_flags $ld_flags" + + echo "Configuring the annobin plugin" + CC="${ccompiler}" CFLAGS="${comp_flags}" \ + CXX="${cxxcompiler}" CXXFLAGS="${comp_flags}" \ + LDFLAGS="${ld_flags}" \ + ./configure ${CONFIG_ARGS} || cat config.log + + echo "Building the annobin plugin" + make + + echo "Annobin plugin build complete" +else + echo "Unable to locate annobin sources (expected to find: %{annobin_source_dir}/latest-annobin.tar.xz)" + echo "These should be provided by installing the annobin package" + exit 1 +fi +popd + %install rm -rf %{buildroot} @@ -1991,6 +2096,20 @@ rm -f %{buildroot}%{mandir}/man3/ffi* # Help plugins find out nvra. echo gcc-%{version}-%{release}.%{_arch} > $FULLPATH/rpmver +# Rename the annobin plugin to gcc-annobin. +mkdir -p %{buildroot}%{ANNOBIN_GCC_PLUGIN_DIR} +pushd %{buildroot}%{ANNOBIN_GCC_PLUGIN_DIR} + +annobin_dir=$(find %{_builddir} -maxdepth 1 -type d -name "annobin*") +echo "annobin directory = ${annobin_dir}" + +cp ${annobin_dir}/gcc-plugin/.libs/annobin.so.0.0.0 gcc-annobin.so.0.0.0 + +rm -f gcc-annobin.so.0 gcc-annobin.so +ln -s gcc-annobin.so.0.0.0 gcc-annobin.so.0 +ln -s gcc-annobin.so.0.0.0 gcc-annobin.so +popd + %check cd obj-%{gcc_target_platform} @@ -3186,9 +3305,27 @@ fi %{_prefix}/%{_lib}/libgomp-plugin-nvptx.so.* %endif +%files plugin-annobin +%{ANNOBIN_GCC_PLUGIN_DIR}/gcc-annobin.so +%{ANNOBIN_GCC_PLUGIN_DIR}/gcc-annobin.so.0 +%{ANNOBIN_GCC_PLUGIN_DIR}/gcc-annobin.so.0.0.0 + %changelog -* Wed Apr 27 2022 Marek Polacek 8.5.0-10.1 -- backport Default widths with -fdec-format-defaults patch (#2079578) +* Wed Jul 20 2022 Marek Polacek 8.5.0-15 +- backport straight-line-speculation mitigation (#2108721) + +* Fri Jul 8 2022 Jonathan Wakely 8.5.0-14 +- backport std::regex check for invalid range (#2001788) + +* Wed Apr 20 2022 Marek Polacek 8.5.0-13 +- require docbook-style-xsl instead of docbook5-style-xsl (#2073888) +- backport Default widths with -fdec-format-defaults patch (#2074614) + +* Fri Apr 01 2022 Marek Polacek 8.5.0-12 +- Fix nop generation in annobin plugin. (#2067150) + +* Wed Mar 30 2022 Marek Polacek 8.5.0-11 +- Add a plugin-annobin subpackage. (#2067150) * Thu Jan 27 2022 Marek Polacek 8.5.0-10 - fix typo in the cprop_hardreg patch (#2028609)