diff options
Diffstat (limited to 'poky/meta/recipes-devtools')
103 files changed, 6460 insertions, 547 deletions
diff --git a/poky/meta/recipes-devtools/automake/automake/buildtest.patch b/poky/meta/recipes-devtools/automake/automake/buildtest.patch index b88b9e8693..c43a4ac8f3 100644 --- a/poky/meta/recipes-devtools/automake/automake/buildtest.patch +++ b/poky/meta/recipes-devtools/automake/automake/buildtest.patch @@ -36,7 +36,7 @@ index e0db651..de137fa 100644 -check-TESTS: $(TESTS) +AM_RECURSIVE_TARGETS += buildtest runtest + -+buildtest-TESTS: $(TESTS) ++buildtest-TESTS: $(TESTS) $(check_PROGRAMS) + +check-TESTS: buildtest-TESTS + $(MAKE) $(AM_MAKEFLAGS) runtest-TESTS diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.40.inc b/poky/meta/recipes-devtools/binutils/binutils-2.40.inc index dbb43044a4..424cfc48fc 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.40.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.40.inc @@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_40-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "4671be001eb5a899ecac3e2686a92934000f8262" +SRCREV ?= "391fd4d9ee5d2b78244cbcd57fc405738359b70b" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -34,5 +34,7 @@ SRC_URI = "\ file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://0015-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \ file://0016-CVE-2023-25586.patch \ + file://0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch \ + file://0017-CVE-2023-39128.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils.inc b/poky/meta/recipes-devtools/binutils/binutils.inc index c69d29448f..e176b5cff1 100644 --- a/poky/meta/recipes-devtools/binutils/binutils.inc +++ b/poky/meta/recipes-devtools/binutils/binutils.inc @@ -33,6 +33,8 @@ FILES:${PN}-dev = " \ ${libdir}/libctf-nobfd.so \ ${libdir}/libopcodes.so" +FILES:${PN}-staticdev += "${libdir}/gprofng/*.a" + # Rather than duplicating multiple entries for these, make one # list and reuse it. diff --git a/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch b/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch new file mode 100644 index 0000000000..31157cacd2 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0001-Fix-an-illegal-memory-access-when-an-accessing-a-zer.patch @@ -0,0 +1,43 @@ +From c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Thu, 30 Mar 2023 10:10:09 +0100 +Subject: [PATCH] Fix an illegal memory access when an accessing a + zer0-lengthverdef table. + + PR 30285 + * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated. + +CVE: CVE-2023-1972 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf.c | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/bfd/elf.c b/bfd/elf.c +index 027d0143735..185028cbd97 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verdef; + } ++ ++ if (amt == 0) ++ goto error_return_verdef; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return_verdef; +@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return; + } ++ if (amt == 0) ++ goto error_return; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch b/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch new file mode 100644 index 0000000000..cd81a52b15 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0017-CVE-2023-39128.patch @@ -0,0 +1,74 @@ +From: Tom Tromey <tromey@adacore.com> +Date: Wed, 16 Aug 2023 17:29:19 +0000 (-0600) +Subject: Avoid buffer overflow in ada_decode +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d + +Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz <keiths@redhat.com> +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] + +CVE: CVE-2023-39128 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 4a9a6e0f38f..2f934b1e79a 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include <algorithm> + #include "ada-exp.h" + #include "charset.h" +@@ -1377,7 +1378,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1574,6 +1575,18 @@ Suppress: + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -13984,4 +13997,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } diff --git a/poky/meta/recipes-devtools/binutils/binutils_2.40.bb b/poky/meta/recipes-devtools/binutils/binutils_2.40.bb index 9fe4bf5ae3..4ce1b4bec2 100644 --- a/poky/meta/recipes-devtools/binutils/binutils_2.40.bb +++ b/poky/meta/recipes-devtools/binutils/binutils_2.40.bb @@ -67,7 +67,6 @@ FILES:libbfd = "${libdir}/libbfd-*.so.* ${libdir}/libbfd-*.so" FILES:libopcodes = "${libdir}/libopcodes-*.so.* ${libdir}/libopcodes-*.so" FILES:gprofng = "${sysconfdir}/gprofng.rc ${libdir}/gprofng/libgp-*.so ${libdir}/gprofng/libgprofng.so.* ${bindir}/gp-* ${bindir}/gprofng" FILES:${PN}-dev += "${libdir}/libgprofng.so ${libdir}/libsframe.so" -FILES:${PN}-staticdev += "${libdir}/gprofng/*.a" SRC_URI:append:class-nativesdk = " file://0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch " USE_ALTERNATIVES_FOR:class-nativesdk = "" diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch new file mode 100644 index 0000000000..53480d6299 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch @@ -0,0 +1,237 @@ +From d8cfbc808f387e87091c25e7d5b8c2bb348bb206 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 09:40:23 +0000 +Subject: [PATCH] dmidecode: Write the whole dump file at once + +When option --dump-bin is used, write the whole dump file at once, +instead of opening and closing the file separately for the table +and then for the entry point. + +As the file writing function is no longer generic, it gets moved +from util.c to dmidecode.c. + +One minor functional change resulting from the new implementation is +that the entry point is written first now, so the messages printed +are swapped. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Reference: https://github.com/mirror/dmidecode/commit/39b2dd7b6ab719b920e96ed832cfb4bdd664e808 + +Upstream-Status: Backport [https://github.com/mirror/dmidecode/commit/d8cfbc808f387e87091c25e7d5b8c2bb348bb206] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 79 +++++++++++++++++++++++++++++++++++++++-------------- + util.c | 40 --------------------------- + util.h | 1 - + 3 files changed, 58 insertions(+), 62 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 9aeff91..5477309 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5427,11 +5427,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + } + } + +-static void dmi_table_dump(const u8 *buf, u32 len) ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, ++ u32 table_len) + { ++ FILE *f; ++ ++ f = fopen(opt.dumpfile, "wb"); ++ if (!f) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fopen"); ++ return -1; ++ } ++ ++ if (!(opt.flags & FLAG_QUIET)) ++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile); ++ if (fwrite(ep, ep_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fseek(f, 32, SEEK_SET) != 0) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fseek"); ++ goto err_close; ++ } ++ + if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile); +- write_dump(32, len, buf, opt.dumpfile, 0); ++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile); ++ if (fwrite(table, table_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fclose(f)) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fclose"); ++ return -1; ++ } ++ ++ return 0; ++ ++err_close: ++ fclose(f); ++ return -1; + } + + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) +@@ -5648,11 +5693,6 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + return; + } + +- if (opt.flags & FLAG_DUMP_BIN) +- dmi_table_dump(buf, len); +- else +- dmi_table_decode(buf, len, num, ver >> 8, flags); +- + free(buf); + } + +@@ -5688,8 +5728,9 @@ static void overwrite_smbios3_address(u8 *buf) + + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + { +- u32 ver; ++ u32 ver, len; + u64 offset; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x06] > 0x20) +@@ -5725,10 +5766,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_smbios3_address(crafted); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x06], +- opt.dumpfile); +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x06], table, len); + } + + return 1; +@@ -5737,6 +5775,8 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + { + u16 ver; ++ u32 len; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x05] > 0x20) +@@ -5786,10 +5826,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x05], +- opt.dumpfile); +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x05], table, len); + } + + return 1; +@@ -5797,6 +5834,9 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + { ++ u32 len; ++ u8 *table; ++ + if (!checksum(buf, 0x0F)) + return 0; + +@@ -5815,10 +5855,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", 0x0F, +- opt.dumpfile); +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, 0x0F, table, len); + } + + return 1; +diff --git a/util.c b/util.c +index 04aaadd..1547096 100644 +--- a/util.c ++++ b/util.c +@@ -259,46 +259,6 @@ out: + return p; + } + +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add) +-{ +- FILE *f; +- +- f = fopen(dumpfile, add ? "r+b" : "wb"); +- if (!f) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fopen"); +- return -1; +- } +- +- if (fseek(f, base, SEEK_SET) != 0) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fseek"); +- goto err_close; +- } +- +- if (fwrite(data, len, 1, f) != 1) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fwrite"); +- goto err_close; +- } +- +- if (fclose(f)) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fclose"); +- return -1; +- } +- +- return 0; +- +-err_close: +- fclose(f); +- return -1; +-} +- + /* Returns end - start + 1, assuming start < end */ + u64 u64_range(u64 start, u64 end) + { +diff --git a/util.h b/util.h +index 3094cf8..ef24eb9 100644 +--- a/util.h ++++ b/util.h +@@ -27,5 +27,4 @@ + int checksum(const u8 *buf, size_t len); + void *read_file(off_t base, size_t *len, const char *filename); + void *mem_chunk(off_t base, size_t len, const char *devmem); +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add); + u64 u64_range(u64 start, u64 end); +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch new file mode 100644 index 0000000000..dcc87d2326 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch @@ -0,0 +1,81 @@ +From 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:03:53 +0000 +Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file + +Make sure that the file passed to option --dump-bin does not already +exist. In practice, it is rather unlikely that an honest user would +want to overwrite an existing dump file, while this possibility +could be used by a rogue user to corrupt a system file. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://github.com/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e7706f70bdda72e6f2] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 14 ++++++++++++-- + man/dmidecode.8 | 3 ++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 5477309..98f9692 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -60,6 +60,7 @@ + * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf + */ + ++#include <fcntl.h> + #include <stdio.h> + #include <string.h> + #include <strings.h> +@@ -5430,13 +5431,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, + u32 table_len) + { ++ int fd; + FILE *f; + +- f = fopen(opt.dumpfile, "wb"); ++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); ++ if (fd == -1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("open"); ++ return -1; ++ } ++ ++ f = fdopen(fd, "wb"); + if (!f) + { + fprintf(stderr, "%s: ", opt.dumpfile); +- perror("fopen"); ++ perror("fdopen"); + return -1; + } + +diff --git a/man/dmidecode.8 b/man/dmidecode.8 +index ed066b3..3a732c0 100644 +--- a/man/dmidecode.8 ++++ b/man/dmidecode.8 +@@ -1,4 +1,4 @@ +-.TH DMIDECODE 8 "January 2019" "dmidecode" ++.TH DMIDECODE 8 "February 2023" "dmidecode" + .\" + .SH NAME + dmidecode \- \s-1DMI\s0 table decoder +@@ -159,6 +159,7 @@ hexadecimal and \s-1ASCII\s0. This option is mainly useful for debugging. + Do not decode the entries, instead dump the DMI data to a file in binary + form. The generated file is suitable to pass to \fB--from-dump\fP + later. ++\fIFILE\fP must not exist. + .TP + .BR " " " " "--from-dump \fIFILE\fP" + Read the DMI data from a binary file previously generated using +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch new file mode 100644 index 0000000000..01d0d1f867 --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch @@ -0,0 +1,69 @@ +From c76ddda0ba0aa99a55945e3290095c2ec493c892 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:25:50 +0000 +Subject: [PATCH] Consistently use read_file() when reading from a dump file + +Use read_file() instead of mem_chunk() to read the entry point from a +dump file. This is faster, and consistent with how we then read the +actual DMI table from that dump file. + +This made no functional difference so far, which is why it went +unnoticed for years. But now that a file type check was added to the +mem_chunk() function, we must stop using it to read from regular +files. + +This will again allow root to use the --from-dump option. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Tested-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=c76ddda0ba0aa99a55945e3290095c2ec493c892] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 98f9692..b4dbc9d 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5997,17 +5997,25 @@ int main(int argc, char * const argv[]) + pr_comment("dmidecode %s", VERSION); + + /* Read from dump if so instructed */ ++ size = 0x20; + if (opt.flags & FLAG_FROM_DUMP) + { + if (!(opt.flags & FLAG_QUIET)) + pr_info("Reading SMBIOS/DMI data from file %s.", + opt.dumpfile); +- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) ++ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) + { + ret = 1; + goto exit_free; + } + ++ /* Truncated entry point can't be processed */ ++ if (size < 0x20) ++ { ++ ret = 1; ++ goto done; ++ } ++ + if (memcmp(buf, "_SM3_", 5) == 0) + { + if (smbios3_decode(buf, opt.dumpfile, 0)) +@@ -6031,7 +6039,6 @@ int main(int argc, char * const argv[]) + * contain one of several types of entry points, so read enough for + * the largest one, then determine what type it contains. + */ +- size = 0x20; + if (!(opt.flags & FLAG_NO_SYSFS) + && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) + { +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch new file mode 100644 index 0000000000..5fa72b4f9b --- /dev/null +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch @@ -0,0 +1,137 @@ +From 2b83c4b898f8325313162f588765411e8e3e5561 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:58:11 +0000 +Subject: [PATCH] Don't read beyond sysfs entry point buffer + +Functions smbios_decode() and smbios3_decode() include a check +against buffer overrun. This check assumes that the buffer length is +always 32 bytes. This is true when reading from /dev/mem or from a +dump file, however when reading from sysfs, the buffer length is the +size of the actual sysfs attribute file, typically 31 bytes for an +SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point. + +In the unlikely event of a malformed entry point, with encoded length +larger than expected but smaller than or equal to 32, we would hit a +buffer overrun. So properly pass the actual buffer length as an +argument and perform the check against it. + +In practice, this will never happen, because on the Linux kernel +side, the size of the sysfs attribute file is decided from the entry +point length field. So it is technically impossible for them not to +match. But user-space code should not make such assumptions. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=2b83c4b898f8325313162f588765411e8e3e5561] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index b4dbc9d..870d94e 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5736,14 +5736,14 @@ static void overwrite_smbios3_address(u8 *buf) + buf[0x17] = 0; + } + +-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u32 ver, len; + u64 offset; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x06] > 0x20) ++ if (buf[0x06] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -5782,14 +5782,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + return 1; + } + +-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u16 ver; + u32 len; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x05] > 0x20) ++ if (buf[0x05] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -6018,12 +6018,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.dumpfile, 0)) ++ if (smbios3_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.dumpfile, 0)) ++ if (smbios_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_DMI_", 5) == 0) +@@ -6046,12 +6046,12 @@ int main(int argc, char * const argv[]) + pr_info("Getting SMBIOS data from sysfs."); + if (size >= 24 && memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) +@@ -6088,12 +6088,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.devmem, 0)) ++ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.devmem, 0)) ++ if (smbios_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + goto done; +@@ -6114,7 +6114,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf + fp, opt.devmem, 0)) ++ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +@@ -6127,7 +6127,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) + { +- if (smbios_decode(buf + fp, opt.devmem, 0)) ++ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb b/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb index bc741046dd..4d5255df64 100644 --- a/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb +++ b/poky/meta/recipes-devtools/dmidecode/dmidecode_3.4.bb @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ file://0001-Committing-changes-from-do_unpack_extra.patch \ + file://CVE-2023-30630_1.patch \ + file://CVE-2023-30630_2.patch \ + file://CVE-2023-30630_3.patch \ + file://CVE-2023-30630_4.patch \ " COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" diff --git a/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb b/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb index 62df8c4ace..95007c9c4b 100644 --- a/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb +++ b/poky/meta/recipes-devtools/dnf/dnf_4.14.0.bb @@ -15,9 +15,10 @@ SRC_URI = "git://github.com/rpm-software-management/dnf.git;branch=master;protoc file://0029-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \ file://0030-Run-python-scripts-using-env.patch \ file://0001-set-python-path-for-completion_helper.patch \ - file://0001-dnf-write-the-log-lock-to-root.patch \ " +SRC_URI:append:class-native = "file://0001-dnf-write-the-log-lock-to-root.patch" + SRCREV = "e50875b3f5790f70720bdb670e1dd2bf4d828744" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb b/poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb index a19a96ef06..04bcc93321 100644 --- a/poky/meta/recipes-devtools/dpkg/dpkg_1.21.21.bb +++ b/poky/meta/recipes-devtools/dpkg/dpkg_1.21.22.bb @@ -18,6 +18,6 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=1.21. SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch" -SRCREV = "9ef736b7b3a5fa0d6e991e8475eb2e3151fec345" +SRCREV = "48482e4f16467e05a08aa3b3b8048e08f0024609" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch new file mode 100644 index 0000000000..9ed77d921f --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33551.patch @@ -0,0 +1,80 @@ +From 5782f0d47df99dcfc743aa138361336e9a4ac966 Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Fri, 2 Jun 2023 13:52:56 +0800 +Subject: [PATCH 1/4] erofs-utils: fsck: block insane long paths when + extracting images + +Since some crafted EROFS filesystem images could have insane deep +hierarchy (or may form directory loops) which triggers the +PATH_MAX-sized path buffer OR stack overflow. + +Actually some crafted images cannot be deemed as real corrupted +images but over-PATH_MAX paths are not something that we'd like to +support for now. + +CVE: CVE-2023-33551 +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551 +Reported-by: Chaoming Yang <lometsj@live.com> +Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs") +Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()") +Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") +Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=27aeef179bf17d5f1d98f827e93d24839a6d4176] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 5a2f659..2b6a6dd 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -679,28 +679,35 @@ again: + static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx) + { + int ret; +- size_t prev_pos = fsckcfg.extract_pos; ++ size_t prev_pos, curr_pos; + + if (ctx->dot_dotdot) + return 0; + +- if (fsckcfg.extract_path) { +- size_t curr_pos = prev_pos; ++ prev_pos = fsckcfg.extract_pos; ++ curr_pos = prev_pos; ++ ++ if (prev_pos + ctx->de_namelen >= PATH_MAX) { ++ erofs_err("unable to fsck since the path is too long (%u)", ++ curr_pos + ctx->de_namelen); ++ return -EOPNOTSUPP; ++ } + ++ if (fsckcfg.extract_path) { + fsckcfg.extract_path[curr_pos++] = '/'; + strncpy(fsckcfg.extract_path + curr_pos, ctx->dname, + ctx->de_namelen); + curr_pos += ctx->de_namelen; + fsckcfg.extract_path[curr_pos] = '\0'; +- fsckcfg.extract_pos = curr_pos; ++ } else { ++ curr_pos += ctx->de_namelen; + } +- ++ fsckcfg.extract_pos = curr_pos; + ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid); + +- if (fsckcfg.extract_path) { ++ if (fsckcfg.extract_path) + fsckcfg.extract_path[prev_pos] = '\0'; +- fsckcfg.extract_pos = prev_pos; +- } ++ fsckcfg.extract_pos = prev_pos; + return ret; + } + +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch new file mode 100644 index 0000000000..011ca1cd5e --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-1.patch @@ -0,0 +1,221 @@ +From 8aef6015a03242a7d13467d23ad52b5427bf5247 Mon Sep 17 00:00:00 2001 +From: Yue Hu <huyue2@coolpad.com> +Date: Wed, 11 Jan 2023 09:49:26 +0800 +Subject: [PATCH] erofs-utils: lib: export parts of erofs_pread() + +Export parts of erofs_pread() to avoid duplicated code in +erofs_verify_inode_data(). Let's make two helpers for this. + +Signed-off-by: Yue Hu <huyue2@coolpad.com> +Link: https://lore.kernel.org/r/ff560da9c798b2ca1f1a663a000501486d865487.1673401718.git.huyue2@coolpad.com +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/commit/?id=4c0fb15a5d85378debe9d10d96cd643d167300ca] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + include/erofs/internal.h | 5 ++ + lib/data.c | 108 ++++++++++++++++++++++++--------------- + 2 files changed, 71 insertions(+), 42 deletions(-) + +diff --git a/include/erofs/internal.h b/include/erofs/internal.h +index d3b2986..28d0e68 100644 +--- a/include/erofs/internal.h ++++ b/include/erofs/internal.h +@@ -335,6 +335,11 @@ int erofs_pread(struct erofs_inode *inode, char *buf, + int erofs_map_blocks(struct erofs_inode *inode, + struct erofs_map_blocks *map, int flags); + int erofs_map_dev(struct erofs_sb_info *sbi, struct erofs_map_dev *map); ++int erofs_read_one_data(struct erofs_map_blocks *map, char *buffer, u64 offset, ++ size_t len); ++int z_erofs_read_one_data(struct erofs_inode *inode, ++ struct erofs_map_blocks *map, char *raw, char *buffer, ++ erofs_off_t skip, erofs_off_t length, bool trimmed); + + static inline int erofs_get_occupied_size(const struct erofs_inode *inode, + erofs_off_t *size) +diff --git a/lib/data.c b/lib/data.c +index 6bc554d..2a7fdd5 100644 +--- a/lib/data.c ++++ b/lib/data.c +@@ -158,19 +158,38 @@ int erofs_map_dev(struct erofs_sb_info *sbi, struct erofs_map_dev *map) + return 0; + } + ++int erofs_read_one_data(struct erofs_map_blocks *map, char *buffer, u64 offset, ++ size_t len) ++{ ++ struct erofs_map_dev mdev; ++ int ret; ++ ++ mdev = (struct erofs_map_dev) { ++ .m_deviceid = map->m_deviceid, ++ .m_pa = map->m_pa, ++ }; ++ ret = erofs_map_dev(&sbi, &mdev); ++ if (ret) ++ return ret; ++ ++ ret = dev_read(mdev.m_deviceid, buffer, mdev.m_pa + offset, len); ++ if (ret < 0) ++ return -EIO; ++ return 0; ++} ++ + static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + erofs_off_t size, erofs_off_t offset) + { + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; + int ret; + erofs_off_t ptr = offset; + + while (ptr < offset + size) { + char *const estart = buffer + ptr - offset; +- erofs_off_t eend; ++ erofs_off_t eend, moff = 0; + + map.m_la = ptr; + ret = erofs_map_blocks(inode, &map, 0); +@@ -179,14 +198,6 @@ static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + + DBG_BUGON(map.m_plen != map.m_llen); + +- mdev = (struct erofs_map_dev) { +- .m_deviceid = map.m_deviceid, +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) +- return ret; +- + /* trim extent */ + eend = min(offset + size, map.m_la + map.m_llen); + DBG_BUGON(ptr < map.m_la); +@@ -204,19 +215,54 @@ static int erofs_read_raw_data(struct erofs_inode *inode, char *buffer, + } + + if (ptr > map.m_la) { +- mdev.m_pa += ptr - map.m_la; ++ moff = ptr - map.m_la; + map.m_la = ptr; + } + +- ret = dev_read(mdev.m_deviceid, estart, mdev.m_pa, +- eend - map.m_la); +- if (ret < 0) +- return -EIO; ++ ret = erofs_read_one_data(&map, estart, moff, eend - map.m_la); ++ if (ret) ++ return ret; + ptr = eend; + } + return 0; + } + ++int z_erofs_read_one_data(struct erofs_inode *inode, ++ struct erofs_map_blocks *map, char *raw, char *buffer, ++ erofs_off_t skip, erofs_off_t length, bool trimmed) ++{ ++ struct erofs_map_dev mdev; ++ int ret = 0; ++ ++ /* no device id here, thus it will always succeed */ ++ mdev = (struct erofs_map_dev) { ++ .m_pa = map->m_pa, ++ }; ++ ret = erofs_map_dev(&sbi, &mdev); ++ if (ret) { ++ DBG_BUGON(1); ++ return ret; ++ } ++ ++ ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map->m_plen); ++ if (ret < 0) ++ return ret; ++ ++ ret = z_erofs_decompress(&(struct z_erofs_decompress_req) { ++ .in = raw, ++ .out = buffer, ++ .decodedskip = skip, ++ .inputsize = map->m_plen, ++ .decodedlength = length, ++ .alg = map->m_algorithmformat, ++ .partial_decoding = trimmed ? true : ++ !(map->m_flags & EROFS_MAP_FULL_MAPPED) ++ }); ++ if (ret < 0) ++ return ret; ++ return 0; ++} ++ + static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + erofs_off_t size, erofs_off_t offset) + { +@@ -224,8 +270,7 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; +- bool partial; ++ bool trimmed; + unsigned int bufsize = 0; + char *raw = NULL; + int ret = 0; +@@ -238,27 +283,17 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + if (ret) + break; + +- /* no device id here, thus it will always succeed */ +- mdev = (struct erofs_map_dev) { +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) { +- DBG_BUGON(1); +- break; +- } +- + /* + * trim to the needed size if the returned extent is quite + * larger than requested, and set up partial flag as well. + */ + if (end < map.m_la + map.m_llen) { + length = end - map.m_la; +- partial = true; ++ trimmed = true; + } else { + DBG_BUGON(end != map.m_la + map.m_llen); + length = map.m_llen; +- partial = !(map.m_flags & EROFS_MAP_FULL_MAPPED); ++ trimmed = false; + } + + if (map.m_la < offset) { +@@ -283,19 +318,8 @@ static int z_erofs_read_data(struct erofs_inode *inode, char *buffer, + break; + } + } +- ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map.m_plen); +- if (ret < 0) +- break; +- +- ret = z_erofs_decompress(&(struct z_erofs_decompress_req) { +- .in = raw, +- .out = buffer + end - offset, +- .decodedskip = skip, +- .inputsize = map.m_plen, +- .decodedlength = length, +- .alg = map.m_algorithmformat, +- .partial_decoding = partial +- }); ++ ret = z_erofs_read_one_data(inode, &map, raw, ++ buffer + end - offset, skip, length, trimmed); + if (ret < 0) + break; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch new file mode 100644 index 0000000000..4d190363b9 --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-2.patch @@ -0,0 +1,97 @@ +From 3a360e01058467573bd7239fa430d8dc5fbd60f4 Mon Sep 17 00:00:00 2001 +From: Yue Hu <huyue2@coolpad.com> +Date: Wed, 11 Jan 2023 09:49:27 +0800 +Subject: [PATCH 3/4] erofs-utils: fsck: cleanup erofs_verify_inode_data() + +Diretly call {z_}erofs_read_one_data() to avoid duplicated code. +Accordingly, fragment and partial-referenced plusters are also supported +after this change. + +Signed-off-by: Yue Hu <huyue2@coolpad.com> +Link: https://lore.kernel.org/r/115e61fc9c2d34cab6d3dd78383ac57c94a491fc.1673401718.git.huyue2@coolpad.com +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/commit/?id=87430c69e1d542928c4519e8fabfd6348a741999] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 53 ++++++++++------------------------------------------- + 1 file changed, 10 insertions(+), 43 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 2b6a6dd..92ef17a 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -366,7 +366,6 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + struct erofs_map_blocks map = { + .index = UINT_MAX, + }; +- struct erofs_map_dev mdev; + int ret = 0; + bool compressed; + erofs_off_t pos = 0; +@@ -427,51 +426,19 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + BUG_ON(!raw); + } + +- mdev = (struct erofs_map_dev) { +- .m_deviceid = map.m_deviceid, +- .m_pa = map.m_pa, +- }; +- ret = erofs_map_dev(&sbi, &mdev); +- if (ret) { +- erofs_err("failed to map device of m_pa %" PRIu64 ", m_deviceid %u @ nid %llu: %d", +- map.m_pa, map.m_deviceid, inode->nid | 0ULL, +- ret); +- goto out; +- } +- +- if (compressed && map.m_llen > buffer_size) { +- buffer_size = map.m_llen; +- buffer = realloc(buffer, buffer_size); +- BUG_ON(!buffer); +- } +- +- ret = dev_read(mdev.m_deviceid, raw, mdev.m_pa, map.m_plen); +- if (ret < 0) { +- erofs_err("failed to read data of m_pa %" PRIu64 ", m_plen %" PRIu64 " @ nid %llu: %d", +- mdev.m_pa, map.m_plen, inode->nid | 0ULL, +- ret); +- goto out; +- } +- + if (compressed) { +- struct z_erofs_decompress_req rq = { +- .in = raw, +- .out = buffer, +- .decodedskip = 0, +- .inputsize = map.m_plen, +- .decodedlength = map.m_llen, +- .alg = map.m_algorithmformat, +- .partial_decoding = 0 +- }; +- +- ret = z_erofs_decompress(&rq); +- if (ret < 0) { +- erofs_err("failed to decompress data of m_pa %" PRIu64 ", m_plen %" PRIu64 " @ nid %llu: %s", +- mdev.m_pa, map.m_plen, +- inode->nid | 0ULL, strerror(-ret)); +- goto out; ++ if (map.m_llen > buffer_size) { ++ buffer_size = map.m_llen; ++ buffer = realloc(buffer, buffer_size); ++ BUG_ON(!buffer); + } ++ ret = z_erofs_read_one_data(inode, &map, raw, buffer, ++ 0, map.m_llen, false); ++ } else { ++ ret = erofs_read_one_data(&map, raw, 0, map.m_plen); + } ++ if (ret) ++ goto out; + + if (outfd >= 0 && write(outfd, compressed ? buffer : raw, + map.m_llen) < 0) { +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch new file mode 100644 index 0000000000..c05d62c5dd --- /dev/null +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils/CVE-2023-33552-3.patch @@ -0,0 +1,127 @@ +From b4e155ba759ae389c5f71cd13d97eb3bcf2c1adf Mon Sep 17 00:00:00 2001 +From: Gao Xiang <hsiangkao@linux.alibaba.com> +Date: Fri, 2 Jun 2023 11:05:19 +0800 +Subject: [PATCH] erofs-utils: fsck: don't allocate/read too large extents + +Since some crafted EROFS filesystem images could have insane large +extents, which causes unexpected bahaviors when extracting data. + +Fix it by extracting large extents with a buffer of a reasonable +maximum size limit and reading multiple times instead. + +Note that only `--extract` option is impacted. + +CVE: CVE-2023-33552 +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552 +Reported-by: Chaoming Yang <lometsj@live.com> +Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X") +Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> +Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com + +CVE: CVE-2023-33552 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git/patch/?id=2145dff03dd3f3f74bcda3b52160fbad37f7fcfe] +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + fsck/main.c | 64 ++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 49 insertions(+), 15 deletions(-) + +diff --git a/fsck/main.c b/fsck/main.c +index 92ef17a..1bd1117 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + } + + while (pos < inode->i_size) { ++ unsigned int alloc_rawsize; ++ + map.m_la = pos; + if (compressed) + ret = z_erofs_map_blocks_iter(inode, &map, +@@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + if (!(map.m_flags & EROFS_MAP_MAPPED) || !fsckcfg.check_decomp) + continue; + +- if (map.m_plen > raw_size) { +- raw_size = map.m_plen; +- raw = realloc(raw, raw_size); +- BUG_ON(!raw); ++ if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) { ++ if (compressed) { ++ erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64, ++ map.m_plen, map.m_la, ++ inode->nid | 0ULL); ++ ret = -EFSCORRUPTED; ++ goto out; ++ } ++ alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE; ++ } else { ++ alloc_rawsize = map.m_plen; ++ } ++ ++ if (alloc_rawsize > raw_size) { ++ char *newraw = realloc(raw, alloc_rawsize); ++ ++ if (!newraw) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ raw = newraw; ++ raw_size = alloc_rawsize; + } + + if (compressed) { +@@ -434,18 +454,26 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd) + } + ret = z_erofs_read_one_data(inode, &map, raw, buffer, + 0, map.m_llen, false); +- } else { +- ret = erofs_read_one_data(&map, raw, 0, map.m_plen); +- } +- if (ret) +- goto out; ++ if (ret) ++ goto out; + +- if (outfd >= 0 && write(outfd, compressed ? buffer : raw, +- map.m_llen) < 0) { +- erofs_err("I/O error occurred when verifying data chunk @ nid %llu", +- inode->nid | 0ULL); +- ret = -EIO; +- goto out; ++ if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0) ++ goto fail_eio; ++ } else { ++ u64 p = 0; ++ do { ++ u64 count = min_t(u64, alloc_rawsize, ++ map.m_llen); ++ ++ ret = erofs_read_one_data(&map, raw, p, count); ++ if (ret) ++ goto out; ++ ++ if (outfd >= 0 && write(outfd, raw, count) < 0) ++ goto fail_eio; ++ map.m_llen -= count; ++ p += count; ++ } while (map.m_llen); + } + } + +@@ -461,6 +489,12 @@ out: + if (buffer) + free(buffer); + return ret < 0 ? ret : 0; ++ ++fail_eio: ++ erofs_err("I/O error occurred when verifying data chunk @ nid %llu", ++ inode->nid | 0ULL); ++ ret = -EIO; ++ goto out; + } + + static inline int erofs_extract_dir(struct erofs_inode *inode) +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb b/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb index 2b5861882d..d7e646a66c 100644 --- a/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb +++ b/poky/meta/recipes-devtools/erofs-utils/erofs-utils_1.5.bb @@ -10,6 +10,10 @@ SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git;b file://0001-configure-use-AC_SYS_LARGEFILE.patch \ file://0002-erofs-replace-l-stat64-by-equivalent-l-stat.patch \ file://0003-internal.h-Make-LFS-mandatory-for-all-usecases.patch \ + file://CVE-2023-33551.patch \ + file://CVE-2023-33552-1.patch \ + file://CVE-2023-33552-2.patch \ + file://CVE-2023-33552-3.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>(\d+(\.\d+)+))" diff --git a/poky/meta/recipes-devtools/file/file_5.44.bb b/poky/meta/recipes-devtools/file/file_5.45.bb index 3090d346ed..a7127023cb 100644 --- a/poky/meta/recipes-devtools/file/file_5.44.bb +++ b/poky/meta/recipes-devtools/file/file_5.45.bb @@ -13,7 +13,7 @@ DEPENDS:class-native = "bzip2-replacement-native" SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https" -SRCREV = "b92eed41b1bc0739c5c5d70c444e0c574429321b" +SRCREV = "4cbd5c8f0851201d203755b76cb66ba991ffd8be" S = "${WORKDIR}/git" inherit autotools update-alternatives @@ -45,9 +45,10 @@ do_install:append:class-native() { } do_install:append:class-nativesdk() { + create_wrapper ${D}/${bindir}/file MAGIC=${datadir}/misc/magic.mgc mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d cat <<- EOF > ${D}${SDKPATHNATIVE}/environment-setup.d/file.sh - export MAGIC="$OECORE_NATIVE_SYSROOT${datadir}/misc/magic.mgc" + export MAGIC="${datadir}/misc/magic.mgc" EOF } diff --git a/poky/meta/recipes-devtools/gcc/gcc-12.2.inc b/poky/meta/recipes-devtools/gcc/gcc-12.3.inc index 0dbbecad4a..5655b6f46d 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-12.2.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-12.3.inc @@ -2,11 +2,11 @@ require gcc-common.inc # Third digit in PV should be incremented after a minor release -PV = "12.2.0" +PV = "12.3.0" # BINV should be incremented to a revision after a minor gcc release -BINV = "12.2.0" +BINV = "12.3.0" FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc:${FILE_DIRNAME}/gcc/backport:" @@ -63,8 +63,10 @@ SRC_URI = "${BASEURI} \ file://0026-rust-recursion-limit.patch \ file://prefix-map-realpath.patch \ file://hardcoded-paths.patch \ + file://CVE-2023-4039.patch \ + file://0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch \ " -SRC_URI[sha256sum] = "e549cf9cf3594a00e27b6589d4322d70e0720cdd213f39beb4181e06926230ff" +SRC_URI[sha256sum] = "949a5d4f99e786421a93b532b22ffab5578de7321369975b91aec97adfda8c3b" S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/${SOURCEDIR}" B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}" diff --git a/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc b/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc index e4cdb73f0a..dba25eb754 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-configure-common.inc @@ -40,7 +40,6 @@ EXTRA_OECONF = "\ ${@get_gcc_mips_plt_setting(bb, d)} \ ${@get_gcc_ppc_plt_settings(bb, d)} \ ${@get_gcc_multiarch_setting(bb, d)} \ - --enable-standard-branch-protection \ " # glibc version is a minimum controlling whether features are enabled. diff --git a/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.3.bb index bf53c5cd78..bf53c5cd78 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-cross-canadian_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb index b43cca0c52..b43cca0c52 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-cross_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-cross_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc b/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc index bd2e71d63f..74c4537f4f 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-crosssdk.inc @@ -10,3 +10,5 @@ GCCMULTILIB = "--disable-multilib" DEPENDS = "virtual/${TARGET_PREFIX}binutils-crosssdk gettext-native ${NATIVEDEPS}" PROVIDES = "virtual/${TARGET_PREFIX}gcc-crosssdk virtual/${TARGET_PREFIX}g++-crosssdk" + +gcc_multilib_setup[vardepsexclude] = "MULTILIB_VARIANTS" diff --git a/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb index 40a6c4feff..40a6c4feff 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-crosssdk_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb index dd430b57eb..dd430b57eb 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-runtime_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-runtime_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.3.bb index 8bda2ccad6..8bda2ccad6 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-sanitizers_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb index b890fa33ea..b890fa33ea 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-source_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc-source_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc b/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc index f68fec58ed..64f60c730f 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-testsuite.inc @@ -51,9 +51,10 @@ python check_prepare() { # enable all valid instructions, since the test suite itself does not # limit itself to the target cpu options. # - valid for x86*, powerpc, arm, arm64 - if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "ppc", "arm", "aarch64"]: + if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "arm", "aarch64"]: args += ["-cpu", "max"] - + elif qemu_binary.lstrip("qemu-") in ["ppc"]: + args += d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')).split() sysroot = d.getVar("RECIPE_SYSROOT") args += ["-L", sysroot] # lib paths are static here instead of using $libdir since this is used by a -cross recipe diff --git a/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch b/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch new file mode 100644 index 0000000000..a408a98698 --- /dev/null +++ b/poky/meta/recipes-devtools/gcc/gcc/0026-aarch64-Fix-loose-ldpstp-check-PR111411.patch @@ -0,0 +1,117 @@ +From adb60dc78e0da4877747f32347cee339364775be Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Fri, 15 Sep 2023 09:19:14 +0100 +Subject: [PATCH] aarch64: Fix loose ldpstp check [PR111411] + +aarch64_operands_ok_for_ldpstp contained the code: + + /* One of the memory accesses must be a mempair operand. + If it is not the first one, they need to be swapped by the + peephole. */ + if (!aarch64_mem_pair_operand (mem_1, GET_MODE (mem_1)) + && !aarch64_mem_pair_operand (mem_2, GET_MODE (mem_2))) + return false; + +But the requirement isn't just that one of the accesses must be a +valid mempair operand. It's that the lower access must be, since +that's the access that will be used for the instruction operand. + +gcc/ + PR target/111411 + * config/aarch64/aarch64.cc (aarch64_operands_ok_for_ldpstp): Require + the lower memory access to a mem-pair operand. + +gcc/testsuite/ + PR target/111411 + * gcc.dg/rtl/aarch64/pr111411.c: New test. + +Upstream-Status: Backport [https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=2d38f45bcca62ca0c7afef4b579f82c5c2a01610] +Signed-off-by: Martin Jansa <martin.jansa@gmail.com> +--- + gcc/config/aarch64/aarch64.cc | 8 ++- + gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c | 57 +++++++++++++++++++++ + 2 files changed, 60 insertions(+), 5 deletions(-) + create mode 100644 gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 6118a3354ac..9b1f791ca8b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -26154,11 +26154,9 @@ aarch64_operands_ok_for_ldpstp (rtx *operands, bool load, + gcc_assert (known_eq (GET_MODE_SIZE (GET_MODE (mem_1)), + GET_MODE_SIZE (GET_MODE (mem_2)))); + +- /* One of the memory accesses must be a mempair operand. +- If it is not the first one, they need to be swapped by the +- peephole. */ +- if (!aarch64_mem_pair_operand (mem_1, GET_MODE (mem_1)) +- && !aarch64_mem_pair_operand (mem_2, GET_MODE (mem_2))) ++ /* The lower memory access must be a mem-pair operand. */ ++ rtx lower_mem = reversed ? mem_2 : mem_1; ++ if (!aarch64_mem_pair_operand (lower_mem, GET_MODE (lower_mem))) + return false; + + if (REG_P (reg_1) && FP_REGNUM_P (REGNO (reg_1))) +diff --git a/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c b/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c +new file mode 100644 +index 00000000000..ad07e9c6c89 +--- /dev/null ++++ b/gcc/testsuite/gcc.dg/rtl/aarch64/pr111411.c +@@ -0,0 +1,57 @@ ++/* { dg-do compile { target aarch64*-*-* } } */ ++/* { dg-require-effective-target lp64 } */ ++/* { dg-options "-O -fdisable-rtl-postreload -fpeephole2 -fno-schedule-fusion" } */ ++ ++extern int data[]; ++ ++void __RTL (startwith ("ira")) foo (void *ptr) ++{ ++ (function "foo" ++ (param "ptr" ++ (DECL_RTL (reg/v:DI <0> [ ptr ])) ++ (DECL_RTL_INCOMING (reg/v:DI x0 [ ptr ])) ++ ) ;; param "ptr" ++ (insn-chain ++ (block 2 ++ (edge-from entry (flags "FALLTHRU")) ++ (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK) ++ (insn 4 (set (reg:DI <0>) (reg:DI x0))) ++ (insn 5 (set (reg:DI <1>) ++ (plus:DI (reg:DI <0>) (const_int 768)))) ++ (insn 6 (set (mem:SI (plus:DI (reg:DI <0>) ++ (const_int 508)) [1 &data+508 S4 A4]) ++ (const_int 0))) ++ (insn 7 (set (mem:SI (plus:DI (reg:DI <1>) ++ (const_int -256)) [1 &data+512 S4 A4]) ++ (const_int 0))) ++ (edge-to exit (flags "FALLTHRU")) ++ ) ;; block 2 ++ ) ;; insn-chain ++ ) ;; function ++} ++ ++void __RTL (startwith ("ira")) bar (void *ptr) ++{ ++ (function "bar" ++ (param "ptr" ++ (DECL_RTL (reg/v:DI <0> [ ptr ])) ++ (DECL_RTL_INCOMING (reg/v:DI x0 [ ptr ])) ++ ) ;; param "ptr" ++ (insn-chain ++ (block 2 ++ (edge-from entry (flags "FALLTHRU")) ++ (cnote 3 [bb 2] NOTE_INSN_BASIC_BLOCK) ++ (insn 4 (set (reg:DI <0>) (reg:DI x0))) ++ (insn 5 (set (reg:DI <1>) ++ (plus:DI (reg:DI <0>) (const_int 768)))) ++ (insn 6 (set (mem:SI (plus:DI (reg:DI <1>) ++ (const_int -256)) [1 &data+512 S4 A4]) ++ (const_int 0))) ++ (insn 7 (set (mem:SI (plus:DI (reg:DI <0>) ++ (const_int 508)) [1 &data+508 S4 A4]) ++ (const_int 0))) ++ (edge-to exit (flags "FALLTHRU")) ++ ) ;; block 2 ++ ) ;; insn-chain ++ ) ;; function ++} diff --git a/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch b/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch new file mode 100644 index 0000000000..8cb52849cd --- /dev/null +++ b/poky/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch @@ -0,0 +1,3093 @@ +From: Richard Sandiford <richard.sandiford@arm.com> +Subject: [PATCH 00/19] aarch64: Fix -fstack-protector issue +Date: Tue, 12 Sep 2023 16:25:10 +0100 + +This series of patches fixes deficiencies in GCC's -fstack-protector +implementation for AArch64 when using dynamically allocated stack space. +This is CVE-2023-4039. See: + +https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 +https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf + +for more details. + +The fix is to put the saved registers above the locals area when +-fstack-protector is used. + +The series also fixes a stack-clash problem that I found while working +on the CVE. In unpatched sources, the stack-clash problem would only +trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an +equivalent). But it would be a more significant issue with the new +-fstack-protector frame layout. It's therefore important that both +problems are fixed together. + +Some reorganisation of the code seemed necessary to fix the problems in a +cleanish way. The series is therefore quite long, but only a handful of +patches should have any effect on code generation. + +See the individual patches for a detailed description. + +Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches. +I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039. + +CVE: CVE-2023-4039 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + + +From 62fbb215cc817e9f2c1ca80282a64f4ee30806bc Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:48 +0100 +Subject: [PATCH 01/19] aarch64: Use local frame vars in shrink-wrapping code + +aarch64_layout_frame uses a shorthand for referring to +cfun->machine->frame: + + aarch64_frame &frame = cfun->machine->frame; + +This patch does the same for some other heavy users of the structure. +No functional change intended. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_save_callee_saves): Use + a local shorthand for cfun->machine->frame. + (aarch64_restore_callee_saves, aarch64_get_separate_components): + (aarch64_process_components): Likewise. + (aarch64_allocate_and_probe_stack_space): Likewise. + (aarch64_expand_prologue, aarch64_expand_epilogue): Likewise. + (aarch64_layout_frame): Use existing shorthand for one more case. +--- + gcc/config/aarch64/aarch64.cc | 123 ++++++++++++++++++---------------- + 1 file changed, 64 insertions(+), 59 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 226dc9dffd4..ae42ffdedbe 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8351,7 +8351,7 @@ aarch64_layout_frame (void) + frame.is_scs_enabled + = (!crtl->calls_eh_return + && sanitize_flags_p (SANITIZE_SHADOW_CALL_STACK) +- && known_ge (cfun->machine->frame.reg_offset[LR_REGNUM], 0)); ++ && known_ge (frame.reg_offset[LR_REGNUM], 0)); + + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, and we don't need to pop x30 again in the traditional +@@ -8763,6 +8763,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx_insn *insn; + unsigned regno; + unsigned regno2; +@@ -8777,8 +8778,8 @@ aarch64_save_callee_saves (poly_int64 start_offset, + bool frame_related_p = aarch64_emit_cfi_for_reg_p (regno); + + if (skip_wb +- && (regno == cfun->machine->frame.wb_push_candidate1 +- || regno == cfun->machine->frame.wb_push_candidate2)) ++ && (regno == frame.wb_push_candidate1 ++ || regno == frame.wb_push_candidate2)) + continue; + + if (cfun->machine->reg_is_wrapped_separately[regno]) +@@ -8786,7 +8787,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8799,7 +8800,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + { + gcc_assert (known_eq (start_offset, 0)); + poly_int64 fp_offset +- = cfun->machine->frame.below_hard_fp_saved_regs_size; ++ = frame.below_hard_fp_saved_regs_size; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8821,8 +8822,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -8872,6 +8872,7 @@ static void + aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { ++ aarch64_frame &frame = cfun->machine->frame; + unsigned regno; + unsigned regno2; + poly_int64 offset; +@@ -8888,13 +8889,13 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + rtx reg, mem; + + if (skip_wb +- && (regno == cfun->machine->frame.wb_pop_candidate1 +- || regno == cfun->machine->frame.wb_pop_candidate2)) ++ && (regno == frame.wb_pop_candidate1 ++ || regno == frame.wb_pop_candidate2)) + continue; + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -8905,8 +8906,7 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -9011,6 +9011,7 @@ offset_12bit_unsigned_scaled_p (machine_mode mode, poly_int64 offset) + static sbitmap + aarch64_get_separate_components (void) + { ++ aarch64_frame &frame = cfun->machine->frame; + sbitmap components = sbitmap_alloc (LAST_SAVED_REGNUM + 1); + bitmap_clear (components); + +@@ -9027,18 +9028,18 @@ aarch64_get_separate_components (void) + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + continue; + +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + + /* If the register is saved in the first SVE save slot, we use + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection +- && maybe_ne (cfun->machine->frame.below_hard_fp_saved_regs_size, 0) ++ && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) + && known_eq (offset, 0)) + continue; + + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -9057,11 +9058,11 @@ aarch64_get_separate_components (void) + /* If the spare predicate register used by big-endian SVE code + is call-preserved, it must be saved in the main prologue + before any saves that use it. */ +- if (cfun->machine->frame.spare_pred_reg != INVALID_REGNUM) +- bitmap_clear_bit (components, cfun->machine->frame.spare_pred_reg); ++ if (frame.spare_pred_reg != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.spare_pred_reg); + +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; + /* If registers have been chosen to be stored/restored with + writeback don't interfere with them to avoid having to output explicit + stack adjustment instructions. */ +@@ -9170,6 +9171,7 @@ aarch64_get_next_set_bit (sbitmap bmp, unsigned int start) + static void + aarch64_process_components (sbitmap components, bool prologue_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx ptr_reg = gen_rtx_REG (Pmode, frame_pointer_needed + ? HARD_FRAME_POINTER_REGNUM + : STACK_POINTER_REGNUM); +@@ -9184,9 +9186,9 @@ aarch64_process_components (sbitmap components, bool prologue_p) + machine_mode mode = aarch64_reg_save_mode (regno); + + rtx reg = gen_rtx_REG (mode, regno); +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -9211,14 +9213,14 @@ aarch64_process_components (sbitmap components, bool prologue_p) + break; + } + +- poly_int64 offset2 = cfun->machine->frame.reg_offset[regno2]; ++ poly_int64 offset2 = frame.reg_offset[regno2]; + /* The next register is not of the same class or its offset is not + mergeable with the current one into a pair. */ + if (aarch64_sve_mode_p (mode) + || !satisfies_constraint_Ump (mem) + || GP_REGNUM_P (regno) != GP_REGNUM_P (regno2) + || (crtl->abi->id () == ARM_PCS_SIMD && FP_REGNUM_P (regno)) +- || maybe_ne ((offset2 - cfun->machine->frame.reg_offset[regno]), ++ || maybe_ne ((offset2 - frame.reg_offset[regno]), + GET_MODE_SIZE (mode))) + { + insn = emit_insn (set); +@@ -9240,7 +9242,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset2 -= frame.below_hard_fp_saved_regs_size; + else + offset2 += crtl->outgoing_args_size; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); +@@ -9335,6 +9337,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + bool frame_related_p, + bool final_adjustment_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; +@@ -9355,25 +9358,25 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + register as a probe. We can't assume that LR was saved at position 0 + though, so treat any space below it as unprobed. */ + if (final_adjustment_p +- && known_eq (cfun->machine->frame.below_hard_fp_saved_regs_size, 0)) ++ && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = cfun->machine->frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else + gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); + } + +- poly_int64 frame_size = cfun->machine->frame.frame_size; ++ poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. */ + gcc_assert (min_probe_threshold > 0); + + if (flag_stack_clash_protection && !final_adjustment_p) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; + + if (known_eq (frame_size, 0)) + { +@@ -9662,17 +9665,18 @@ aarch64_epilogue_uses (int regno) + void + aarch64_expand_prologue (void) + { +- poly_int64 frame_size = cfun->machine->frame.frame_size; +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 frame_size = frame.frame_size; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; +- bool emit_frame_chain = cfun->machine->frame.emit_frame_chain; ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; ++ bool emit_frame_chain = frame.emit_frame_chain; + rtx_insn *insn; + + if (flag_stack_clash_protection && known_eq (callee_adjust, 0)) +@@ -9703,7 +9707,7 @@ aarch64_expand_prologue (void) + } + + /* Push return address to shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + emit_insn (gen_scs_push ()); + + if (flag_stack_usage_info) +@@ -9742,7 +9746,7 @@ aarch64_expand_prologue (void) + + /* The offset of the frame chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - cfun->machine->frame.hard_fp_offset); ++ - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + + /* The offset of the bottom of the save area from the current SP. */ +@@ -9845,16 +9849,17 @@ aarch64_use_return_insn_p (void) + void + aarch64_expand_epilogue (bool for_sibcall) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_pop_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_pop_candidate2; +- unsigned int last_gpr = (cfun->machine->frame.is_scs_enabled ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_pop_candidate1; ++ unsigned reg2 = frame.wb_pop_candidate2; ++ unsigned int last_gpr = (frame.is_scs_enabled + ? R29_REGNUM : R30_REGNUM); + rtx cfi_ops = NULL; + rtx_insn *insn; +@@ -9888,7 +9893,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* We need to add memory barrier to prevent read from deallocated stack. */ + bool need_barrier_p + = maybe_ne (get_frame_size () +- + cfun->machine->frame.saved_varargs_size, 0); ++ + frame.saved_varargs_size, 0); + + /* Emit a barrier to prevent loads from a deallocated stack. */ + if (maybe_gt (final_adjust, crtl->outgoing_args_size) +@@ -9969,7 +9974,7 @@ aarch64_expand_epilogue (bool for_sibcall) + } + + /* Pop return address from shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + { + machine_mode mode = aarch64_reg_save_mode (R30_REGNUM); + rtx reg = gen_rtx_REG (mode, R30_REGNUM); +@@ -12564,24 +12569,24 @@ aarch64_can_eliminate (const int from ATTRIBUTE_UNUSED, const int to) + poly_int64 + aarch64_initial_elimination_offset (unsigned from, unsigned to) + { ++ aarch64_frame &frame = cfun->machine->frame; ++ + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset; ++ return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset +- - cfun->machine->frame.locals_offset; ++ return frame.hard_fp_offset - frame.locals_offset; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.frame_size +- - cfun->machine->frame.locals_offset; ++ return frame.frame_size - frame.locals_offset; + } + +- return cfun->machine->frame.frame_size; ++ return frame.frame_size; + } + + +-- +2.34.1 + + +From 12a8889de169f892d2e927584c00d20b8b7e456f Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 02/19] aarch64: Avoid a use of callee_offset + +When we emit the frame chain, i.e. when we reach Here in this statement +of aarch64_expand_prologue: + + if (emit_frame_chain) + { + // Here + ... + } + +the stack is in one of two states: + +- We've allocated up to the frame chain, but no more. + +- We've allocated the whole frame, and the frame chain is within easy + reach of the new SP. + +The offset of the frame chain from the current SP is available +in aarch64_frame as callee_offset. It is also available as the +chain_offset local variable, where the latter is calculated from other +data. (However, chain_offset is not always equal to callee_offset when +!emit_frame_chain, so chain_offset isn't redundant.) + +In c600df9a4060da3c6121ff4d0b93f179eafd69d1 I switched to using +chain_offset for the initialisation of the hard frame pointer: + + aarch64_add_offset (Pmode, hard_frame_pointer_rtx, +- stack_pointer_rtx, callee_offset, ++ stack_pointer_rtx, chain_offset, + tmp1_rtx, tmp0_rtx, frame_pointer_needed); + +But the later REG_CFA_ADJUST_CFA handling still used callee_offset. + +I think the difference is harmless, but it's more logical for the +CFA note to be in sync, and it's more convenient for later patches +if it uses chain_offset. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Use + chain_offset rather than callee_offset. +--- + gcc/config/aarch64/aarch64.cc | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index ae42ffdedbe..79253322fd7 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9670,7 +9670,6 @@ aarch64_expand_prologue (void) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size + = frame.below_hard_fp_saved_regs_size; +@@ -9783,8 +9782,7 @@ aarch64_expand_prologue (void) + implicit. */ + if (!find_reg_note (insn, REG_CFA_ADJUST_CFA, NULL_RTX)) + { +- rtx src = plus_constant (Pmode, stack_pointer_rtx, +- callee_offset); ++ rtx src = plus_constant (Pmode, stack_pointer_rtx, chain_offset); + add_reg_note (insn, REG_CFA_ADJUST_CFA, + gen_rtx_SET (hard_frame_pointer_rtx, src)); + } +-- +2.34.1 + + +From 03d5e89e7f3be53fd7142556e8e0a2774c653dca Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 03/19] aarch64: Explicitly handle frames with no saved + registers + +If a frame has no saved registers, it can be allocated in one go. +There is no need to treat the areas below and above the saved +registers as separate. + +And if we allocate the frame in one go, it should be allocated +as the initial_adjust rather than the final_adjust. This allows the +frame size to grow to guard_size - guard_used_by_caller before a stack +probe is needed. (A frame with no register saves is necessarily a +leaf frame.) + +This is a no-op as thing stand, since a leaf function will have +no outgoing arguments, and so all the frame will be above where +the saved registers normally go. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Explicitly + allocate the frame in one go if there are no saved registers. +--- + gcc/config/aarch64/aarch64.cc | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 79253322fd7..e1f21230c15 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8378,9 +8378,11 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; +- if (frame.frame_size.is_constant (&const_size) +- && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ if (known_eq (frame.saved_regs_size, 0)) ++ frame.initial_adjust = frame.frame_size; ++ else if (frame.frame_size.is_constant (&const_size) ++ && const_size < max_push_offset ++ && known_eq (frame.hard_fp_offset, const_size)) + { + /* Simple, small frame with no outgoing arguments: + +-- +2.34.1 + + +From 49c2eb7616756c323b7f6b18d8616ec945eb1263 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:49 +0100 +Subject: [PATCH 04/19] aarch64: Add bytes_below_saved_regs to frame info + +The frame layout code currently hard-codes the assumption that +the number of bytes below the saved registers is equal to the +size of the outgoing arguments. This patch abstracts that +value into a new field of aarch64_frame. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_saved_regs): New + field. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it, + and use it instead of crtl->outgoing_args_size. + (aarch64_get_separate_components): Use bytes_below_saved_regs instead + of outgoing_args_size. + (aarch64_process_components): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 71 ++++++++++++++++++----------------- + gcc/config/aarch64/aarch64.h | 5 +++ + 2 files changed, 41 insertions(+), 35 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index e1f21230c15..94e1b686584 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8217,6 +8217,8 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + ++ frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small + offset range. These saves happen below the hard frame pointer. */ +@@ -8321,18 +8323,18 @@ aarch64_layout_frame (void) + + poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; + +- poly_int64 above_outgoing_args ++ poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + + frame.hard_fp_offset +- = above_outgoing_args - frame.below_hard_fp_saved_regs_size; ++ = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. */ +- gcc_assert (multiple_p (crtl->outgoing_args_size, ++ gcc_assert (multiple_p (frame.bytes_below_saved_regs, + STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = above_outgoing_args + crtl->outgoing_args_size; ++ frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + + frame.locals_offset = frame.saved_varargs_size; + +@@ -8376,7 +8378,7 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; +@@ -8384,31 +8386,31 @@ aarch64_layout_frame (void) + && const_size < max_push_offset + && known_eq (frame.hard_fp_offset, const_size)) + { +- /* Simple, small frame with no outgoing arguments: ++ /* Simple, small frame with no data below the saved registers. + + stp reg1, reg2, [sp, -frame_size]! + stp reg3, reg4, [sp, 16] */ + frame.callee_adjust = const_size; + } +- else if (crtl->outgoing_args_size.is_constant (&const_outgoing_args_size) ++ else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) + && frame.saved_regs_size.is_constant (&const_saved_regs_size) +- && const_outgoing_args_size + const_saved_regs_size < 512 +- /* We could handle this case even with outgoing args, provided +- that the number of args left us with valid offsets for all +- predicate and vector save slots. It's such a rare case that +- it hardly seems worth the effort though. */ +- && (!saves_below_hard_fp_p || const_outgoing_args_size == 0) ++ && const_below_saved_regs + const_saved_regs_size < 512 ++ /* We could handle this case even with data below the saved ++ registers, provided that that data left us with valid offsets ++ for all predicate and vector save slots. It's such a rare ++ case that it hardly seems worth the effort though. */ ++ && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca + && frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset)) + { +- /* Frame with small outgoing arguments: ++ /* Frame with small area below the saved registers: + + sub sp, sp, frame_size +- stp reg1, reg2, [sp, outgoing_args_size] +- stp reg3, reg4, [sp, outgoing_args_size + 16] */ ++ stp reg1, reg2, [sp, bytes_below_saved_regs] ++ stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_outgoing_args_size; ++ frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -8418,30 +8420,29 @@ aarch64_layout_frame (void) + + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = (frame.hard_fp_offset + + frame.below_hard_fp_saved_regs_size); +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset) + { +- /* Frame with large outgoing arguments or SVE saves, but with +- a small local area: ++ /* Frame with large area below the saved registers, or with SVE saves, ++ but with a small area above: + + stp reg1, reg2, [sp, -hard_fp_offset]! + stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else + { +- /* Frame with large local area and outgoing arguments or SVE saves, +- using frame pointer: ++ /* General case: + + sub sp, sp, hard_fp_offset + stp x29, x30, [sp, 0] +@@ -8449,10 +8450,10 @@ aarch64_layout_frame (void) + stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = frame.hard_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + + /* Make sure the individual adjustments add up to the full frame size. */ +@@ -9043,7 +9044,7 @@ aarch64_get_separate_components (void) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. */ +@@ -9192,7 +9193,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -9246,7 +9247,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset2 -= frame.below_hard_fp_saved_regs_size; + else +- offset2 += crtl->outgoing_args_size; ++ offset2 += frame.bytes_below_saved_regs; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) +@@ -9320,10 +9321,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void) + registers. If POLY_SIZE is not large enough to require a probe this function + will only adjust the stack. When allocating the stack space + FRAME_RELATED_P is then used to indicate if the allocation is frame related. +- FINAL_ADJUSTMENT_P indicates whether we are allocating the outgoing +- arguments. If we are then we ensure that any allocation larger than the ABI +- defined buffer needs a probe so that the invariant of having a 1KB buffer is +- maintained. ++ FINAL_ADJUSTMENT_P indicates whether we are allocating the area below ++ the saved registers. If we are then we ensure that any allocation ++ larger than the ABI defined buffer needs a probe so that the ++ invariant of having a 1KB buffer is maintained. + + We emit barriers after each stack adjustment to prevent optimizations from + breaking the invariant that we never drop the stack more than a page. This +@@ -9532,7 +9533,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to + be probed. This maintains the requirement that each page is probed at + least once. For initial probing we probe only if the allocation is +- more than GUARD_SIZE - buffer, and for the outgoing arguments we probe ++ more than GUARD_SIZE - buffer, and below the saved registers we probe + if the amount is larger than buffer. GUARD_SIZE - buffer + buffer == + GUARD_SIZE. This works that for any allocation that is large enough to + trigger a probe here, we'll have at least one, and if they're not large +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 6834c3e9922..1e105e12db8 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -871,6 +871,11 @@ struct GTY (()) aarch64_frame + /* The size of the callee-save registers with a slot in REG_OFFSET. */ + poly_int64 saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the bottom of the register save area. ++ This value is always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_saved_regs; ++ + /* The size of the callee-save registers with a slot in REG_OFFSET that + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; +-- +2.34.1 + + +From 34081079ea4de0c98331843f574b5f6f94d7b234 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:50 +0100 +Subject: [PATCH 05/19] aarch64: Add bytes_below_hard_fp to frame info + +Following on from the previous bytes_below_saved_regs patch, this one +records the number of bytes that are below the hard frame pointer. +This eventually replaces below_hard_fp_saved_regs_size. + +If a frame pointer is not needed, the epilogue adds final_adjust +to the stack pointer before restoring registers: + + aarch64_add_sp (tmp1_rtx, tmp0_rtx, final_adjust, true); + +Therefore, if the epilogue needs to restore the stack pointer from +the hard frame pointer, the directly corresponding offset is: + + -bytes_below_hard_fp + final_adjust + +i.e. go from the hard frame pointer to the bottom of the frame, +then add the same amount as if we were using the stack pointer +from the outset. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New + field. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it. + (aarch64_expand_epilogue): Use it instead of + below_hard_fp_saved_regs_size. +--- + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 5 +++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 94e1b686584..c7d84245fbf 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8269,6 +8269,7 @@ aarch64_layout_frame (void) + of the callee save area. */ + bool saves_below_hard_fp_p = maybe_ne (offset, 0); + frame.below_hard_fp_saved_regs_size = offset; ++ frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +@@ -9856,8 +9857,7 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 final_adjust = frame.final_adjust; + poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_pop_candidate1; + unsigned reg2 = frame.wb_pop_candidate2; + unsigned int last_gpr = (frame.is_scs_enabled +@@ -9915,7 +9915,7 @@ aarch64_expand_epilogue (bool for_sibcall) + is restored on the instruction doing the writeback. */ + aarch64_add_offset (Pmode, stack_pointer_rtx, + hard_frame_pointer_rtx, +- -callee_offset - below_hard_fp_saved_regs_size, ++ -bytes_below_hard_fp + final_adjust, + tmp1_rtx, tmp0_rtx, callee_adjust == 0); + else + /* The case where we need to re-use the register here is very rare, so +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 1e105e12db8..de68ff7202f 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -880,6 +880,11 @@ struct GTY (()) aarch64_frame + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the hard frame pointer. This value is ++ always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_hard_fp; ++ + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ +-- +2.34.1 + + +From 187861af7c51db9eddc6f954b589c121b210fc74 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:50 +0100 +Subject: [PATCH 06/19] aarch64: Tweak aarch64_save/restore_callee_saves + +aarch64_save_callee_saves and aarch64_restore_callee_saves took +a parameter called start_offset that gives the offset of the +bottom of the saved register area from the current stack pointer. +However, it's more convenient for later patches if we use the +bottom of the entire frame as the reference point, rather than +the bottom of the saved registers. + +Doing that removes the need for the callee_offset field. +Other than that, this is not a win on its own. It only really +makes sense in combination with the follow-on patches. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::callee_offset): Delete. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Remove + callee_offset handling. + (aarch64_save_callee_saves): Replace the start_offset parameter + with a bytes_below_sp parameter. + (aarch64_restore_callee_saves): Likewise. + (aarch64_expand_prologue): Update accordingly. + (aarch64_expand_epilogue): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 56 +++++++++++++++++------------------ + gcc/config/aarch64/aarch64.h | 4 --- + 2 files changed, 28 insertions(+), 32 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index c7d84245fbf..e79551af41d 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8343,7 +8343,6 @@ aarch64_layout_frame (void) + frame.final_adjust = 0; + frame.callee_adjust = 0; + frame.sve_callee_adjust = 0; +- frame.callee_offset = 0; + + frame.wb_pop_candidate1 = frame.wb_push_candidate1; + frame.wb_pop_candidate2 = frame.wb_push_candidate2; +@@ -8411,7 +8410,6 @@ aarch64_layout_frame (void) + stp reg1, reg2, [sp, bytes_below_saved_regs] + stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -8758,12 +8756,13 @@ aarch64_add_cfa_expression (rtx_insn *insn, rtx reg, + } + + /* Emit code to save the callee-saved registers from register number START +- to LIMIT to the stack at the location starting at offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. HARD_FP_VALID_P +- is true if the hard frame pointer has been set up. */ ++ to LIMIT to the stack. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. HARD_FP_VALID_P is true if the hard ++ frame pointer has been set up. */ + + static void +-aarch64_save_callee_saves (poly_int64 start_offset, ++aarch64_save_callee_saves (poly_int64 bytes_below_sp, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { +@@ -8791,7 +8790,9 @@ aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8802,9 +8803,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + else if (GP_REGNUM_P (regno) + && (!offset.is_constant (&const_offset) || const_offset >= 512)) + { +- gcc_assert (known_eq (start_offset, 0)); +- poly_int64 fp_offset +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 fp_offset = frame.bytes_below_hard_fp - bytes_below_sp; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8868,12 +8867,13 @@ aarch64_save_callee_saves (poly_int64 start_offset, + } + + /* Emit code to restore the callee registers from register number START +- up to and including LIMIT. Restore from the stack offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. Write the +- appropriate REG_CFA_RESTORE notes into CFI_OPS. */ ++ up to and including LIMIT. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. Write the appropriate REG_CFA_RESTORE ++ notes into CFI_OPS. */ + + static void +-aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, ++aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { + aarch64_frame &frame = cfun->machine->frame; +@@ -8899,7 +8899,9 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -9675,8 +9677,6 @@ aarch64_expand_prologue (void) + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; + unsigned reg1 = frame.wb_push_candidate1; + unsigned reg2 = frame.wb_push_candidate2; + bool emit_frame_chain = frame.emit_frame_chain; +@@ -9752,8 +9752,8 @@ aarch64_expand_prologue (void) + - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + +- /* The offset of the bottom of the save area from the current SP. */ +- poly_int64 saved_regs_offset = chain_offset - below_hard_fp_saved_regs_size; ++ /* The offset of the current SP from the bottom of the static frame. */ ++ poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { +@@ -9761,7 +9761,7 @@ aarch64_expand_prologue (void) + { + reg1 = R29_REGNUM; + reg2 = R30_REGNUM; +- aarch64_save_callee_saves (saved_regs_offset, reg1, reg2, ++ aarch64_save_callee_saves (bytes_below_sp, reg1, reg2, + false, false); + } + else +@@ -9801,7 +9801,7 @@ aarch64_expand_prologue (void) + emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + +- aarch64_save_callee_saves (saved_regs_offset, R0_REGNUM, R30_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, R0_REGNUM, R30_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + if (maybe_ne (sve_callee_adjust, 0)) +@@ -9811,16 +9811,17 @@ aarch64_expand_prologue (void) + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, + sve_callee_adjust, + !frame_pointer_needed, false); +- saved_regs_offset += sve_callee_adjust; ++ bytes_below_sp -= sve_callee_adjust; + } +- aarch64_save_callee_saves (saved_regs_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, P0_REGNUM, P15_REGNUM, + false, emit_frame_chain); +- aarch64_save_callee_saves (saved_regs_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, V0_REGNUM, V31_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + + /* We may need to probe the final adjustment if it is larger than the guard + that is assumed by the called. */ ++ gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); + } +@@ -9855,7 +9856,6 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_pop_candidate1; +@@ -9925,9 +9925,9 @@ aarch64_expand_epilogue (bool for_sibcall) + + /* Restore the vector registers before the predicate registers, + so that we can use P4 as a temporary for big-endian SVE frames. */ +- aarch64_restore_callee_saves (callee_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, V0_REGNUM, V31_REGNUM, + callee_adjust != 0, &cfi_ops); +- aarch64_restore_callee_saves (callee_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, P0_REGNUM, P15_REGNUM, + false, &cfi_ops); + if (maybe_ne (sve_callee_adjust, 0)) + aarch64_add_sp (NULL_RTX, NULL_RTX, sve_callee_adjust, true); +@@ -9935,7 +9935,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, we don't need to restore x30 again in the traditional + way. */ +- aarch64_restore_callee_saves (callee_offset - sve_callee_adjust, ++ aarch64_restore_callee_saves (final_adjust + sve_callee_adjust, + R0_REGNUM, last_gpr, + callee_adjust != 0, &cfi_ops); + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index de68ff7202f..94fca4b9471 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -907,10 +907,6 @@ struct GTY (()) aarch64_frame + It is zero when no push is used. */ + HOST_WIDE_INT callee_adjust; + +- /* The offset from SP to the callee-save registers after initial_adjust. +- It may be non-zero if no push is used (ie. callee_adjust == 0). */ +- poly_int64 callee_offset; +- + /* The size of the stack adjustment before saving or after restoring + SVE registers. */ + poly_int64 sve_callee_adjust; +-- +2.34.1 + + +From 2b983f9064d808daf909bde1d4a13980934a7e6e Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:51 +0100 +Subject: [PATCH 07/19] aarch64: Only calculate chain_offset if there is a + chain + +After previous patches, it is no longer necessary to calculate +a chain_offset in cases where there is no chain record. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Move the + calculation of chain_offset into the emit_frame_chain block. +--- + gcc/config/aarch64/aarch64.cc | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index e79551af41d..d71a042d611 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9747,16 +9747,16 @@ aarch64_expand_prologue (void) + if (callee_adjust != 0) + aarch64_push_regs (reg1, reg2, callee_adjust); + +- /* The offset of the frame chain record (if any) from the current SP. */ +- poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); +- gcc_assert (known_ge (chain_offset, 0)); +- + /* The offset of the current SP from the bottom of the static frame. */ + poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { ++ /* The offset of the frame chain record (if any) from the current SP. */ ++ poly_int64 chain_offset = (initial_adjust + callee_adjust ++ - frame.hard_fp_offset); ++ gcc_assert (known_ge (chain_offset, 0)); ++ + if (callee_adjust == 0) + { + reg1 = R29_REGNUM; +-- +2.34.1 + + +From 0a0a824808d1dec51004fb5805c1a0ae2a35433f Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:51 +0100 +Subject: [PATCH 08/19] aarch64: Rename locals_offset to bytes_above_locals +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +locals_offset was described as: + + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ + +This is implicitly an “upside down” view of the frame: the incoming +SP is at offset 0, and anything N bytes below the incoming SP is at +offset N (rather than -N). + +However, reg_offset instead uses a “right way up” view; that is, +it views offsets in address terms. Something above X is at a +positive offset from X and something below X is at a negative +offset from X. + +Also, even on FRAME_GROWS_DOWNWARD targets like AArch64, +target-independent code views offsets in address terms too: +locals are allocated at negative offsets to virtual_stack_vars. + +It seems confusing to have *_offset fields of the same structure +using different polarities like this. This patch tries to avoid +that by renaming locals_offset to bytes_above_locals. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to... + (aarch64_frame::bytes_above_locals): ...this. + * config/aarch64/aarch64.cc (aarch64_layout_frame) + (aarch64_initial_elimination_offset): Update accordingly. +--- + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index d71a042d611..d4ec352ba98 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8337,7 +8337,7 @@ aarch64_layout_frame (void) + STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + +- frame.locals_offset = frame.saved_varargs_size; ++ frame.bytes_above_locals = frame.saved_varargs_size; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +@@ -12578,13 +12578,13 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.locals_offset; ++ return frame.hard_fp_offset - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return frame.frame_size - frame.locals_offset; ++ return frame.frame_size - frame.bytes_above_locals; + } + + return frame.frame_size; +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 94fca4b9471..bf46e6124aa 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -885,10 +885,10 @@ struct GTY (()) aarch64_frame + always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_hard_fp; + +- /* Offset from the base of the frame (incomming SP) to the +- top of the locals area. This value is always a multiple of ++ /* The number of bytes between the top of the locals area and the top ++ of the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. */ +- poly_int64 locals_offset; ++ poly_int64 bytes_above_locals; + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. This value is always a multiple of +-- +2.34.1 + + +From 3fbf0789202b30a67b12e1fb785c7130f098d665 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:52 +0100 +Subject: [PATCH 09/19] aarch64: Rename hard_fp_offset to bytes_above_hard_fp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Similarly to the previous locals_offset patch, hard_fp_offset +was described as: + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. This value is always a multiple of + STACK_BOUNDARY. */ + poly_int64 hard_fp_offset; + +which again took an “upside-down” view: higher offsets meant lower +addresses. This patch renames the field to bytes_above_hard_fp instead. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename + to... + (aarch64_frame::bytes_above_hard_fp): ...this. + * config/aarch64/aarch64.cc (aarch64_layout_frame) + (aarch64_expand_prologue): Update accordingly. + (aarch64_initial_elimination_offset): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 26 +++++++++++++------------- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index d4ec352ba98..3c4052740e7 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8329,7 +8329,7 @@ aarch64_layout_frame (void) + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.hard_fp_offset ++ frame.bytes_above_hard_fp + = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. */ +@@ -8378,13 +8378,13 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ && known_eq (frame.bytes_above_hard_fp, const_size)) + { + /* Simple, small frame with no data below the saved registers. + +@@ -8401,8 +8401,8 @@ aarch64_layout_frame (void) + case that it hardly seems worth the effort though. */ + && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca +- && frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset)) ++ && frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset)) + { + /* Frame with small area below the saved registers: + +@@ -8420,12 +8420,12 @@ aarch64_layout_frame (void) + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.hard_fp_offset ++ frame.initial_adjust = (frame.bytes_above_hard_fp + + frame.below_hard_fp_saved_regs_size); + frame.final_adjust = frame.bytes_below_saved_regs; + } +- else if (frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset) ++ else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset) + { + /* Frame with large area below the saved registers, or with SVE saves, + but with a small area above: +@@ -8435,7 +8435,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ +- frame.callee_adjust = const_fp_offset; ++ frame.callee_adjust = const_above_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -8450,7 +8450,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = frame.hard_fp_offset; ++ frame.initial_adjust = frame.bytes_above_hard_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -9754,7 +9754,7 @@ aarch64_expand_prologue (void) + { + /* The offset of the frame chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); ++ - frame.bytes_above_hard_fp); + gcc_assert (known_ge (chain_offset, 0)); + + if (callee_adjust == 0) +@@ -12575,10 +12575,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return frame.hard_fp_offset; ++ return frame.bytes_above_hard_fp; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.bytes_above_locals; ++ return frame.bytes_above_hard_fp - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index bf46e6124aa..dd1f403f939 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -890,10 +890,10 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_locals; + +- /* Offset from the base of the frame (incomming SP) to the +- hard_frame_pointer. This value is always a multiple of ++ /* The number of bytes between the hard_frame_pointer and the top of ++ the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. */ +- poly_int64 hard_fp_offset; ++ poly_int64 bytes_above_hard_fp; + + /* The size of the frame. This value is the offset from base of the + frame (incomming SP) to the stack_pointer. This value is always +-- +2.34.1 + + +From aac8b31379ac3bbd14fc6427dce23f56e54e8485 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:52 +0100 +Subject: [PATCH 10/19] aarch64: Tweak frame_size comment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes another case in which a value was described with +an “upside-down” view. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::frame_size): Tweak comment. +--- + gcc/config/aarch64/aarch64.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index dd1f403f939..700524ae22b 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -895,8 +895,8 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_hard_fp; + +- /* The size of the frame. This value is the offset from base of the +- frame (incomming SP) to the stack_pointer. This value is always ++ /* The size of the frame, i.e. the number of bytes between the bottom ++ of the outgoing arguments and the incoming SP. This value is always + a multiple of STACK_BOUNDARY. */ + poly_int64 frame_size; + +-- +2.34.1 + + +From 8d5506a8aeb8dd7e8b209a3663b07688478f76b9 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:53 +0100 +Subject: [PATCH 11/19] aarch64: Measure reg_offset from the bottom of the + frame + +reg_offset was measured from the bottom of the saved register area. +This made perfect sense with the original layout, since the bottom +of the saved register area was also the hard frame pointer address. +It became slightly less obvious with SVE, since we save SVE +registers below the hard frame pointer, but it still made sense. + +However, if we want to allow different frame layouts, it's more +convenient and obvious to measure reg_offset from the bottom of +the frame. After previous patches, it's also a slight simplification +in its own right. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame): Add comment above + reg_offset. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Walk offsets + from the bottom of the frame, rather than the bottom of the saved + register area. Measure reg_offset from the bottom of the frame + rather than the bottom of the saved register area. + (aarch64_save_callee_saves): Update accordingly. + (aarch64_restore_callee_saves): Likewise. + (aarch64_get_separate_components): Likewise. + (aarch64_process_components): Likewise. +--- + gcc/config/aarch64/aarch64.cc | 53 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 3 ++ + 2 files changed, 27 insertions(+), 29 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 3c4052740e7..97dd077844b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8139,7 +8139,6 @@ aarch64_needs_frame_chain (void) + static void + aarch64_layout_frame (void) + { +- poly_int64 offset = 0; + int regno, last_fp_reg = INVALID_REGNUM; + machine_mode vector_save_mode = aarch64_reg_save_mode (V8_REGNUM); + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); +@@ -8217,7 +8216,9 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + +- frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ poly_int64 offset = crtl->outgoing_args_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.bytes_below_saved_regs = offset; + + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -8229,7 +8230,8 @@ aarch64_layout_frame (void) + offset += BYTES_PER_SVE_PRED; + } + +- if (maybe_ne (offset, 0)) ++ poly_int64 saved_prs_size = offset - frame.bytes_below_saved_regs; ++ if (maybe_ne (saved_prs_size, 0)) + { + /* If we have any vector registers to save above the predicate registers, + the offset of the vector register save slots need to be a multiple +@@ -8247,10 +8249,10 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + else + { +- if (known_le (offset, vector_save_size)) +- offset = vector_save_size; +- else if (known_le (offset, vector_save_size * 2)) +- offset = vector_save_size * 2; ++ if (known_le (saved_prs_size, vector_save_size)) ++ offset = frame.bytes_below_saved_regs + vector_save_size; ++ else if (known_le (saved_prs_size, vector_save_size * 2)) ++ offset = frame.bytes_below_saved_regs + vector_save_size * 2; + else + gcc_unreachable (); + } +@@ -8267,9 +8269,10 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- bool saves_below_hard_fp_p = maybe_ne (offset, 0); +- frame.below_hard_fp_saved_regs_size = offset; +- frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; ++ frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p ++ = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ frame.bytes_below_hard_fp = offset; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +@@ -8320,9 +8323,10 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset; ++ frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; ++ poly_int64 varargs_and_saved_regs_size ++ = frame.saved_regs_size + frame.saved_varargs_size; + + poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size +@@ -8790,9 +8794,7 @@ aarch64_save_callee_saves (poly_int64 bytes_below_sp, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8899,9 +8901,7 @@ aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -9040,14 +9040,12 @@ aarch64_get_separate_components (void) + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection + && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, 0)) ++ && known_eq (offset, frame.bytes_below_saved_regs)) + continue; + + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. */ +@@ -9194,9 +9192,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + rtx reg = gen_rtx_REG (mode, regno); + poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -9248,9 +9244,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= frame.below_hard_fp_saved_regs_size; +- else +- offset2 += frame.bytes_below_saved_regs; ++ offset2 -= frame.bytes_below_hard_fp; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) +@@ -9366,7 +9360,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p + && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] ++ - frame.bytes_below_saved_regs); + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 700524ae22b..b6135837073 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -860,6 +860,9 @@ extern enum aarch64_processor aarch64_tune; + #ifdef HAVE_POLY_INT_H + struct GTY (()) aarch64_frame + { ++ /* The offset from the bottom of the static frame (the bottom of the ++ outgoing arguments) of each register save slot, or -2 if no save is ++ needed. */ + poly_int64 reg_offset[LAST_SAVED_REGNUM + 1]; + + /* The number of extra stack bytes taken up by register varargs. +-- +2.34.1 + + +From b47766614df3b9df878262efb2ad73aaac108363 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:53 +0100 +Subject: [PATCH 12/19] aarch64: Simplify top of frame allocation + +After previous patches, it no longer really makes sense to allocate +the top of the frame in terms of varargs_and_saved_regs_size and +saved_regs_and_above. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Simplify + the allocation of the top of the frame. +--- + gcc/config/aarch64/aarch64.cc | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 97dd077844b..81935852d5b 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8325,23 +8325,16 @@ aarch64_layout_frame (void) + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size +- = frame.saved_regs_size + frame.saved_varargs_size; +- +- poly_int64 saved_regs_and_above +- = aligned_upper_bound (varargs_and_saved_regs_size +- + get_frame_size (), +- STACK_BOUNDARY / BITS_PER_UNIT); +- +- frame.bytes_above_hard_fp +- = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ auto top_of_locals = offset; + +- /* Both these values are already aligned. */ +- gcc_assert (multiple_p (frame.bytes_below_saved_regs, +- STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; ++ offset += frame.saved_varargs_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.frame_size = offset; + +- frame.bytes_above_locals = frame.saved_varargs_size; ++ frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +-- +2.34.1 + + +From 08f71b4bb28fb74d20e8d2927a557e8119ce9f4d Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:54 +0100 +Subject: [PATCH 13/19] aarch64: Minor initial adjustment tweak + +This patch just changes a calculation of initial_adjust +to one that makes it slightly more obvious that the total +adjustment is frame.frame_size. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Tweak + calculation of initial_adjust for frames in which all saves + are SVE saves. +--- + gcc/config/aarch64/aarch64.cc | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 81935852d5b..4d9fcf3d162 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8414,11 +8414,10 @@ aarch64_layout_frame (void) + { + /* Frame in which all saves are SVE saves: + +- sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size ++ sub sp, sp, frame_size - bytes_below_saved_regs + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.bytes_above_hard_fp +- + frame.below_hard_fp_saved_regs_size); ++ frame.initial_adjust = frame.frame_size - frame.bytes_below_saved_regs; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) +-- +2.34.1 + + +From f22315d5c19e8310e4dc880fd509678fd291fca8 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:54 +0100 +Subject: [PATCH 14/19] aarch64: Tweak stack clash boundary condition + +The AArch64 ABI says that, when stack clash protection is used, +there can be a maximum of 1KiB of unprobed space at sp on entry +to a function. Therefore, we need to probe when allocating +>= guard_size - 1KiB of data (>= rather than >). This is what +GCC does. + +If an allocation is exactly guard_size bytes, it is enough to allocate +those bytes and probe once at offset 1024. It isn't possible to use a +single probe at any other offset: higher would conmplicate later code, +by leaving more unprobed space than usual, while lower would risk +leaving an entire page unprobed. For simplicity, the code probes all +allocations at offset 1024. + +Some register saves also act as probes. If we need to allocate +more space below the last such register save probe, we need to +probe the allocation if it is > 1KiB. Again, this allocation is +then sometimes (but not always) probed at offset 1024. This sort of +allocation is currently only used for outgoing arguments, which are +rarely this big. + +However, the code also probed if this final outgoing-arguments +allocation was == 1KiB, rather than just > 1KiB. This isn't +necessary, since the register save then probes at offset 1024 +as required. Continuing to probe allocations of exactly 1KiB +would complicate later patches. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): + Don't probe final allocations that are exactly 1KiB in size (after + unprobed space above the final allocation has been deducted). + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: New test. +--- + gcc/config/aarch64/aarch64.cc | 4 +- + .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++ + 2 files changed, 58 insertions(+), 1 deletion(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 4d9fcf3d162..34c1d8614cd 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9333,9 +9333,11 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; ++ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT; ++ gcc_assert (multiple_p (poly_size, byte_sp_alignment)); + HOST_WIDE_INT min_probe_threshold + = (final_adjustment_p +- ? guard_used_by_caller ++ ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); + /* When doing the final adjustment for the outgoing arguments, take into + account any unprobed space there is above the current SP. There are +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +new file mode 100644 +index 00000000000..0d8a25d73a2 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -0,0 +1,55 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} +-- +2.34.1 + + +From 15e18831bf98fd25af098b970ebf0c9a6200a34b Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:55 +0100 +Subject: [PATCH 15/19] aarch64: Put LR save probe in first 16 bytes + +-fstack-clash-protection uses the save of LR as a probe for the next +allocation. The next allocation could be: + +* another part of the static frame, e.g. when allocating SVE save slots + or outgoing arguments + +* an alloca in the same function + +* an allocation made by a callee function + +However, when -fomit-frame-pointer is used, the LR save slot is placed +above the other GPR save slots. It could therefore be up to 80 bytes +above the base of the GPR save area (which is also the hard fp address). + +aarch64_allocate_and_probe_stack_space took this into account when +deciding how much subsequent space could be allocated without needing +a probe. However, it interacted badly with: + + /* If doing a small final adjustment, we always probe at offset 0. + This is done to avoid issues when LR is not at position 0 or when + the final adjustment is smaller than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +which forces any allocation that is smaller than the guard page size +to be probed at offset 0 rather than the usual offset 1024. It was +therefore possible to construct cases in which we had: + +* a probe using LR at SP + 80 bytes (or some other value >= 16) +* an allocation of the guard page size - 16 bytes +* a probe at SP + 0 + +which allocates guard page size + 64 consecutive unprobed bytes. + +This patch requires the LR probe to be in the first 16 bytes of the +save area when stack clash protection is active. Doing it +unconditionally would cause code-quality regressions. + +Putting LR before other registers prevents push/pop allocation +when shadow call stacks are enabled, since LR is restored +separately from the other callee-saved registers. + +The new comment doesn't say that the probe register is required +to be LR, since a later patch removes that restriction. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_layout_frame): Ensure that + the LR save slot is in the first 16 bytes of the register save area. + Only form STP/LDP push/pop candidates if both registers are valid. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + when LR was not in the first 16 bytes. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-18.c: New test. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-20.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 72 ++++++------- + .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++ + .../aarch64/stack-check-prologue-19.c | 100 ++++++++++++++++++ + .../aarch64/stack-check-prologue-20.c | 3 + + 4 files changed, 233 insertions(+), 42 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 34c1d8614cd..16433fb70f4 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8273,26 +8273,34 @@ aarch64_layout_frame (void) + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); + frame.bytes_below_hard_fp = offset; ++ ++ auto allocate_gpr_slot = [&](unsigned int regno) ++ { ++ frame.reg_offset[regno] = offset; ++ if (frame.wb_push_candidate1 == INVALID_REGNUM) ++ frame.wb_push_candidate1 = regno; ++ else if (frame.wb_push_candidate2 == INVALID_REGNUM) ++ frame.wb_push_candidate2 = regno; ++ offset += UNITS_PER_WORD; ++ }; ++ + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +- frame.reg_offset[R29_REGNUM] = offset; +- frame.wb_push_candidate1 = R29_REGNUM; +- frame.reg_offset[R30_REGNUM] = offset + UNITS_PER_WORD; +- frame.wb_push_candidate2 = R30_REGNUM; +- offset += 2 * UNITS_PER_WORD; ++ allocate_gpr_slot (R29_REGNUM); ++ allocate_gpr_slot (R30_REGNUM); + } ++ else if (flag_stack_clash_protection ++ && known_eq (frame.reg_offset[R30_REGNUM], SLOT_REQUIRED)) ++ /* Put the LR save slot first, since it makes a good choice of probe ++ for stack clash purposes. The idea is that the link register usually ++ has to be saved before a call anyway, and so we lose little by ++ stopping it from being individually shrink-wrapped. */ ++ allocate_gpr_slot (R30_REGNUM); + + for (regno = R0_REGNUM; regno <= R30_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) +- { +- frame.reg_offset[regno] = offset; +- if (frame.wb_push_candidate1 == INVALID_REGNUM) +- frame.wb_push_candidate1 = regno; +- else if (frame.wb_push_candidate2 == INVALID_REGNUM) +- frame.wb_push_candidate2 = regno; +- offset += UNITS_PER_WORD; +- } ++ allocate_gpr_slot (regno); + + poly_int64 max_int_offset = offset; + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8370,10 +8378,13 @@ aarch64_layout_frame (void) + max_push_offset to 0, because no registers are popped at this time, + so callee_adjust cannot be adjusted. */ + HOST_WIDE_INT max_push_offset = 0; +- if (frame.wb_pop_candidate2 != INVALID_REGNUM) +- max_push_offset = 512; +- else if (frame.wb_pop_candidate1 != INVALID_REGNUM) +- max_push_offset = 256; ++ if (frame.wb_pop_candidate1 != INVALID_REGNUM) ++ { ++ if (frame.wb_pop_candidate2 != INVALID_REGNUM) ++ max_push_offset = 512; ++ else ++ max_push_offset = 256; ++ } + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +@@ -9339,29 +9350,6 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + = (final_adjustment_p + ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); +- /* When doing the final adjustment for the outgoing arguments, take into +- account any unprobed space there is above the current SP. There are +- two cases: +- +- - When saving SVE registers below the hard frame pointer, we force +- the lowest save to take place in the prologue before doing the final +- adjustment (i.e. we don't allow the save to be shrink-wrapped). +- This acts as a probe at SP, so there is no unprobed space. +- +- - When there are no SVE register saves, we use the store of the link +- register as a probe. We can't assume that LR was saved at position 0 +- though, so treat any space below it as unprobed. */ +- if (final_adjustment_p +- && known_eq (frame.below_hard_fp_saved_regs_size, 0)) +- { +- poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] +- - frame.bytes_below_saved_regs); +- if (known_ge (lr_offset, 0)) +- min_probe_threshold -= lr_offset.to_constant (); +- else +- gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); +- } +- + poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. */ +@@ -9541,8 +9529,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; + /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when LR is not at position 0 or when +- the final adjustment is smaller than the probing offset. */ ++ This is done to avoid issues when the final adjustment is smaller ++ than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +new file mode 100644 +index 00000000000..82447d20fff +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +new file mode 100644 +index 00000000000..73ac3e4e4eb +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +new file mode 100644 +index 00000000000..690aae8dfd5 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +@@ -0,0 +1,3 @@ ++/* { dg-options "-O2 -fstack-protector-all -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++ ++#include "stack-check-prologue-19.c" +-- +2.34.1 + + +From c4f0e121faa36342f1d21919e54a05ad841c4f86 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:55 +0100 +Subject: [PATCH 16/19] aarch64: Simplify probe of final frame allocation + +Previous patches ensured that the final frame allocation only needs +a probe when the size is strictly greater than 1KiB. It's therefore +safe to use the normal 1024 probe offset in all cases. + +The main motivation for doing this is to simplify the code and +remove the number of special cases. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): + Always probe the residual allocation at offset 1024, asserting + that that is in range. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe + to be at offset 1024 rather than offset 0. + * gcc.target/aarch64/stack-check-prologue-18.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 12 ++++-------- + .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +- + .../gcc.target/aarch64/stack-check-prologue-18.c | 4 ++-- + .../gcc.target/aarch64/stack-check-prologue-19.c | 4 ++-- + 4 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 16433fb70f4..8abf3d7a1e2 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9523,16 +9523,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + are still safe. */ + if (residual) + { +- HOST_WIDE_INT residual_probe_offset = guard_used_by_caller; ++ gcc_assert (guard_used_by_caller + byte_sp_alignment <= size); ++ + /* If we're doing final adjustments, and we've done any full page + allocations then any residual needs to be probed. */ + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; +- /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when the final adjustment is smaller +- than the probing offset. */ +- else if (final_adjustment_p && rounded_size == 0) +- residual_probe_offset = 0; + + aarch64_sub_sp (temp1, temp2, residual, frame_related_p); + if (residual >= min_probe_threshold) +@@ -9543,8 +9539,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required." + "\n", residual); + +- emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, +- residual_probe_offset)); ++ emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, ++ guard_used_by_caller)); + emit_insn (gen_blockage ()); + } + } +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +index 0d8a25d73a2..f0ec1389771 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -33,7 +33,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +index 82447d20fff..6383bec5ebc 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -9,7 +9,7 @@ void g(); + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +index 73ac3e4e4eb..562039b5e9b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -9,7 +9,7 @@ void g(); + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +-- +2.34.1 + + +From 6f0ab0a9f46a17b68349ff6035aa776bf65f0575 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:56 +0100 +Subject: [PATCH 17/19] aarch64: Explicitly record probe registers in frame + info + +The stack frame is currently divided into three areas: + +A: the area above the hard frame pointer +B: the SVE saves below the hard frame pointer +C: the outgoing arguments + +If the stack frame is allocated in one chunk, the allocation needs a +probe if the frame size is >= guard_size - 1KiB. In addition, if the +function is not a leaf function, it must probe an address no more than +1KiB above the outgoing SP. We ensured the second condition by + +(1) using single-chunk allocations for non-leaf functions only if + the link register save slot is within 512 bytes of the bottom + of the frame; and + +(2) using the link register save as a probe (meaning, for instance, + that it can't be individually shrink wrapped) + +If instead the stack is allocated in multiple chunks, then: + +* an allocation involving only the outgoing arguments (C above) requires + a probe if the allocation size is > 1KiB + +* any other allocation requires a probe if the allocation size + is >= guard_size - 1KiB + +* second and subsequent allocations require the previous allocation + to probe at the bottom of the allocated area, regardless of the size + of that previous allocation + +The final point means that, unlike for single allocations, +it can be necessary to have both a non-SVE register probe and +an SVE register probe. For example: + +* allocate A, probe using a non-SVE register save +* allocate B, probe using an SVE register save +* allocate C + +The non-SVE register used in this case was again the link register. +It was previously used even if the link register save slot was some +bytes above the bottom of the non-SVE register saves, but an earlier +patch avoided that by putting the link register save slot first. + +As a belt-and-braces fix, this patch explicitly records which +probe registers we're using and allows the non-SVE probe to be +whichever register comes first (as for SVE). + +The patch also avoids unnecessary probes in sve/pcs/stack_clash_3.c. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::sve_save_and_probe) + (aarch64_frame::hard_fp_save_and_probe): New fields. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize them. + Rather than asserting that a leaf function saves LR, instead assert + that a leaf function saves something. + (aarch64_get_separate_components): Prevent the chosen probe + registers from being individually shrink-wrapped. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + probe registers that aren't at the bottom of the previous allocation. + +gcc/testsuite/ + * gcc.target/aarch64/sve/pcs/stack_clash_3.c: Avoid redundant probes. +--- + gcc/config/aarch64/aarch64.cc | 68 +++++++++++++++---- + gcc/config/aarch64/aarch64.h | 8 +++ + .../aarch64/sve/pcs/stack_clash_3.c | 6 +- + 3 files changed, 64 insertions(+), 18 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 8abf3d7a1e2..a8d907df884 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8210,15 +8210,11 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + +- /* With stack-clash, LR must be saved in non-leaf functions. The saving of +- LR counts as an implicit probe which allows us to maintain the invariant +- described in the comment at expand_prologue. */ +- gcc_assert (crtl->is_leaf +- || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.bytes_below_saved_regs = offset; ++ frame.sve_save_and_probe = INVALID_REGNUM; + + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -8226,6 +8222,8 @@ aarch64_layout_frame (void) + for (regno = P0_REGNUM; regno <= P15_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += BYTES_PER_SVE_PRED; + } +@@ -8263,6 +8261,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += vector_save_size; + } +@@ -8272,10 +8272,18 @@ aarch64_layout_frame (void) + frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ gcc_assert (!saves_below_hard_fp_p ++ || (frame.sve_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.sve_save_and_probe], ++ frame.bytes_below_saved_regs))); ++ + frame.bytes_below_hard_fp = offset; ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; + + auto allocate_gpr_slot = [&](unsigned int regno) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + frame.reg_offset[regno] = offset; + if (frame.wb_push_candidate1 == INVALID_REGNUM) + frame.wb_push_candidate1 = regno; +@@ -8309,6 +8317,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + /* If there is an alignment gap between integer and fp callee-saves, + allocate the last fp register to it if possible. */ + if (regno == last_fp_reg +@@ -8332,6 +8342,17 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (frame.saved_regs_size, ++ frame.below_hard_fp_saved_regs_size) ++ || (frame.hard_fp_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], ++ frame.bytes_below_hard_fp))); ++ ++ /* With stack-clash, a register must be saved in non-leaf functions. ++ The saving of the bottommost register counts as an implicit probe, ++ which allows us to maintain the invariant described in the comment ++ at expand_prologue. */ ++ gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8462,6 +8483,25 @@ aarch64_layout_frame (void) + frame.final_adjust = frame.bytes_below_saved_regs; + } + ++ /* The frame is allocated in pieces, with each non-final piece ++ including a register save at offset 0 that acts as a probe for ++ the following piece. In addition, the save of the bottommost register ++ acts as a probe for callees and allocas. Roll back any probes that ++ aren't needed. ++ ++ A probe isn't needed if it is associated with the final allocation ++ (including callees and allocas) that happens before the epilogue is ++ executed. */ ++ if (crtl->is_leaf ++ && !cfun->calls_alloca ++ && known_eq (frame.final_adjust, 0)) ++ { ++ if (maybe_ne (frame.sve_callee_adjust, 0)) ++ frame.sve_save_and_probe = INVALID_REGNUM; ++ else ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; ++ } ++ + /* Make sure the individual adjustments add up to the full frame size. */ + gcc_assert (known_eq (frame.initial_adjust + + frame.callee_adjust +@@ -9039,13 +9079,6 @@ aarch64_get_separate_components (void) + + poly_int64 offset = frame.reg_offset[regno]; + +- /* If the register is saved in the first SVE save slot, we use +- it as a stack probe for -fstack-clash-protection. */ +- if (flag_stack_clash_protection +- && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, frame.bytes_below_saved_regs)) +- continue; +- + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) + offset -= frame.bytes_below_hard_fp; +@@ -9080,6 +9113,13 @@ aarch64_get_separate_components (void) + + bitmap_clear_bit (components, LR_REGNUM); + bitmap_clear_bit (components, SP_REGNUM); ++ if (flag_stack_clash_protection) ++ { ++ if (frame.sve_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.sve_save_and_probe); ++ if (frame.hard_fp_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.hard_fp_save_and_probe); ++ } + + return components; + } +@@ -9616,8 +9656,8 @@ aarch64_epilogue_uses (int regno) + When probing is needed, we emit a probe at the start of the prologue + and every PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE bytes thereafter. + +- We have to track how much space has been allocated and the only stores +- to the stack we track as implicit probes are the FP/LR stores. ++ We can also use register saves as probes. These are stored in ++ sve_save_and_probe and hard_fp_save_and_probe. + + For outgoing arguments we probe if the size is larger than 1KB, such that + the ABI specified buffer is maintained for the next callee. +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index b6135837073..46d4693e206 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -957,6 +957,14 @@ struct GTY (()) aarch64_frame + This is the register they should use. */ + unsigned spare_pred_reg; + ++ /* An SVE register that is saved below the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned sve_save_and_probe; ++ ++ /* A register that is saved at the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned hard_fp_save_and_probe; ++ + bool laid_out; + + /* True if shadow call stack should be enabled for the current function. */ +diff --git a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +index 3e01ec36c3a..3530a0d504b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c ++++ b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +@@ -11,11 +11,10 @@ + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +@@ -39,13 +38,12 @@ test_1 (int n) + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** str p5, \[sp, #1, mul vl\] + ** str p6, \[sp, #2, mul vl\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +-- +2.34.1 + + +From 8254e1b9cd500e0c278465a3657543477e9d1250 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:56 +0100 +Subject: [PATCH 18/19] aarch64: Remove below_hard_fp_saved_regs_size + +After previous patches, it's no longer necessary to store +saved_regs_size and below_hard_fp_saved_regs_size in the frame info. +All measurements instead use the top or bottom of the frame as +reference points. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::saved_regs_size) + (aarch64_frame::below_hard_fp_saved_regs_size): Delete. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Update accordingly. +--- + gcc/config/aarch64/aarch64.cc | 45 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 7 ------ + 2 files changed, 21 insertions(+), 31 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index a8d907df884..ac3d3b336a3 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8269,9 +8269,8 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; +- bool saves_below_hard_fp_p +- = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ auto below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p = maybe_ne (below_hard_fp_saved_regs_size, 0); + gcc_assert (!saves_below_hard_fp_p + || (frame.sve_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.sve_save_and_probe], +@@ -8341,9 +8340,8 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset - frame.bytes_below_saved_regs; +- gcc_assert (known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size) ++ auto saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (saved_regs_size, below_hard_fp_saved_regs_size) + || (frame.hard_fp_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], + frame.bytes_below_hard_fp))); +@@ -8352,7 +8350,7 @@ aarch64_layout_frame (void) + The saving of the bottommost register counts as an implicit probe, + which allows us to maintain the invariant described in the comment + at expand_prologue. */ +- gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); ++ gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8409,7 +8407,7 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +- if (known_eq (frame.saved_regs_size, 0)) ++ if (known_eq (saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +@@ -8422,7 +8420,7 @@ aarch64_layout_frame (void) + frame.callee_adjust = const_size; + } + else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) +- && frame.saved_regs_size.is_constant (&const_saved_regs_size) ++ && saved_regs_size.is_constant (&const_saved_regs_size) + && const_below_saved_regs + const_saved_regs_size < 512 + /* We could handle this case even with data below the saved + registers, provided that that data left us with valid offsets +@@ -8441,8 +8439,7 @@ aarch64_layout_frame (void) + frame.initial_adjust = frame.frame_size; + } + else if (saves_below_hard_fp_p +- && known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size)) ++ && known_eq (saved_regs_size, below_hard_fp_saved_regs_size)) + { + /* Frame in which all saves are SVE saves: + +@@ -8464,7 +8461,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_above_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else +@@ -8479,7 +8476,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = frame.bytes_above_hard_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + +@@ -9621,17 +9618,17 @@ aarch64_epilogue_uses (int regno) + | local variables | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | \ +- +-------------------------------+ | +- | callee-saved registers | | frame.saved_regs_size +- +-------------------------------+ | +- | LR' | | +- +-------------------------------+ | +- | FP' | | +- +-------------------------------+ |<- hard_frame_pointer_rtx (aligned) +- | SVE vector registers | | \ +- +-------------------------------+ | | below_hard_fp_saved_regs_size +- | SVE predicate registers | / / ++ | padding | ++ +-------------------------------+ ++ | callee-saved registers | ++ +-------------------------------+ ++ | LR' | ++ +-------------------------------+ ++ | FP' | ++ +-------------------------------+ <-- hard_frame_pointer_rtx (aligned) ++ | SVE vector registers | ++ +-------------------------------+ ++ | SVE predicate registers | + +-------------------------------+ + | dynamic allocation | + +-------------------------------+ +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 46d4693e206..01f7751bc78 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -871,18 +871,11 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + HOST_WIDE_INT saved_varargs_size; + +- /* The size of the callee-save registers with a slot in REG_OFFSET. */ +- poly_int64 saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the bottom of the register save area. + This value is always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_saved_regs; + +- /* The size of the callee-save registers with a slot in REG_OFFSET that +- are saved below the hard frame pointer. */ +- poly_int64 below_hard_fp_saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the hard frame pointer. This value is + always a multiple of STACK_BOUNDARY. */ +-- +2.34.1 + + +From 75c37e031408262263442f5b4cdb83d3777b6422 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:08:57 +0100 +Subject: [PATCH 19/19] aarch64: Make stack smash canary protect saved + registers + +AArch64 normally puts the saved registers near the bottom of the frame, +immediately above any dynamic allocations. But this means that a +stack-smash attack on those dynamic allocations could overwrite the +saved registers without needing to reach as far as the stack smash +canary. + +The same thing could also happen for variable-sized arguments that are +passed by value, since those are allocated before a call and popped on +return. + +This patch avoids that by putting the locals (and thus the canary) below +the saved registers when stack smash protection is active. + +The patch fixes CVE-2023-4039. + +gcc/ + * config/aarch64/aarch64.cc (aarch64_save_regs_above_locals_p): + New function. + (aarch64_layout_frame): Use it to decide whether locals should + go above or below the saved registers. + (aarch64_expand_prologue): Update stack layout comment. + Emit a stack tie after the final adjustment. + +gcc/testsuite/ + * gcc.target/aarch64/stack-protector-8.c: New test. + * gcc.target/aarch64/stack-protector-9.c: Likewise. +--- + gcc/config/aarch64/aarch64.cc | 46 +++++++-- + .../gcc.target/aarch64/stack-protector-8.c | 95 +++++++++++++++++++ + .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++ + 3 files changed, 168 insertions(+), 6 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index ac3d3b336a3..96c3f48fdc4 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8133,6 +8133,20 @@ aarch64_needs_frame_chain (void) + return aarch64_use_frame_pointer; + } + ++/* Return true if the current function should save registers above ++ the locals area, rather than below it. */ ++ ++static bool ++aarch64_save_regs_above_locals_p () ++{ ++ /* When using stack smash protection, make sure that the canary slot ++ comes between the locals and the saved registers. Otherwise, ++ it would be possible for a carefully sized smash attack to change ++ the saved registers (particularly LR and FP) without reaching the ++ canary. */ ++ return crtl->stack_protect_guard; ++} ++ + /* Mark the registers that need to be saved by the callee and calculate + the size of the callee-saved registers area and frame record (both FP + and LR may be omitted). */ +@@ -8144,6 +8158,7 @@ aarch64_layout_frame (void) + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); + bool frame_related_fp_reg_p = false; + aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 top_of_locals = -1; + + frame.emit_frame_chain = aarch64_needs_frame_chain (); + +@@ -8210,9 +8225,16 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + ++ bool regs_at_top_p = aarch64_save_regs_above_locals_p (); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ if (regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + frame.bytes_below_saved_regs = offset; + frame.sve_save_and_probe = INVALID_REGNUM; + +@@ -8352,15 +8374,18 @@ aarch64_layout_frame (void) + at expand_prologue. */ + gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + +- offset += get_frame_size (); +- offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +- auto top_of_locals = offset; +- ++ if (!regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + offset += frame.saved_varargs_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = offset; + + frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ gcc_assert (known_ge (top_of_locals, 0)); + frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; +@@ -9615,10 +9640,10 @@ aarch64_epilogue_uses (int regno) + | for register varargs | + | | + +-------------------------------+ +- | local variables | <-- frame_pointer_rtx ++ | local variables (1) | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | ++ | padding (1) | + +-------------------------------+ + | callee-saved registers | + +-------------------------------+ +@@ -9630,6 +9655,10 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | SVE predicate registers | + +-------------------------------+ ++ | local variables (2) | ++ +-------------------------------+ ++ | padding (2) | ++ +-------------------------------+ + | dynamic allocation | + +-------------------------------+ + | padding | +@@ -9639,6 +9668,9 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | | <-- stack_pointer_rtx (aligned) + ++ The regions marked (1) and (2) are mutually exclusive. (2) is used ++ when aarch64_save_regs_above_locals_p is true. ++ + Dynamic stack allocations via alloca() decrease stack_pointer_rtx + but leave frame_pointer_rtx and hard_frame_pointer_rtx + unchanged. +@@ -9834,6 +9866,8 @@ aarch64_expand_prologue (void) + gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); ++ if (emit_frame_chain && maybe_ne (final_adjust, 0)) ++ emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + + /* Return TRUE if we can use a simple_return insn. +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +new file mode 100644 +index 00000000000..e71d820e365 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +@@ -0,0 +1,95 @@ ++/* { dg-options " -O -fstack-protector-strong -mstack-protector-guard=sysreg -mstack-protector-guard-reg=tpidr2_el0 -mstack-protector-guard-offset=16" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void g(void *); ++__SVBool_t *h(void *); ++ ++/* ++** test1: ++** sub sp, sp, #288 ++** stp x29, x30, \[sp, #?272\] ++** add x29, sp, #?272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** ldp x29, x30, \[sp, #?272\] ++** add sp, sp, #?288 ++** ret ++** bl __stack_chk_fail ++*/ ++int test1() { ++ int y[0x40]; ++ g(y); ++ return 1; ++} ++ ++/* ++** test2: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** sub sp, sp, #1040 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?1032\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?1040 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++int test2() { ++ int y[0x100]; ++ g(y); ++ return 1; ++} ++ ++#pragma GCC target "+sve" ++ ++/* ++** test3: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** addvl sp, sp, #-18 ++** ... ++** str p4, \[sp\] ++** ... ++** sub sp, sp, #272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl h ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?272 ++** ... ++** ldr p4, \[sp\] ++** ... ++** addvl sp, sp, #18 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++__SVBool_t test3() { ++ int y[0x40]; ++ return *h(y); ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +new file mode 100644 +index 00000000000..58f322aa480 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +@@ -0,0 +1,33 @@ ++/* { dg-options "-O2 -mcpu=neoverse-v1 -fstack-protector-all" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++/* ++** main: ++** ... ++** stp x29, x30, \[sp, #?-[0-9]+\]! ++** ... ++** sub sp, sp, #[0-9]+ ++** ... ++** str x[0-9]+, \[x29, #?-8\] ++** ... ++*/ ++int f(const char *); ++void g(void *); ++int main(int argc, char* argv[]) ++{ ++ int a; ++ int b; ++ char c[2+f(argv[1])]; ++ int d[0x100]; ++ char y; ++ ++ y=42; a=4; b=10; ++ c[0] = 'h'; c[1] = '\0'; ++ ++ c[f(argv[2])] = '\0'; ++ ++ __builtin_printf("%d %d\n%s\n", a, b, c); ++ g(d); ++ ++ return 0; ++} +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/gcc/gcc_12.2.bb b/poky/meta/recipes-devtools/gcc/gcc_12.3.bb index 255fe552bd..255fe552bd 100644 --- a/poky/meta/recipes-devtools/gcc/gcc_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/gcc_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgcc-initial_12.2.bb b/poky/meta/recipes-devtools/gcc/libgcc-initial_12.3.bb index a259082b47..a259082b47 100644 --- a/poky/meta/recipes-devtools/gcc/libgcc-initial_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgcc-initial_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgcc_12.2.bb b/poky/meta/recipes-devtools/gcc/libgcc_12.3.bb index f88963b0a4..f88963b0a4 100644 --- a/poky/meta/recipes-devtools/gcc/libgcc_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgcc_12.3.bb diff --git a/poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb b/poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb index 71dd8b4bdc..71dd8b4bdc 100644 --- a/poky/meta/recipes-devtools/gcc/libgfortran_12.2.bb +++ b/poky/meta/recipes-devtools/gcc/libgfortran_12.3.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.2.bb index 4ab2b7156d..4ab2b7156d 100644 --- a/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb-cross-canadian_13.2.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb index 3b654a2f0d..3b654a2f0d 100644 --- a/poky/meta/recipes-devtools/gdb/gdb-cross_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb-cross_13.2.bb diff --git a/poky/meta/recipes-devtools/gdb/gdb.inc b/poky/meta/recipes-devtools/gdb/gdb.inc index 8589de62ff..2437a96ae7 100644 --- a/poky/meta/recipes-devtools/gdb/gdb.inc +++ b/poky/meta/recipes-devtools/gdb/gdb.inc @@ -13,10 +13,9 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0006-resolve-restrict-keyword-conflict.patch \ file://0007-Fix-invalid-sigprocmask-call.patch \ file://0008-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ - file://0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch \ file://add-missing-ldflags.patch \ - file://0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch \ + file://0009-CVE-2023-39128.patch \ " -SRC_URI[sha256sum] = "115ad5c18d69a6be2ab15882d365dda2a2211c14f480b3502c6eba576e2e95a0" +SRC_URI[sha256sum] = "fd5bebb7be1833abdb6e023c2f498a354498281df9d05523d8915babeb893f0a" TOOLCHAIN = "gcc" diff --git a/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch b/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch deleted file mode 100644 index 9adf4a4db5..0000000000 --- a/poky/meta/recipes-devtools/gdb/gdb/0001-aarch64-Check-for-valid-inferior-thread-regcache-bef.patch +++ /dev/null @@ -1,286 +0,0 @@ -From b3eff3e15576229af9bae026c5c23ee694b90389 Mon Sep 17 00:00:00 2001 -From: Luis Machado <luis.machado@arm.com> -Date: Fri, 24 Mar 2023 07:58:38 +0000 -Subject: [PATCH] aarch64: Check for valid inferior thread/regcache before - reading pauth registers - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - -There were reports of gdb throwing internal errors when calling -inferior_thread ()/get_current_regcache () on a system with -Pointer Authentication enabled. - -In such cases, gdb produces the following backtrace, or a variation -of it (for gdb's with the non-address removal implemented only in -the aarch64-linux-tdep.c file). - -../../../repos/binutils-gdb/gdb/thread.c:86: internal-error: inferior_thread: Assertion `current_thread_ != nullptr' failed. -A problem internal to GDB has been detected, -further debugging may prove unreliable. ------ Backtrace ----- -0xaaaae04a571f gdb_internal_backtrace_1 - ../../../repos/binutils-gdb/gdb/bt-utils.c:122 -0xaaaae04a57f3 _Z22gdb_internal_backtracev - ../../../repos/binutils-gdb/gdb/bt-utils.c:168 -0xaaaae0b52ccf internal_vproblem - ../../../repos/binutils-gdb/gdb/utils.c:401 -0xaaaae0b5310b _Z15internal_verrorPKciS0_St9__va_list - ../../../repos/binutils-gdb/gdb/utils.c:481 -0xaaaae0e24b8f _Z18internal_error_locPKciS0_z - ../../../repos/binutils-gdb/gdbsupport/errors.cc:58 -0xaaaae0a88983 _Z15inferior_threadv - ../../../repos/binutils-gdb/gdb/thread.c:86 -0xaaaae0956c87 _Z20get_current_regcachev - ../../../repos/binutils-gdb/gdb/regcache.c:428 -0xaaaae035223f aarch64_remove_non_address_bits - ../../../repos/binutils-gdb/gdb/aarch64-tdep.c:3572 -0xaaaae03e8abb _Z31gdbarch_remove_non_address_bitsP7gdbarchm - ../../../repos/binutils-gdb/gdb/gdbarch.c:3109 -0xaaaae0a692d7 memory_xfer_partial - ../../../repos/binutils-gdb/gdb/target.c:1620 -0xaaaae0a695e3 _Z19target_xfer_partialP10target_ops13target_objectPKcPhPKhmmPm - ../../../repos/binutils-gdb/gdb/target.c:1684 -0xaaaae0a69e9f target_read_partial - ../../../repos/binutils-gdb/gdb/target.c:1937 -0xaaaae0a69fdf _Z11target_readP10target_ops13target_objectPKcPhml - ../../../repos/binutils-gdb/gdb/target.c:1977 -0xaaaae0a69937 _Z18target_read_memorymPhl - ../../../repos/binutils-gdb/gdb/target.c:1773 -0xaaaae08be523 ps_xfer_memory - ../../../repos/binutils-gdb/gdb/proc-service.c:90 -0xaaaae08be6db ps_pdread - ../../../repos/binutils-gdb/gdb/proc-service.c:124 -0x40001ed7c3b3 _td_fetch_value - /build/glibc-RIFKjK/glibc-2.31/nptl_db/fetch-value.c:115 -0x40001ed791ef td_ta_map_lwp2thr - /build/glibc-RIFKjK/glibc-2.31/nptl_db/td_ta_map_lwp2thr.c:194 -0xaaaae07f4473 thread_from_lwp - ../../../repos/binutils-gdb/gdb/linux-thread-db.c:413 -0xaaaae07f6d6f _ZN16thread_db_target4waitE6ptid_tP17target_waitstatus10enum_flagsI16target_wait_flagE - ../../../repos/binutils-gdb/gdb/linux-thread-db.c:1420 -0xaaaae0a6b33b _Z11target_wait6ptid_tP17target_waitstatus10enum_flagsI16target_wait_flagE - ../../../repos/binutils-gdb/gdb/target.c:2586 -0xaaaae0789cf7 do_target_wait_1 - ../../../repos/binutils-gdb/gdb/infrun.c:3825 -0xaaaae0789e6f operator() - ../../../repos/binutils-gdb/gdb/infrun.c:3884 -0xaaaae078a167 do_target_wait - ../../../repos/binutils-gdb/gdb/infrun.c:3903 -0xaaaae078b0af _Z20fetch_inferior_eventv - ../../../repos/binutils-gdb/gdb/infrun.c:4314 -0xaaaae076652f _Z22inferior_event_handler19inferior_event_type - ../../../repos/binutils-gdb/gdb/inf-loop.c:41 -0xaaaae07dc68b handle_target_event - ../../../repos/binutils-gdb/gdb/linux-nat.c:4206 -0xaaaae0e25fbb handle_file_event - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:573 -0xaaaae0e264f3 gdb_wait_for_event - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:694 -0xaaaae0e24f9b _Z16gdb_do_one_eventi - ../../../repos/binutils-gdb/gdbsupport/event-loop.cc:217 -0xaaaae080f033 start_event_loop - ../../../repos/binutils-gdb/gdb/main.c:411 -0xaaaae080f1b7 captured_command_loop - ../../../repos/binutils-gdb/gdb/main.c:475 -0xaaaae0810b97 captured_main - ../../../repos/binutils-gdb/gdb/main.c:1318 -0xaaaae0810c1b _Z8gdb_mainP18captured_main_args - ../../../repos/binutils-gdb/gdb/main.c:1337 -0xaaaae0338453 main - ../../../repos/binutils-gdb/gdb/gdb.c:32 ---------------------- -../../../repos/binutils-gdb/gdb/thread.c:86: internal-error: inferior_thread: Assertion `current_thread_ != nullptr' failed. -A problem internal to GDB has been detected, -further debugging may prove unreliable. -Quit this debugging session? (y or n) - -We also see failures across the testsuite if the tests get executed on a target -that has native support for the pointer authentication feature. But -gdb.base/break.exp and gdb.base/access-mem-running.exp are two examples of -tests that run into errors and internal errors. - -This issue started after commit d88cb738e6a7a7179dfaff8af78d69250c852af1, which -enabled more broad use of pointer authentication masks to remove non-address -bits of pointers, but wasn't immediately detected because systems with native -support for pointer authentication are not that common yet. - -The above crash happens because gdb is in the middle of handling an event, -and do_target_wait_1 calls switch_to_inferior_no_thread, nullifying the -current thread. This means a call to inferior_thread () will assert, and -attempting to call get_current_regcache () will also call inferior_thread (), -resulting in an assertion as well. - -target_has_registers was one function that seemed useful for detecting these -types of situation where we don't have a register cache. The problem with that -is the inconsistent state of inferior_ptid, which is used by -target_has_registers. - -Despite the call to switch_to_no_thread in switch_to_inferior_no_thread from -do_target_wait_1 in the backtrace above clearing inferior_ptid, the call to -ps_xfer_memory sets inferior_ptid momentarily before reading memory: - -static ps_err_e -ps_xfer_memory (const struct ps_prochandle *ph, psaddr_t addr, - gdb_byte *buf, size_t len, int write) -{ - scoped_restore_current_inferior restore_inferior; - set_current_inferior (ph->thread->inf); - - scoped_restore_current_program_space restore_current_progspace; - set_current_program_space (ph->thread->inf->pspace); - - scoped_restore save_inferior_ptid = make_scoped_restore (&inferior_ptid); - inferior_ptid = ph->thread->ptid; - - CORE_ADDR core_addr = ps_addr_to_core_addr (addr); - - int ret; - if (write) - ret = target_write_memory (core_addr, buf, len); - else - ret = target_read_memory (core_addr, buf, len); - return (ret == 0 ? PS_OK : PS_ERR); -} - -Maybe this shouldn't happen, or maybe it is just an unfortunate state to be -in. But this prevents the use of target_has_registers to guard against the -lack of registers, since, although current_thread_ is still nullptr, -inferior_ptid is valid and is not null_ptid. - -There is another crash scenario after we kill a previously active inferior, in -which case the gdbarch will still say we support pointer authentication but we -will also have no current thread (inferior_thread () will assert etc). - -If the target has support for pointer authentication, gdb needs to use -a couple (or 4, for bare-metal) mask registers to mask off some bits of -pointers, and for that it needs to access the registers. - -At some points, like the one from the backtrace above, there is no active -thread/current regcache because gdb is in the middle of doing event handling -and switching between threads. - -Simon suggested the use of inferior_ptid to fetch the register cache, as -opposed to relying on the current register cache. Though we need to make sure -inferior_ptid is valid (not null_ptid), I think this works nicely. - -With inferior_ptid, we can do safety checks along the way, making sure we have -a thread to fetch a register cache from and checking if the thread is actually -stopped or running. - -The following patch implements this idea with safety checks to make sure we -don't run into assertions or errors. If any of the checks fail, we fallback to -using a default mask to remove non-address bits of a pointer. - -I discussed with Pedro the possibility of caching the mask register values -(which are per-process and can change mid-execution), but there isn't a good -spot to cache those values. Besides, the mask registers can change constantly -for bare-metal debugging when switching between exception levels. - -In some cases, it is just not possible to get access to these mask registers, -like the case where threads are running. In those cases, using a default mask -to remove the non-address bits should be enough. - -This can happen when we let threads run in the background and then we attempt -to access a memory address (now that gdb is capable of reading memory even -with threads running). Thus gdb will attempt to remove non-address bits -of that memory access, will attempt to access registers, running into errors. - -Regression-tested on aarch64-linux Ubuntu 20.04. ---- - gdb/aarch64-linux-tdep.c | 64 ++++++++++++++++++++++++++++++---------- - 1 file changed, 49 insertions(+), 15 deletions(-) - -diff --git a/gdb/aarch64-linux-tdep.c b/gdb/aarch64-linux-tdep.c -index 20a041c599e..4b2915b8e99 100644 ---- a/gdb/aarch64-linux-tdep.c -+++ b/gdb/aarch64-linux-tdep.c -@@ -57,6 +57,9 @@ - #include "elf/common.h" - #include "elf/aarch64.h" - -+/* For inferior_ptid and current_inferior (). */ -+#include "inferior.h" -+ - /* Signal frame handling. - - +------------+ ^ -@@ -1986,29 +1989,60 @@ aarch64_linux_decode_memtag_section (struct gdbarch *gdbarch, - static CORE_ADDR - aarch64_remove_non_address_bits (struct gdbarch *gdbarch, CORE_ADDR pointer) - { -- aarch64_gdbarch_tdep *tdep = gdbarch_tdep<aarch64_gdbarch_tdep> (gdbarch); -- - /* By default, we assume TBI and discard the top 8 bits plus the VA range -- select bit (55). */ -+ select bit (55). Below we try to fetch information about pointer -+ authentication masks in order to make non-address removal more -+ precise. */ - CORE_ADDR mask = AARCH64_TOP_BITS_MASK; - -- if (tdep->has_pauth ()) -+ /* Check if we have an inferior first. If not, just use the default -+ mask. -+ -+ We use the inferior_ptid here because the pointer authentication masks -+ should be the same across threads of a process. Since we may not have -+ access to the current thread (gdb may have switched to no inferiors -+ momentarily), we use the inferior ptid. */ -+ if (inferior_ptid != null_ptid) - { -- /* Fetch the PAC masks. These masks are per-process, so we can just -- fetch data from whatever thread we have at the moment. -+ /* If we do have an inferior, attempt to fetch its thread's thread_info -+ struct. */ -+ thread_info *thread -+ = find_thread_ptid (current_inferior ()->process_target (), -+ inferior_ptid); - -- Also, we have both a code mask and a data mask. For now they are the -- same, but this may change in the future. */ -- struct regcache *regs = get_current_regcache (); -- CORE_ADDR cmask, dmask; -+ /* If the thread is running, we will not be able to fetch the mask -+ registers. */ -+ if (thread != nullptr && thread->state != THREAD_RUNNING) -+ { -+ /* Otherwise, fetch the register cache and the masks. */ -+ struct regcache *regs -+ = get_thread_regcache (current_inferior ()->process_target (), -+ inferior_ptid); -+ -+ /* Use the gdbarch from the register cache to check for pointer -+ authentication support, as it matches the features found in -+ that particular thread. */ -+ aarch64_gdbarch_tdep *tdep -+ = gdbarch_tdep<aarch64_gdbarch_tdep> (regs->arch ()); -+ -+ /* Is there pointer authentication support? */ -+ if (tdep->has_pauth ()) -+ { -+ /* We have both a code mask and a data mask. For now they are -+ the same, but this may change in the future. */ -+ CORE_ADDR cmask, dmask; - -- if (regs->cooked_read (tdep->pauth_reg_base, &dmask) != REG_VALID) -- dmask = mask; -+ if (regs->cooked_read (tdep->pauth_reg_base, &dmask) -+ != REG_VALID) -+ dmask = mask; - -- if (regs->cooked_read (tdep->pauth_reg_base + 1, &cmask) != REG_VALID) -- cmask = mask; -+ if (regs->cooked_read (tdep->pauth_reg_base + 1, &cmask) -+ != REG_VALID) -+ cmask = mask; - -- mask |= aarch64_mask_from_pac_registers (cmask, dmask); -+ mask |= aarch64_mask_from_pac_registers (cmask, dmask); -+ } -+ } - } - - return aarch64_remove_top_bits (pointer, mask); --- -2.34.1 - diff --git a/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch b/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch new file mode 100644 index 0000000000..88e39eaa59 --- /dev/null +++ b/poky/meta/recipes-devtools/gdb/gdb/0009-CVE-2023-39128.patch @@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey <tromey@adacore.com> +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz <keiths@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 40f8591..06ac46b 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include <algorithm> + #include "ada-exp.h" + #include "charset.h" +@@ -1388,7 +1389,7 @@ ada_decode (const char *encoded, bool wrap, bool operators) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1585,6 +1586,18 @@ ada_decode (const char *encoded, bool wrap, bool operators) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -14084,4 +14097,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch b/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch deleted file mode 100644 index 32eba089bc..0000000000 --- a/poky/meta/recipes-devtools/gdb/gdb/0009-gdbserver-linux-low.cc-Fix-a-typo-in-ternary-operato.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 9a85132c4ba7d37a5df146239b3ab1a5854ce478 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 22 Feb 2023 16:24:07 -0800 -Subject: [PATCH] gdbserver/linux-low.cc: Fix a typo in ternary operator - -Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2023-February/197298.html] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - gdbserver/linux-low.cc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/gdbserver/linux-low.cc b/gdbserver/linux-low.cc -index 7e1de397893..95ec871d436 100644 ---- a/gdbserver/linux-low.cc -+++ b/gdbserver/linux-low.cc -@@ -5390,7 +5390,7 @@ proc_xfer_memory (CORE_ADDR memaddr, unsigned char *readbuf, - if (lseek (fd, memaddr, SEEK_SET) != -1) - bytes = (readbuf != nullptr - ? read (fd, readbuf, len) -- ? write (fd, writebuf, len)); -+ : write (fd, writebuf, len)); - #endif - - if (bytes < 0) diff --git a/poky/meta/recipes-devtools/gdb/gdb_13.1.bb b/poky/meta/recipes-devtools/gdb/gdb_13.2.bb index 9c6db4ca2c..9c6db4ca2c 100644 --- a/poky/meta/recipes-devtools/gdb/gdb_13.1.bb +++ b/poky/meta/recipes-devtools/gdb/gdb_13.2.bb diff --git a/poky/meta/recipes-devtools/git/git_2.39.2.bb b/poky/meta/recipes-devtools/git/git_2.39.3.bb index 9fac9d13f8..6fdf1caa74 100644 --- a/poky/meta/recipes-devtools/git/git_2.39.2.bb +++ b/poky/meta/recipes-devtools/git/git_2.39.3.bb @@ -170,4 +170,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "fb6807d1eb4094bb2349ab97d203fe1e6c3eb28af73ea391decfbd3a03c02e85" +SRC_URI[tarball.sha256sum] = "2f9aa93c548941cc5aff641cedc24add15b912ad8c9b36ff5a41b1a9dcad783e" diff --git a/poky/meta/recipes-devtools/go/go-1.20.4.inc b/poky/meta/recipes-devtools/go/go-1.20.7.inc index 05bc168e0c..009a67e89e 100644 --- a/poky/meta/recipes-devtools/go/go-1.20.4.inc +++ b/poky/meta/recipes-devtools/go/go-1.20.7.inc @@ -14,5 +14,7 @@ SRC_URI += "\ file://0007-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \ + file://CVE-2023-24531_1.patch \ + file://CVE-2023-24531_2.patch \ " -SRC_URI[main.sha256sum] = "9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6" +SRC_URI[main.sha256sum] = "2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597" diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.20.4.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.20.7.bb index 87ce8a558f..3decde1954 100644 --- a/poky/meta/recipes-devtools/go/go-binary-native_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-binary-native_1.20.7.bb @@ -9,9 +9,9 @@ PROVIDES = "go-native" # Checksums available at https://go.dev/dl/ SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "698ef3243972a51ddb4028e4a1ac63dc6d60821bf18e59a807e051fee0a385bd" -SRC_URI[go_linux_arm64.sha256sum] = "105889992ee4b1d40c7c108555222ca70ae43fccb42e20fbf1eebb822f5e72c6" -SRC_URI[go_linux_ppc64le.sha256sum] = "8c6f44b96c2719c90eebabe2dd866f9c39538648f7897a212cac448587e9a408" +SRC_URI[go_linux_amd64.sha256sum] = "f0a87f1bcae91c4b69f8dc2bc6d7e6bfcd7524fceec130af525058c0c17b1b44" +SRC_URI[go_linux_arm64.sha256sum] = "44781ae3b153c3b07651d93b6bc554e835a36e2d72a696281c1e4dad9efffe43" +SRC_URI[go_linux_ppc64le.sha256sum] = "6318a1db307c12b8afe68808bd6fae4fba1e558a85b958216096869ed506dcb3" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb index 7ac9449e47..7ac9449e47 100644 --- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-cross_1.20.4.bb b/poky/meta/recipes-devtools/go/go-cross_1.20.7.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/poky/meta/recipes-devtools/go/go-cross_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-cross_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb index 1857c8a577..1857c8a577 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-native_1.20.4.bb b/poky/meta/recipes-devtools/go/go-native_1.20.7.bb index ddf25b2c9b..ddf25b2c9b 100644 --- a/poky/meta/recipes-devtools/go/go-native_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-native_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb b/poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb index 63464a1501..63464a1501 100644 --- a/poky/meta/recipes-devtools/go/go-runtime_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go-runtime_1.20.7.bb diff --git a/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch new file mode 100644 index 0000000000..9de701b64b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_1.patch @@ -0,0 +1,266 @@ +From c5463ec922a57d8b175c6639186ba9cbe15e6bc1 Mon Sep 17 00:00:00 2001 +From: Michael Matloob <matloob@golang.org> +Date: Mon, 24 Apr 2023 16:57:28 -0400 +Subject: [PATCH 1/2] cmd/go: sanitize go env outputs + +go env, without any arguments, outputs the environment variables in +the form of a script that can be run on the host OS. On Unix, single +quote the strings and place single quotes themselves outside the +single quoted strings. On windows use the set "var=val" syntax with +the quote starting before the variable. + +Fixes #58508 + +Change-Id: Iecd379a4af7285ea9b2024f0202250c74fd9a2bd +Reviewed-on: https://go-review.googlesource.com/c/go/+/488375 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Michael Matloob <matloob@golang.org> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Michael Matloob <matloob@golang.org> +Reviewed-by: Bryan Mills <bcmills@google.com> +Reviewed-by: Quim Muntal <quimmuntal@gmail.com> + +CVE: CVE-2023-24531 +Upstream-Status: Backport [f379e78951a405e7e99a60fb231eeedbf976c108] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/cmd/go/internal/envcmd/env.go | 60 ++++++++++++- + src/cmd/go/internal/envcmd/env_test.go | 94 +++++++++++++++++++++ + src/cmd/go/testdata/script/env_sanitize.txt | 5 ++ + src/cmd/go/testdata/script/work_env.txt | 2 +- + 4 files changed, 158 insertions(+), 3 deletions(-) + create mode 100644 src/cmd/go/internal/envcmd/env_test.go + create mode 100644 src/cmd/go/testdata/script/env_sanitize.txt + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index fb7448a..5b52fad 100644 +--- a/src/cmd/go/internal/envcmd/env.go ++++ b/src/cmd/go/internal/envcmd/env.go +@@ -6,6 +6,7 @@ + package envcmd + + import ( ++ "bytes" + "context" + "encoding/json" + "fmt" +@@ -17,6 +18,7 @@ import ( + "runtime" + "sort" + "strings" ++ "unicode" + "unicode/utf8" + + "cmd/go/internal/base" +@@ -413,9 +415,12 @@ func checkBuildConfig(add map[string]string, del map[string]bool) error { + func PrintEnv(w io.Writer, env []cfg.EnvVar) { + for _, e := range env { + if e.Name != "TERM" { ++ if runtime.GOOS != "plan9" && bytes.Contains([]byte(e.Value), []byte{0}) { ++ base.Fatalf("go: internal error: encountered null byte in environment variable %s on non-plan9 platform", e.Name) ++ } + switch runtime.GOOS { + default: +- fmt.Fprintf(w, "%s=\"%s\"\n", e.Name, e.Value) ++ fmt.Fprintf(w, "%s=%s\n", e.Name, shellQuote(e.Value)) + case "plan9": + if strings.IndexByte(e.Value, '\x00') < 0 { + fmt.Fprintf(w, "%s='%s'\n", e.Name, strings.ReplaceAll(e.Value, "'", "''")) +@@ -426,17 +431,68 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } ++ // TODO(#59979): Does this need to be quoted like above? + fmt.Fprintf(w, "%s", s) + } + fmt.Fprintf(w, ")\n") + } + case "windows": +- fmt.Fprintf(w, "set %s=%s\n", e.Name, e.Value) ++ if hasNonGraphic(e.Value) { ++ base.Errorf("go: stripping unprintable or unescapable characters from %%%q%%", e.Name) ++ } ++ fmt.Fprintf(w, "set %s=%s\n", e.Name, batchEscape(e.Value)) + } + } + } + } + ++func hasNonGraphic(s string) bool { ++ for _, c := range []byte(s) { ++ if c == '\r' || c == '\n' || (!unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c))) { ++ return true ++ } ++ } ++ return false ++} ++ ++func shellQuote(s string) string { ++ var b bytes.Buffer ++ b.WriteByte('\'') ++ for _, x := range []byte(s) { ++ if x == '\'' { ++ // Close the single quoted string, add an escaped single quote, ++ // and start another single quoted string. ++ b.WriteString(`'\''`) ++ } else { ++ b.WriteByte(x) ++ } ++ } ++ b.WriteByte('\'') ++ return b.String() ++} ++ ++func batchEscape(s string) string { ++ var b bytes.Buffer ++ for _, x := range []byte(s) { ++ if x == '\r' || x == '\n' || (!unicode.IsGraphic(rune(x)) && !unicode.IsSpace(rune(x))) { ++ b.WriteRune(unicode.ReplacementChar) ++ continue ++ } ++ switch x { ++ case '%': ++ b.WriteString("%%") ++ case '<', '>', '|', '&', '^': ++ // These are special characters that need to be escaped with ^. See ++ // https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1. ++ b.WriteByte('^') ++ b.WriteByte(x) ++ default: ++ b.WriteByte(x) ++ } ++ } ++ return b.String() ++} ++ + func printEnvAsJSON(env []cfg.EnvVar) { + m := make(map[string]string) + for _, e := range env { +diff --git a/src/cmd/go/internal/envcmd/env_test.go b/src/cmd/go/internal/envcmd/env_test.go +new file mode 100644 +index 0000000..32d99fd +--- /dev/null ++++ b/src/cmd/go/internal/envcmd/env_test.go +@@ -0,0 +1,94 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build unix || windows ++ ++package envcmd ++ ++import ( ++ "bytes" ++ "cmd/go/internal/cfg" ++ "fmt" ++ "internal/testenv" ++ "os" ++ "os/exec" ++ "path/filepath" ++ "runtime" ++ "testing" ++ "unicode" ++) ++ ++func FuzzPrintEnvEscape(f *testing.F) { ++ f.Add(`$(echo 'cc"'; echo 'OOPS="oops')`) ++ f.Add("$(echo shell expansion 1>&2)") ++ f.Add("''") ++ f.Add(`C:\"Program Files"\`) ++ f.Add(`\\"Quoted Host"\\share`) ++ f.Add("\xfb") ++ f.Add("0") ++ f.Add("") ++ f.Add("''''''''") ++ f.Add("\r") ++ f.Add("\n") ++ f.Add("E,%") ++ f.Fuzz(func(t *testing.T, s string) { ++ t.Parallel() ++ ++ for _, c := range []byte(s) { ++ if c == 0 { ++ t.Skipf("skipping %q: contains a null byte. Null bytes can't occur in the environment"+ ++ " outside of Plan 9, which has different code path than Windows and Unix that this test"+ ++ " isn't testing.", s) ++ } ++ if c > unicode.MaxASCII { ++ t.Skipf("skipping %#q: contains a non-ASCII character %q", s, c) ++ } ++ if !unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c)) { ++ t.Skipf("skipping %#q: contains non-graphic character %q", s, c) ++ } ++ if runtime.GOOS == "windows" && c == '\r' || c == '\n' { ++ t.Skipf("skipping %#q on Windows: contains unescapable character %q", s, c) ++ } ++ } ++ ++ var b bytes.Buffer ++ if runtime.GOOS == "windows" { ++ b.WriteString("@echo off\n") ++ } ++ PrintEnv(&b, []cfg.EnvVar{{Name: "var", Value: s}}) ++ var want string ++ if runtime.GOOS == "windows" { ++ fmt.Fprintf(&b, "echo \"%%var%%\"\n") ++ want += "\"" + s + "\"\r\n" ++ } else { ++ fmt.Fprintf(&b, "printf '%%s\\n' \"$var\"\n") ++ want += s + "\n" ++ } ++ scriptfilename := "script.sh" ++ if runtime.GOOS == "windows" { ++ scriptfilename = "script.bat" ++ } ++ scriptfile := filepath.Join(t.TempDir(), scriptfilename) ++ if err := os.WriteFile(scriptfile, b.Bytes(), 0777); err != nil { ++ t.Fatal(err) ++ } ++ t.Log(b.String()) ++ var cmd *exec.Cmd ++ if runtime.GOOS == "windows" { ++ cmd = testenv.Command(t, "cmd.exe", "/C", scriptfile) ++ } else { ++ cmd = testenv.Command(t, "sh", "-c", scriptfile) ++ } ++ out, err := cmd.Output() ++ t.Log(string(out)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ if string(out) != want { ++ t.Fatalf("output of running PrintEnv script and echoing variable: got: %q, want: %q", ++ string(out), want) ++ } ++ }) ++} +diff --git a/src/cmd/go/testdata/script/env_sanitize.txt b/src/cmd/go/testdata/script/env_sanitize.txt +new file mode 100644 +index 0000000..cc4d23a +--- /dev/null ++++ b/src/cmd/go/testdata/script/env_sanitize.txt +@@ -0,0 +1,5 @@ ++env GOFLAGS='$(echo ''cc"''; echo ''OOPS="oops'')' ++go env ++[GOOS:darwin] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo ''\\''''OOPS="oops''\\''''\)''' ++[GOOS:linux] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo ''\\''''OOPS="oops''\\''''\)''' ++[GOOS:windows] stdout 'set GOFLAGS=\$\(echo ''cc"''; echo ''OOPS="oops''\)' +diff --git a/src/cmd/go/testdata/script/work_env.txt b/src/cmd/go/testdata/script/work_env.txt +index 511bb4e..8b1779e 100644 +--- a/src/cmd/go/testdata/script/work_env.txt ++++ b/src/cmd/go/testdata/script/work_env.txt +@@ -1,7 +1,7 @@ + go env GOWORK + stdout '^'$GOPATH'[\\/]src[\\/]go.work$' + go env +-stdout '^(set )?GOWORK="?'$GOPATH'[\\/]src[\\/]go.work"?$' ++stdout '^(set )?GOWORK=''?'$GOPATH'[\\/]src[\\/]go.work''?$' + + cd .. + go env GOWORK +-- +2.39.0 + diff --git a/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch new file mode 100644 index 0000000000..dec36f9d42 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go/CVE-2023-24531_2.patch @@ -0,0 +1,47 @@ +From 24f1def536c5344e0067a3119790b83ee6224058 Mon Sep 17 00:00:00 2001 +From: miller <millerresearch@gmail.com> +Date: Mon, 8 May 2023 16:56:21 +0100 +Subject: [PATCH 2/2] cmd/go: quote entries in list-valued variables for go env + in plan9 + +When 'go env' without an argument prints environment variables as +a script which can be executed by the shell, variables with a +list value in Plan 9 (such as GOPATH) need to be printed with each +element enclosed in single quotes in case it contains characters +significant to the Plan 9 shell (such as ' ' or '='). + +For #58508 + +Change-Id: Ia30f51307cc6d07a7e3ada6bf9d60bf9951982ff +Reviewed-on: https://go-review.googlesource.com/c/go/+/493535 +Run-TryBot: Cherry Mui <cherryyz@google.com> +Reviewed-by: Cherry Mui <cherryyz@google.com> +Reviewed-by: Russ Cox <rsc@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> +Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> + +CVE: CVE-2023-24531 +Upstream-Status: Backport [05cc9e55876874462a4726ca0101c970838c80e5] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/cmd/go/internal/envcmd/env.go | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index 5b52fad..d4fc399 100644 +--- a/src/cmd/go/internal/envcmd/env.go ++++ b/src/cmd/go/internal/envcmd/env.go +@@ -431,8 +431,7 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } +- // TODO(#59979): Does this need to be quoted like above? +- fmt.Fprintf(w, "%s", s) ++ fmt.Fprintf(w, "'%s'", strings.ReplaceAll(s, "'", "''")) + } + fmt.Fprintf(w, ")\n") + } +-- +2.39.0 + diff --git a/poky/meta/recipes-devtools/go/go_1.20.4.bb b/poky/meta/recipes-devtools/go/go_1.20.7.bb index 46f5fbc6be..46f5fbc6be 100644 --- a/poky/meta/recipes-devtools/go/go_1.20.4.bb +++ b/poky/meta/recipes-devtools/go/go_1.20.7.bb diff --git a/poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb b/poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb index 14d6a37de1..c44ae2729b 100644 --- a/poky/meta/recipes-devtools/libdnf/libdnf_0.70.0.bb +++ b/poky/meta/recipes-devtools/libdnf/libdnf_0.70.1.bb @@ -12,7 +12,7 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p file://0001-drop-FindPythonInstDir.cmake.patch \ " -SRCREV = "93759bc5cac262906e52b6a173d7b157914ec29e" +SRCREV = "3b8e59ad8ed3a3eb736d8a2e16b4fc04313d1f12" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(?!4\.90)\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb index 255f5efb70..83d2f01263 100644 --- a/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb +++ b/poky/meta/recipes-devtools/ninja/ninja_1.11.1.bb @@ -29,3 +29,6 @@ do_install() { } BBCLASSEXTEND = "native nativesdk" + +# This is a different Ninja +CVE_CHECK_IGNORE += "CVE-2021-4336" diff --git a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.6.2.bb index b27e3ded33..eb88b9b734 100644 --- a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb +++ b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.6.2.bb @@ -10,7 +10,7 @@ PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'update-alternatives', 'virtu SRC_URI = "git://git.yoctoproject.org/opkg-utils;protocol=https;branch=master \ file://0001-update-alternatives-correctly-match-priority.patch \ " -SRCREV = "9239541f14a2529b9d01c0a253ab11afa2822dab" +SRCREV = "67994e62dc598282830385da75ba9b1abbbda941" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch b/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch deleted file mode 100644 index 3406878a1d..0000000000 --- a/poky/meta/recipes-devtools/opkg/opkg/0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 4089affd371e6d62dd8c1e57b344f8cc329005ea Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sat, 14 Jan 2023 23:11:08 -0800 -Subject: [PATCH] Define alignof using _Alignof when using C11 or newer - -WG14 N2350 made very clear that it is an UB having type definitions -within "offsetof" [1]. This patch enhances the implementation of macro -alignof_slot to use builtin "_Alignof" to avoid undefined behavior on -when using std=c11 or newer - -clang 16+ has started to flag this [2] - -Fixes build when using -std >= gnu11 and using clang16+ - -Older compilers gcc < 4.9 or clang < 8 has buggy _Alignof even though it -may support C11, exclude those compilers too - -[1] https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm -[2] https://reviews.llvm.org/D133574 - -Upstream-Status: Submitted [https://groups.google.com/g/opkg-devel/c/gjcQPZgT_jI] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - libopkg/md5.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libopkg/md5.c b/libopkg/md5.c -index 981b9b8..ccb645e 100644 ---- a/libopkg/md5.c -+++ b/libopkg/md5.c -@@ -237,7 +237,17 @@ void md5_process_bytes(const void *buffer, size_t len, struct md5_ctx *ctx) - /* Process available complete blocks. */ - if (len >= 64) { - #if !_STRING_ARCH_unaligned -+/* GCC releases before GCC 4.9 had a bug in _Alignof. See GCC bug 52023 -+ <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52023>. -+ clang versions < 8.0.0 have the same bug. */ -+#if (!defined __STDC_VERSION__ || __STDC_VERSION__ < 201112 \ -+ || (defined __GNUC__ && __GNUC__ < 4 + (__GNUC_MINOR__ < 9) \ -+ && !defined __clang__) \ -+ || (defined __clang__ && __clang_major__ < 8)) - #define alignof(type) offsetof (struct { char c; type x; }, x) -+#else -+#define alignof(type) _Alignof(type) -+#endif - #define UNALIGNED_P(p) (((size_t) p) % alignof (uint32_t) != 0) - if (UNALIGNED_P(buffer)) - while (len > 64) { --- -2.39.0 - diff --git a/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch b/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch deleted file mode 100644 index f216950002..0000000000 --- a/poky/meta/recipes-devtools/opkg/opkg/0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a658e6402382250f0164c5b47b744740e04f3611 Mon Sep 17 00:00:00 2001 -From: Charlie Johnston <charlie.johnston@ni.com> -Date: Fri, 30 Dec 2022 15:21:14 -0600 -Subject: [PATCH] opkg-key: Remove --no-options flag from gpg calls. - -The opkg-key script was always passing the --no-options -flag to gpg, which uses /dev/null as the options file. -As a result, the opkg gpg.conf file was not getting -used. This change removes that flag so that gpg.conf -in the GPGHOMEDIR for opkg (currently /etc/opkg/gpg/) -will be used if present. - -Upstream-Status: Accepted [https://git.yoctoproject.org/opkg/commit/?id=cee294e72d257417b5e55ef7a76a0fd15313e46b] -Signed-off-by: Charlie Johnston <charlie.johnston@ni.com> ---- - utils/opkg-key | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/utils/opkg-key b/utils/opkg-key -index e395a59..8645ebc 100755 ---- a/utils/opkg-key -+++ b/utils/opkg-key -@@ -53,7 +53,7 @@ else - exit 1 - fi - --GPG="$GPGCMD --no-options --homedir $GPGHOMEDIR" -+GPG="$GPGCMD --homedir $GPGHOMEDIR" - - # Gpg home dir isn't created automatically when --homedir option is used - if [ ! -e "$GPGHOMEDIR" ]; then --- -2.30.2 - diff --git a/poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb b/poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb index 4c25fe963a..46be137354 100644 --- a/poky/meta/recipes-devtools/opkg/opkg_0.6.1.bb +++ b/poky/meta/recipes-devtools/opkg/opkg_0.6.2.bb @@ -15,12 +15,10 @@ PE = "1" SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \ file://opkg.conf \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ - file://0002-opkg-key-remove-no-options-flag-from-gpg-calls.patch \ - file://0001-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \ file://run-ptest \ -" + " -SRC_URI[sha256sum] = "e87fccb575c64d3ac0559444016a2795f12125986a0da896bab97c4a1a2f1b2a" +SRC_URI[sha256sum] = "ac73a90a2549cd04948e563d915912c78e1b8ba0f43af75c5a53fcca474adbd5" # This needs to be before ptest inherit, otherwise all ptest files end packaged # in libopkg package if OPKGLIBDIR == libdir, because default diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch new file mode 100644 index 0000000000..1f7cbd0da1 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31484.patch @@ -0,0 +1,29 @@ +From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <git@stig.io> +Date: Tue, 28 Feb 2023 11:54:06 +0100 +Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server + identity + +Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0] + +CVE: CVE-2023-31484 + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +index 4fc792c..a616fee 100644 +--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm ++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +@@ -32,6 +32,7 @@ sub mirror { + + my $want_proxy = $self->_want_proxy($uri); + my $http = HTTP::Tiny->new( ++ verify_SSL => 1, + $want_proxy ? (proxy => $self->{proxy}) : () + ); + +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch new file mode 100644 index 0000000000..e2a2216a0d --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch @@ -0,0 +1,217 @@ +From e1ca8defeff496000fc96600ebfca7250065c1f1 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <git@stig.io> +Date: Thu, 29 Jun 2023 14:36:05 +0000 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default + +- Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + Fixes CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` + $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- + 1 file changed, 57 insertions(+), 29 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index 83ca06d..5f6ced8 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } + #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, the request response status code + #pod will be 599. +-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL +-#pod certificate of an C<https> — connection (default is false) ++#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C<https> — connection (default is true). Changed from false ++#pod to true in version 0.083. + #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to + #pod L<IO::Socket::SSL> ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C<verify_SSL> is not set. Added in version 0.083. + #pod + #pod An accessor/mutator method exists for each attribute. + #pod +@@ -111,11 +115,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++ # Support lower case verify_ssl argument, but only if verify_SSL is not ++ # true. ++ if ( exists $args{verify_ssl} ) { ++ $args{verify_SSL} ||= $args{verify_ssl}; ++ } ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -134,6 +144,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++ my ($self) = @_; ++ # Check if insecure default certificate verification behaviour has been ++ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1055,7 +1072,7 @@ sub new { + timeout => 60, + max_line_size => 16384, + max_header_lines => 64, +- verify_SSL => 0, ++ verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL_options => {}, + %args + }, $class; +@@ -2043,11 +2060,11 @@ proxy + timeout + verify_SSL + +-=head1 SSL SUPPORT ++=head1 TLS/SSL SUPPORT + + Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or + greater and L<Net::SSLeay> 1.49 or greater are installed. An error will occur +-if new enough versions of these modules are not installed or if the SSL ++if new enough versions of these modules are not installed or if the TLS + encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function + that returns boolean to see if the required modules are installed. + +@@ -2055,7 +2072,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC + command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself + requires C<https> to communicate. + +-SSL provides two distinct capabilities: ++TLS/SSL provides two distinct capabilities: + + =over 4 + +@@ -2069,24 +2086,17 @@ Verification of server identity + + =back + +-B<By default, HTTP::Tiny does not verify server identity>. +- +-Server identity verification is controversial and potentially tricky because it +-depends on a (usually paid) third-party Certificate Authority (CA) trust model +-to validate a certificate as legitimate. This discriminates against servers +-with self-signed certificates or certificates signed by free, community-driven +-CA's such as L<CAcert.org|http://cacert.org>. ++B<By default, HTTP::Tiny verifies server identity>. + +-By default, HTTP::Tiny does not make any assumptions about your trust model, +-threat level or risk tolerance. It just aims to give you an encrypted channel +-when you need one. ++This was changed in version 0.083 due to security concerns. The previous default ++behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> ++to 1. + +-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify +-that an SSL connection has a valid SSL certificate corresponding to the host +-name of the connection and that the SSL certificate has been verified by a CA. +-Assuming you trust the CA, this will protect against a L<man-in-the-middle +-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are +-concerned about security, you should enable this option. ++Verification is done by checking that that the TLS/SSL connection has a valid ++certificate corresponding to the host name of the connection and that the ++certificate has been verified by a CA. Assuming you trust the CA, this will ++protect against L<machine-in-the-middle ++attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>. + + Certificate verification requires a file containing trusted CA certificates. + +@@ -2094,9 +2104,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny + will try to find a CA certificate file in that location. + + If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file +-included with it as a source of trusted CA's. (This means you trust Mozilla, +-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the +-toolchain used to install it, and your operating system security, right?) ++included with it as a source of trusted CA's. + + If that module is not available, then HTTP::Tiny will search several + system-specific default locations for a CA certificate file: +@@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file: + + /etc/ssl/ca-bundle.pem + ++=item * ++ ++/etc/openssl/certs/ca-certificates.crt ++ ++=item * ++ ++/etc/ssl/cert.pem ++ ++=item * ++ ++/usr/local/share/certs/ca-root-nss.crt ++ ++=item * ++ ++/etc/pki/tls/cacert.pem ++ ++=item * ++ ++/etc/certs/ca-certificates.crt ++ + =back + + An error will be occur if C<verify_SSL> is true and no CA certificate file + is available. + +-If you desire complete control over SSL connections, the C<SSL_options> attribute +-lets you provide a hash reference that will be passed through to ++If you desire complete control over TLS/SSL connections, the C<SSL_options> ++attribute lets you provide a hash reference that will be passed through to + C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For + example, to provide your own trusted CA file: + +@@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file: + + The C<SSL_options> attribute could also be used for such things as providing a + client certificate for authentication to a server or controlling the choice of +-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for ++cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for + details. + + =head1 PROXY SUPPORT +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch new file mode 100644 index 0000000000..e41e140cf9 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch @@ -0,0 +1,30 @@ +commit a22785783b17cbaa28afaee4a024d81a1903701d +From: Stig Palmquist <git@stig.io> +Date: Sun Jun 18 11:36:05 2023 +0200 + + Fix incorrect env var name for verify_SSL default + + The variable to override the verify_SSL default differed slightly in the + documentation from what was checked for in the code. + + This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` + as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was + missing `SSL_` + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- +diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm +index bf455b6..7240b65 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -149,7 +149,7 @@ sub _verify_SSL_default { + my ($self) = @_; + # Check if insecure default certificate verification behaviour has been + # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 +- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; + } + + sub _set_proxies { diff --git a/poky/meta/recipes-devtools/perl/perl_5.36.0.bb b/poky/meta/recipes-devtools/perl/perl_5.36.0.bb index b8dba00f18..c3ca28ed23 100644 --- a/poky/meta/recipes-devtools/perl/perl_5.36.0.bb +++ b/poky/meta/recipes-devtools/perl/perl_5.36.0.bb @@ -18,6 +18,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \ file://determinism.patch \ file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \ file://0001-Fix-build-with-gcc-12.patch \ + file://CVE-2023-31484.patch \ + file://CVE-2023-31486-0001.patch \ + file://CVE-2023-31486-0002.patch \ " SRC_URI:append:class-native = " \ file://perl-configpm-switch.patch \ diff --git a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb index ab0f371093..ab1d1c84e8 100644 --- a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.4.bb +++ b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.9.5.bb @@ -15,12 +15,12 @@ LICENSE = "pkgconf" LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0" SRC_URI = "\ - https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \ + https://distfiles.ariadne.space/pkgconf/pkgconf-${PV}.tar.xz \ file://pkg-config-wrapper \ file://pkg-config-native.in \ file://pkg-config-esdk.in \ " -SRC_URI[sha256sum] = "daccf1bbe5a30d149b556c7d2ffffeafd76d7b514e249271abdd501533c1d8ae" +SRC_URI[sha256sum] = "1ac1656debb27497563036f7bffc281490f83f9b8457c0d60bcfb638fb6b6171" inherit autotools diff --git a/poky/meta/recipes-devtools/pseudo/files/glibc238.patch b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch new file mode 100644 index 0000000000..76ca8c11eb --- /dev/null +++ b/poky/meta/recipes-devtools/pseudo/files/glibc238.patch @@ -0,0 +1,72 @@ +glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by +_GNU_SOURCE but we have to set that for other definitions. Therefore play with defines +to turn this off within pseudo_wrappers.c. Elsewhere we can switch to _DEFAULT_SOURCE +rather than _GNU_SOURCE. + +Upstream-Status: Pending + +Index: git/pseudo_wrappers.c +=================================================================== +--- git.orig/pseudo_wrappers.c ++++ git/pseudo_wrappers.c +@@ -6,6 +6,15 @@ + * SPDX-License-Identifier: LGPL-2.1-only + * + */ ++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by ++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines ++ * to turn this off. ++ */ ++#include <features.h> ++#undef __GLIBC_USE_ISOC2X ++#undef __GLIBC_USE_C2X_STRTOL ++#define __GLIBC_USE_C2X_STRTOL 0 ++ + #include <assert.h> + #include <stdlib.h> + #include <limits.h> +Index: git/pseudo_util.c +=================================================================== +--- git.orig/pseudo_util.c ++++ git/pseudo_util.c +@@ -8,6 +8,14 @@ + */ + /* we need access to RTLD_NEXT for a horrible workaround */ + #define _GNU_SOURCE ++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by ++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines ++ * to turn this off. ++ */ ++#include <features.h> ++#undef __GLIBC_USE_ISOC2X ++#undef __GLIBC_USE_C2X_STRTOL ++#define __GLIBC_USE_C2X_STRTOL 0 + + #include <ctype.h> + #include <errno.h> +Index: git/pseudolog.c +=================================================================== +--- git.orig/pseudolog.c ++++ git/pseudolog.c +@@ -8,7 +8,7 @@ + */ + /* We need _XOPEN_SOURCE for strptime(), but if we define that, + * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */ +-#define _GNU_SOURCE ++#define _DEFAULT_SOURCE + + #include <ctype.h> + #include <limits.h> +Index: git/pseudo_client.c +=================================================================== +--- git.orig/pseudo_client.c ++++ git/pseudo_client.c +@@ -6,7 +6,7 @@ + * SPDX-License-Identifier: LGPL-2.1-only + * + */ +-#define _GNU_SOURCE ++#define _DEFAULT_SOURCE + + #include <stdio.h> + #include <signal.h> diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb index c3c4bb0ed9..9260a3faa3 100644 --- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -2,6 +2,7 @@ require pseudo.inc SRC_URI = "git://git.yoctoproject.org/pseudo;branch=master;protocol=https \ file://0001-configure-Prune-PIE-flags.patch \ + file://glibc238.patch \ file://fallback-passwd \ file://fallback-group \ " diff --git a/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb b/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb index 9f5b81330b..42d5d4dfce 100644 --- a/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb +++ b/poky/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb @@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8f7bb094c7232b058c7e9f2e431f389c" HOMEPAGE = "https://pypi.org/project/bcrypt/" DEPENDS += "${PYTHON_PN}-cffi-native" +LDFLAGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', ' -fuse-ld=bfd', '', d)}" SRC_URI[sha256sum] = "27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd" diff --git a/poky/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb b/poky/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb index dca3d26811..f63b0b6cb8 100644 --- a/poky/meta/recipes-devtools/python/python3-certifi_2022.12.7.bb +++ b/poky/meta/recipes-devtools/python/python3-certifi_2023.7.22.bb @@ -7,7 +7,7 @@ HOMEPAGE = " http://certifi.io/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=3c2b7404369c587c3559afb604fce2f2" -SRC_URI[sha256sum] = "35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3" +SRC_URI[sha256sum] = "539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/python/python3-git_3.1.31.bb b/poky/meta/recipes-devtools/python/python3-git_3.1.37.bb index 08b9f66bcb..56a335a79e 100644 --- a/poky/meta/recipes-devtools/python/python3-git_3.1.31.bb +++ b/poky/meta/recipes-devtools/python/python3-git_3.1.37.bb @@ -6,13 +6,13 @@ access with big-files support." HOMEPAGE = "http://github.com/gitpython-developers/GitPython" SECTION = "devel/python" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5279a7ab369ba336989dcf2a107e5c8e" PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "8ce3bcf69adfdf7c7d503e78fd3b1c492af782d58893b650adb2ac8912ddd573" +SRC_URI[sha256sum] = "f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54" DEPENDS += " ${PYTHON_PN}-gitdb" diff --git a/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch b/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch new file mode 100644 index 0000000000..d733dda333 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-numpy/0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch @@ -0,0 +1,135 @@ +From f2a722aa30a29709bb9b5f60fc6d20a10fe6b4f5 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 28 Jun 2023 17:58:52 +0800 +Subject: [PATCH] simd.inc.src: Change NPY_INLINE to inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: + | numpy/core/src/umath/simd.inc.src:977:20: note: called from here + | 977 | @vtype@ zeros = _mm512_setzero_@vsuffix@(); + | ^~~~~~~~~~~~~~~~~~~ + | numpy/core/src/umath/simd.inc.src:596:1: error: inlining failed in call to ‘always_inline’ ‘avx512_get_full_load_mask_ps’: target specific option mismatch + 596 | avx512_get_full_load_mask_ps(void) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | numpy/core/src/umath/simd.inc.src:976:27: note: called from here + 976 | @mask@ load_mask = avx512_get_full_load_mask_@vsuffix@(); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | /usr/lib/gcc/x86_64-redhat-linux/13/include/avx512fintrin.h:6499:1: error: inlining failed in call to ‘always_inline’ ‘_mm512_loadu_si512’: target specific option mismatch + +Upstream-Status: Inappropriate [The file simd.inc.src have been removed in new version as + https://github.com/numpy/numpy/commit/640e85017aa8eac3e9be68b475acf27d623b16b7] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + numpy/core/src/umath/simd.inc.src | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/numpy/core/src/umath/simd.inc.src b/numpy/core/src/umath/simd.inc.src +index d6c9a7e..39aec9a 100644 +--- a/numpy/core/src/umath/simd.inc.src ++++ b/numpy/core/src/umath/simd.inc.src +@@ -61,11 +61,11 @@ + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static inline NPY_GCC_TARGET_AVX512F void + AVX512F_@func@_@TYPE@(@type@*, @type@*, const npy_intp n, const npy_intp stride); + #endif + +-static NPY_INLINE int ++static inline int + run_unary_avx512f_@func@_@TYPE@(char **args, const npy_intp *dimensions, const npy_intp *steps) + { + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +@@ -99,11 +99,11 @@ run_unary_avx512f_@func@_@TYPE@(char **args, const npy_intp *dimensions, const n + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS && @EXISTS@ +-static NPY_INLINE NPY_GCC_TARGET_AVX512_SKX void ++static inline NPY_GCC_TARGET_AVX512_SKX void + AVX512_SKX_@func@_@TYPE@(npy_bool*, @type@*, const npy_intp n, const npy_intp stride); + #endif + +-static NPY_INLINE int ++static inline int + run_@func@_avx512_skx_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS && @EXISTS@ +@@ -144,7 +144,7 @@ sse2_@func@_@TYPE@(@type@ *, @type@ *, const npy_intp n); + + #endif + +-static NPY_INLINE int ++static inline int + run_@name@_simd_@func@_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if @vector@ && defined NPY_HAVE_SSE2_INTRINSICS +@@ -169,7 +169,7 @@ sse2_@kind@_@TYPE@(npy_bool * op, @type@ * ip1, npy_intp n); + + #endif + +-static NPY_INLINE int ++static inline int + run_@kind@_simd_@TYPE@(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if @vector@ && defined NPY_HAVE_SSE2_INTRINSICS +@@ -205,7 +205,7 @@ static void + sse2_reduce_@kind@_BOOL(npy_bool * op, npy_bool * ip, npy_intp n); + #endif + +-static NPY_INLINE int ++static inline int + run_binary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -220,7 +220,7 @@ run_binary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp co + } + + +-static NPY_INLINE int ++static inline int + run_reduce_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -245,7 +245,7 @@ static void + sse2_@kind@_BOOL(npy_bool *, npy_bool *, const npy_intp n); + #endif + +-static NPY_INLINE int ++static inline int + run_unary_simd_@kind@_BOOL(char **args, npy_intp const *dimensions, npy_intp const *steps) + { + #if defined NPY_HAVE_SSE2_INTRINSICS +@@ -875,7 +875,7 @@ NPY_FINLINE NPY_GCC_OPT_3 NPY_GCC_TARGET_@ISA@ @vtype@d + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512_SKX_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_INLINE NPY_GCC_TARGET_AVX512_SKX void ++static inline NPY_GCC_TARGET_AVX512_SKX void + AVX512_SKX_@func@_@TYPE@(npy_bool* op, @type@* ip, const npy_intp array_size, const npy_intp steps) + { + const npy_intp stride_ip = steps/(npy_intp)sizeof(@type@); +@@ -954,7 +954,7 @@ AVX512_SKX_@func@_@TYPE@(npy_bool* op, @type@* ip, const npy_intp array_size, co + */ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_GCC_OPT_3 NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static NPY_GCC_OPT_3 inline NPY_GCC_TARGET_AVX512F void + AVX512F_@func@_@TYPE@(@type@ * op, + @type@ * ip, + const npy_intp array_size, +@@ -1001,7 +1001,7 @@ AVX512F_@func@_@TYPE@(@type@ * op, + /**end repeat1**/ + + #if defined HAVE_ATTRIBUTE_TARGET_AVX512F_WITH_INTRINSICS && defined NPY_HAVE_SSE2_INTRINSICS +-static NPY_GCC_OPT_3 NPY_INLINE NPY_GCC_TARGET_AVX512F void ++static NPY_GCC_OPT_3 inline NPY_GCC_TARGET_AVX512F void + AVX512F_absolute_@TYPE@(@type@ * op, + @type@ * ip, + const npy_intp array_size, +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb b/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb index bfcfc52729..5f88948de2 100644 --- a/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb +++ b/poky/meta/recipes-devtools/python/python3-numpy_1.24.2.bb @@ -10,6 +10,7 @@ SRCNAME = "numpy" SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${SRCNAME}-${PV}.tar.gz \ file://0001-Don-t-search-usr-and-so-on-for-libraries-by-default-.patch \ file://0001-numpy-core-Define-RISCV-32-support.patch \ + file://0001-simd.inc.src-Change-NPY_INLINE-to-inline.patch \ file://run-ptest \ " SRC_URI[sha256sum] = "003a9f530e880cb2cd177cba1af7220b9aa42def9c4afc2a2fc3ee6be7eb2b22" diff --git a/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch new file mode 100644 index 0000000000..d7fc87fec8 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch @@ -0,0 +1,49 @@ +From 9a73f2a80e5cf869d473ddcbfceaab229fb99b5e Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 28 Aug 2023 15:04:14 +0000 +Subject: [PATCH] SQL+Jinja: use a simpler regex in analyse_text + +Fixes catastrophic backtracking + +Fixes #2355 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGES | 1 + + pygments/lexers/templates.py | 6 +----- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 2aa54fa..4c84fa6 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -61,6 +61,7 @@ Version 2.14.0 + * Spice: Add ``enum`` keyword and fix a bug regarding binary, + hexadecimal and octal number tokens (#2227) + * YAML: Accept colons in key names (#2277) ++ * SQL+Jinja (``analyse_text`` method): fix catastrophic backtracking [Backported] + + - Fix `make mapfiles` when Pygments is not installed in editable mode + (#2223) +diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py +index 1fcf708..1066294 100644 +--- a/pygments/lexers/templates.py ++++ b/pygments/lexers/templates.py +@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer): + if re.search(r'\{\{\s*source\(.*\)\s*\}\}', text): + rv += 0.25 + # Jinja macro +- if re.search( +- r'\{%-?\s*macro \w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}', +- text, +- re.S, +- ): ++ if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text): + rv += 0.15 + return rv +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch new file mode 100644 index 0000000000..61ebe5dad5 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch @@ -0,0 +1,301 @@ +From 45ff8eabe0363f829c397372aefc3b23aeb135b3 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Tue, 29 Aug 2023 10:45:34 +0000 +Subject: [PATCH] Improve Java properties lexer (#2404) + +Use special lexer rules for escapes; fixes catastrophic backtracking, +and highlights them too. + +Fixes #2356 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + pygments/lexers/configs.py | 50 +++++--- + tests/examplefiles/properties/java.properties | 11 ++ + .../properties/java.properties.output | 110 +++++++++++++++--- + .../test_escaped_space_in_value.txt | 4 +- + .../properties/test_just_key_with_space.txt | 4 +- + 5 files changed, 143 insertions(+), 36 deletions(-) + +diff --git a/pygments/lexers/configs.py b/pygments/lexers/configs.py +index e04c722..b28b56a 100644 +--- a/pygments/lexers/configs.py ++++ b/pygments/lexers/configs.py +@@ -129,26 +129,42 @@ class PropertiesLexer(RegexLexer): + + tokens = { + 'root': [ +- (r'\s+', Whitespace), ++ # comments + (r'[!#].*|/{2}.*', Comment.Single), +- # search for first separator +- (r'([^\\\n]|\\.)*?(?=[ \f\t=:])', Name.Attribute, "separator"), +- # empty key +- (r'.+?$', Name.Attribute), ++ # ending a comment or whitespace-only line ++ (r'\n', Whitespace), ++ # eat whitespace at the beginning of a line ++ (r'^[^\S\n]+', Whitespace), ++ # start lexing a key ++ default('key'), + ], +- 'separator': [ +- # search for line continuation escape +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)$', +- bygroups(Whitespace, Operator, Whitespace, String, Text), "value", "#pop"), +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*)', +- bygroups(Whitespace, Operator, Whitespace, String), "#pop"), ++ 'key': [ ++ # non-escaped key characters ++ (r'[^\\:=\s]+', Name.Attribute), ++ # escapes ++ include('escapes'), ++ # separator is the first non-escaped whitespace or colon or '=' on the line; ++ # if it's whitespace, = and : are gobbled after it ++ (r'([^\S\n]*)([:=])([^\S\n]*)', ++ bygroups(Whitespace, Operator, Whitespace), ++ ('#pop', 'value')), ++ (r'[^\S\n]+', Whitespace, ('#pop', 'value')), ++ # maybe we got no value after all ++ (r'\n', Whitespace, '#pop'), + ], +- 'value': [ # line continuation +- (r'\s+', Whitespace), +- # search for line continuation escape +- (r'(\s*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)([ \t]*)', +- bygroups(Whitespace, String, Text, Whitespace)), +- (r'.*$', String, "#pop"), ++ 'value': [ ++ # non-escaped value characters ++ (r'[^\\\n]+', String), ++ # escapes ++ include('escapes'), ++ # end the value on an unescaped newline ++ (r'\n', Whitespace, '#pop'), ++ ], ++ 'escapes': [ ++ # line continuations; these gobble whitespace at the beginning of the next line ++ (r'(\\\n)([^\S\n]*)', bygroups(String.Escape, Whitespace)), ++ # other escapes ++ (r'\\(.|\n)', String.Escape), + ], + } + +diff --git a/tests/examplefiles/properties/java.properties b/tests/examplefiles/properties/java.properties +index d5b594e..7fe915c 100644 +--- a/tests/examplefiles/properties/java.properties ++++ b/tests/examplefiles/properties/java.properties +@@ -14,6 +14,8 @@ key = \ + and value2\\ + key\ 2 = value + key\\ 3 = value3 ++key \ ++ = value + + ! empty keys and edge cases + key1 = +@@ -22,3 +24,12 @@ key3 the value3 + key4 the:value4 + key5 the=value5 + key6=the value6 ++ ++! escapes in keys ++key\ with\ spaces = value ++key\nwith\nnewlines = value\nwith\nnewlines ++ ++ ! indented comment ++ ++! line continuations do \ ++not = work for comments +diff --git a/tests/examplefiles/properties/java.properties.output b/tests/examplefiles/properties/java.properties.output +index 0c1fdee..4822575 100644 +--- a/tests/examplefiles/properties/java.properties.output ++++ b/tests/examplefiles/properties/java.properties.output +@@ -2,13 +2,17 @@ + '\n' Text.Whitespace + + '# mixing spaces' Comment.Single +-'\n\t' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\t' Text.Whitespace + 'Truth' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'Beauty' Literal.String +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'Truth' Name.Attribute + ':' Operator + 'Beauty' Literal.String +@@ -23,18 +27,24 @@ + ' ' Text.Whitespace + ':' Operator + 'Beauty' Literal.String +-'\n \n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! line continuations and escapes' Comment.Single +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'fruits' Name.Attribute + ' ' Text.Whitespace + 'apple, banana, pear, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'cantaloupe, watermelon, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'kiwi, mango' Literal.String + '\n' Text.Whitespace + +@@ -42,25 +52,42 @@ + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'\\' Text +-'\n ' Text.Whitespace +-'value1 \\\\' Literal.String +-'\\' Text +-'\n ' Text.Whitespace +-'and value2\\\\' Literal.String ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'value1 ' Literal.String ++'\\\\' Literal.String.Escape ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'and value2' Literal.String ++'\\\\' Literal.String.Escape + '\n' Text.Whitespace + +-'key\\ 2' Name.Attribute ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'2' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'value' Literal.String + '\n' Text.Whitespace + +-'key\\\\' Name.Attribute ++'key' Name.Attribute ++'\\\\' Literal.String.Escape + ' ' Text.Whitespace + '3 = value3' Literal.String +-'\n\n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++' ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'= value' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! empty keys and edge cases' Comment.Single + '\n' Text.Whitespace +@@ -92,3 +119,52 @@ + '=' Operator + 'the value6' Literal.String + '\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! escapes in keys' Comment.Single ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'with' Name.Attribute ++'\\ ' Literal.String.Escape ++'spaces' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\n' Literal.String.Escape ++'with' Name.Attribute ++'\\n' Literal.String.Escape ++'newlines' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\\n' Literal.String.Escape ++'with' Literal.String ++'\\n' Literal.String.Escape ++'newlines' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace ++'! indented comment' Comment.Single ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! line continuations do \\' Comment.Single ++'\n' Text.Whitespace ++ ++'not' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'work for comments' Literal.String ++'\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_escaped_space_in_value.txt b/tests/snippets/properties/test_escaped_space_in_value.txt +index f76507f..44772d8 100644 +--- a/tests/snippets/properties/test_escaped_space_in_value.txt ++++ b/tests/snippets/properties/test_escaped_space_in_value.txt +@@ -6,5 +6,7 @@ key = doubleword\ value + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'doubleword\\ value' Literal.String ++'doubleword' Literal.String ++'\\ ' Literal.String.Escape ++'value' Literal.String + '\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_just_key_with_space.txt b/tests/snippets/properties/test_just_key_with_space.txt +index 660c37c..833fe40 100644 +--- a/tests/snippets/properties/test_just_key_with_space.txt ++++ b/tests/snippets/properties/test_just_key_with_space.txt +@@ -2,5 +2,7 @@ + just\ key + + ---tokens--- +-'just\\ key' Name.Attribute ++'just' Name.Attribute ++'\\ ' Literal.String.Escape ++'key' Name.Attribute + '\n' Text.Whitespace +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb b/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb index 16769e9263..b5b8abc113 100644 --- a/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb +++ b/poky/meta/recipes-devtools/python/python3-pygments_2.14.0.bb @@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592" inherit setuptools3 SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297" +SRC_URI += "file://CVE-2022-40896-0001.patch \ + file://CVE-2022-40896-0002.patch \ + " + DEPENDS += "\ ${PYTHON_PN} \ " diff --git a/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch new file mode 100644 index 0000000000..0110615572 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch @@ -0,0 +1,61 @@ +From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt <nate.prewitt@gmail.com> +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +CVE: CVE-2023-32681 +Upstream-Status: Backport +[https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> + +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 6cb3b4dae3..dbcf2a7b0e 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers["Proxy-Authorization"] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index b1c8dd4534..b420c44d73 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin): + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def test_basicauth_with_netrc(self, httpbin): + auth = ("user", "pass") + wrong_auth = ("wronguser", "wrongpass") diff --git a/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb b/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb index 2f397ddaad..b57f71673c 100644 --- a/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb +++ b/poky/meta/recipes-devtools/python/python3-requests_2.28.2.bb @@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" SRC_URI[sha256sum] = "98b1b2782e3c6c4904938b84c0eb932721069dfdb9134313beff7c83c2df24bf" +SRC_URI += " file://CVE-2023-32681.patch" + inherit pypi setuptools3 RDEPENDS:${PN} += " \ diff --git a/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch index 96e5e81342..222a567dd5 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch @@ -1,4 +1,4 @@ -From 7d296dc635ad3ac2792955ce37e140a4104b098f Mon Sep 17 00:00:00 2001 +From aa8f1709c54557d2b51a9a37d15ccc3de62e90cb Mon Sep 17 00:00:00 2001 From: Jeremy Puhlman <jpuhlman@mvista.com> Date: Wed, 4 Mar 2020 00:06:42 +0000 Subject: [PATCH] Don't search system for headers/libraries diff --git a/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch b/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch index df5179e877..07c6aef9b9 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch @@ -1,4 +1,4 @@ -From 86061629f4a179e740a17e53dd2c98ab47af2fe2 Mon Sep 17 00:00:00 2001 +From 7b0a14e7320078ac891d415cab9b7568e3f52ad8 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Thu, 16 Sep 2021 16:35:37 +0200 Subject: [PATCH] Lib/pty.py: handle stdin I/O errors same way as master I/O @@ -30,18 +30,18 @@ Signed-off-by: Alexander Kanavin <alex@linutronix.de> 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Lib/pty.py b/Lib/pty.py -index 8d8ce40..35439c6 100644 +index fefb63a..4cef056 100644 --- a/Lib/pty.py +++ b/Lib/pty.py -@@ -154,7 +154,10 @@ def _copy(master_fd, master_read=_read, stdin_read=_read): - os.write(STDOUT_FILENO, data) +@@ -184,7 +184,10 @@ def _copy(master_fd, master_read=_read, stdin_read=_read): + i_buf = i_buf[n:] - if STDIN_FILENO in rfds: + if stdin_avail and STDIN_FILENO in rfds: - data = stdin_read(STDIN_FILENO) + try: + data = stdin_read(STDIN_FILENO) + except OSError: + data = b"" if not data: - fds.remove(STDIN_FILENO) + stdin_avail = False else: diff --git a/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch b/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch index 86971f4048..a0f3d72992 100644 --- a/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch +++ b/poky/meta/recipes-devtools/python/python3/0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch @@ -1,4 +1,4 @@ -From cab8b8b1390165a93dfb27c48c1cc4c3e4280dfd Mon Sep 17 00:00:00 2001 +From 512c617bd00b74b30a80dd56a12391de46e2b6cf Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Fri, 10 Sep 2021 12:28:31 +0200 Subject: [PATCH] Lib/sysconfig.py: use prefix value from build configuration diff --git a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index e080b5c562..bbdd8b586e 100644 --- a/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/poky/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch @@ -1,4 +1,4 @@ -From 79e7ed59750612e57647847957ab85709307ea38 Mon Sep 17 00:00:00 2001 +From 843574d5a5b0818e83e20f8c0389d567bd4733fb Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Tue, 14 May 2013 15:00:26 -0700 Subject: [PATCH] python3: Add target and native recipes diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py index 0ca687d2eb..8e432b49af 100644 --- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py +++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py @@ -32,7 +32,7 @@ def fix_path(dep_path): dep_path = dep_path[dep_path.find(pivot)+len(pivot):] if '/usr/bin' in dep_path: - dep_path = dep_path.replace('/usr/bin''${bindir}') + dep_path = dep_path.replace('/usr/bin','${bindir}') # Handle multilib, is there a better way? if '/usr/lib32' in dep_path: diff --git a/poky/meta/recipes-devtools/python/python3/makerace.patch b/poky/meta/recipes-devtools/python/python3/makerace.patch index 979fc9dc36..c71c1e15de 100644 --- a/poky/meta/recipes-devtools/python/python3/makerace.patch +++ b/poky/meta/recipes-devtools/python/python3/makerace.patch @@ -1,4 +1,4 @@ -From 4f52aaf2a548b3356c6f1369c62b11335dc27464 Mon Sep 17 00:00:00 2001 +From dde5cb74f55b6dd39d25cff639d16940d9dad505 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Tue, 13 Jul 2021 23:19:29 +0100 Subject: [PATCH] python3: Fix make race @@ -18,11 +18,11 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 7558f0c..8cec819 100644 +index c6d7e85..205af6c 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -2005,7 +2005,7 @@ TESTSUBDIRS= ctypes/test \ - unittest/test unittest/test/testmock +@@ -2045,7 +2045,7 @@ TESTSUBDIRS= ctypes/test \ + unittest/test/testmock TEST_MODULES=@TEST_MODULES@ -libinstall: all $(srcdir)/Modules/xxmodule.c diff --git a/poky/meta/recipes-devtools/python/python3_3.11.2.bb b/poky/meta/recipes-devtools/python/python3_3.11.5.bb index 5bd8d32b14..b1ab307804 100644 --- a/poky/meta/recipes-devtools/python/python3_3.11.2.bb +++ b/poky/meta/recipes-devtools/python/python3_3.11.5.bb @@ -39,7 +39,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "29e4b8f5f1658542a8c13e2dd277358c9c48f2b2f7318652ef1675e402b9d2af" +SRC_URI[sha256sum] = "85cd12e9cf1d6d5a45f17f7afe1cebe7ee628d3282281c492e86adf636defa3f" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" @@ -56,6 +56,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" # The mailcap module is insecure by design, so this can't be fixed in a meaningful way. # The module will be removed in the future and flaws documented. CVE_CHECK_IGNORE += "CVE-2015-20107" +# Not an issue, in fact expected behaviour +CVE_CHECK_IGNORE += "CVE-2023-36632" PYTHON_MAJMIN = "3.11" diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 4c9be91cb0..c8e1d28654 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -36,6 +36,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://ppc.patch \ + file://CVE-2023-0330.patch \ + file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ + file://CVE-2023-2861.patch \ + file://CVE-2023-3354.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch index 5ef1184e3c..36c537eee1 100644 --- a/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-tracetool-use-relative-paths-for-line-preprocessor-d.patch @@ -8,7 +8,7 @@ The event filename is an absolute path. Convert it to a relative path when writing '#line' directives, to preserve reproducibility of the generated output when different base paths are used. -Upstream-Status: Pending +Upstream-Status: Accepted [https://gitlab.com/qemu-project/qemu/-/commit/9d672e290475001fcecdcc9dc79ad088ff89d17f] --- scripts/tracetool/backend/ftrace.py | 4 +++- diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..f609ea29b4 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch @@ -0,0 +1,75 @@ +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 048436352b7a..f7d45b0b20fb 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s) + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s) + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..34be8afe16 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch @@ -0,0 +1,171 @@ +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck <qemu_oss@crudebyte.com> +Date: Wed, 2 Aug 2023 13:02:55 +0000 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. + +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen <ywsPlz@gmail.com> +Reported-by: Jietao Xiao <shawtao1125@gmail.com> +Reported-by: Jinku Li <jkli@xidian.edu.cn> +Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> +Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Greg Kurz <groug@kaod.org> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> + +CVE: CVE-2023-2861 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + fsdev/virtfs-proxy-helper.c | 27 ++++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 38 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 5cafcd770..d9511f429 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index c3526144c..6b44e5f7a 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,6 +13,8 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else +@@ -112,6 +114,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -146,6 +180,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..661af629b0 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch @@ -0,0 +1,65 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Wed, 2 Aug 2023 12:29:55 +0000 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; + charset=UTF-8 Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis <kevin.denis@synacktiv.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> + +CVE: CVE-2023-3255 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa2..c759be343 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch new file mode 100644 index 0000000000..977f017ed2 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch @@ -0,0 +1,65 @@ +From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Sep 17 00:00:00 2001 +From: Ani Sinha <anisinha@redhat.com> +Date: Wed, 2 Aug 2023 09:25:27 +0000 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +When a peer nic is still attached to the vdpa backend, it is too early to free +up the vhost-net and vdpa structures. If these structures are freed here, then +QEMU crashes when the guest is being shut down. The following call chain +would result in an assertion failure since the pointer returned from +vhost_vdpa_get_vhost_net() would be NULL: + +do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> +virtio_net_vhost_status() -> get_vhost_net(). + +Therefore, we defer freeing up the structures until at guest shutdown +time when qemu_cleanup() calls net_cleanup() which then calls +qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() +again to free up the structures. This time, the loop in net_cleanup() +ensures that vhost_vdpa_cleanup() will be called one last time when +all the peer nics are detached and freed. + +All unit tests pass with this change. + +CC: imammedo@redhat.com +CC: jusual@redhat.com +CC: mst@redhat.com +Fixes: CVE-2023-3301 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 +Signed-off-by: Ani Sinha <anisinha@redhat.com> +Message-Id: <20230619065209.442185-1-anisinha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +CVE: CVE-2023-3301 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + net/vhost-vdpa.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c +index 2b4b85d8f..8dbe929c1 100644 +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -158,6 +158,15 @@ err_init: + static void vhost_vdpa_cleanup(NetClientState *nc) + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); ++ ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + struct vhost_dev *dev = &s->vhost_net->dev; + + qemu_vfree(s->cvq_cmd_out_buffer); +-- +2.40.0 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..b3958ecbf5 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch @@ -0,0 +1,88 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrangé <berrange@redhat.com> +Date: Tue, 12 Sep 2023 06:38:03 +0000 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen <jiangyegen@huawei.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +CVE: CVE-2023-3354 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index 5672479e9..ccd510ade 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 4ce890a53..17d73f02e 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -374,6 +376,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.35.5 diff --git a/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch b/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch deleted file mode 100644 index abad1cfeeb..0000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/qemu-7.0.0-glibc-2.36.patch +++ /dev/null @@ -1,46 +0,0 @@ -Avoid conflicts between sys/mount.h and linux/mount.h that are seen -with glibc 2.36 - -Source: https://github.com/archlinux/svntogit-packages/blob/packages/qemu/trunk/qemu-7.0.0-glibc-2.36.patch - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -95,7 +95,25 @@ - #include <linux/soundcard.h> - #include <linux/kd.h> - #include <linux/mtio.h> -+ -+#ifdef HAVE_SYS_MOUNT_FSCONFIG -+/* -+ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h, -+ * which in turn prevents use of linux/fs.h. So we have to -+ * define the constants ourselves for now. -+ */ -+#define FS_IOC_GETFLAGS _IOR('f', 1, long) -+#define FS_IOC_SETFLAGS _IOW('f', 2, long) -+#define FS_IOC_GETVERSION _IOR('v', 1, long) -+#define FS_IOC_SETVERSION _IOW('v', 2, long) -+#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap) -+#define FS_IOC32_GETFLAGS _IOR('f', 1, int) -+#define FS_IOC32_SETFLAGS _IOW('f', 2, int) -+#define FS_IOC32_GETVERSION _IOR('v', 1, int) -+#define FS_IOC32_SETVERSION _IOW('v', 2, int) -+#else - #include <linux/fs.h> -+#endif - #include <linux/fd.h> - #if defined(CONFIG_FIEMAP) - #include <linux/fiemap.h> ---- a/meson.build -+++ b/meson.build -@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET', - cc.has_header_symbol('getopt.h', 'optreset')) - config_host_data.set('HAVE_IPPROTO_MPTCP', - cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP')) -+config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG', -+ cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG')) - - # has_member - config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID', diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb b/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb index 6da2edddf3..83537d4761 100644 --- a/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb +++ b/poky/meta/recipes-devtools/rpm/rpm_4.18.1.bb @@ -134,8 +134,8 @@ do_install:append:class-target() { do_install:append:class-nativesdk() { rm -rf ${D}${SDKPATHNATIVE}/var # Ensure find-debuginfo is located correctly inside SDK - mkdir -p ${D}${SDKPATHNATIVE}/etc/rpm - echo "%__find_debuginfo ${SDKPATHNATIVE}/usr/bin/find-debuginfo" >> ${D}${SDKPATHNATIVE}/etc/rpm/macros + mkdir -p ${D}${libdir}/rpm + echo "%__find_debuginfo ${SDKPATHNATIVE}/usr/bin/find-debuginfo" >> ${D}${libdir}/rpm/macros } do_install:append () { @@ -173,7 +173,6 @@ FILES:${PN}-build = "\ ${libdir}/rpm/macros.p* \ ${libdir}/rpm/fileattrs/* \ " -FILES:${PN}-build:append:class-nativesdk = " ${SDKPATHNATIVE}/etc/rpm/macros" FILES:${PN}-sign = "\ ${bindir}/rpmsign \ diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch new file mode 100644 index 0000000000..17c7e30176 --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch @@ -0,0 +1,56 @@ +From 2ebb50d2dc302917a6f57c1239dc9e700dfe0e34 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 15:53:01 +0800 +Subject: [PATCH] Fix quadratic backtracking on invalid relative URI + +https://hackerone.com/reports/1958260 + +CVE: CVE-2023-36617 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc2396_parser.rb | 4 ++-- + test/uri/test_parser.rb | 12 ++++++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index 76a8f99..00c66cf 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 72fb590..721e05e 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -79,4 +79,16 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com")) + assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end + end +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch new file mode 100644 index 0000000000..7c51deaa42 --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch @@ -0,0 +1,52 @@ +From eea5868120509c245216c4b5c2d4b5db1c593d0e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 16:16:30 +0800 +Subject: [PATCH] Fix quadratic backtracking on invalid port number + +https://hackerone.com/reports/1958260 + +CVE: CVE-2023-36617 + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index dd24a40..9b1663d 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -100,7 +100,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 721e05e..cee0acb 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -91,4 +91,14 @@ class URI::TestParser < Test::Unit::TestCase + end + end + end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb b/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb index 481fe7c23d..d1359e388c 100644 --- a/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb +++ b/poky/meta/recipes-devtools/ruby/ruby_3.2.2.bb @@ -31,6 +31,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ file://0001-fiddle-Use-C11-_Alignof-to-define-ALIGN_OF-when-poss.patch \ + file://CVE-2023-36617_1.patch \ + file://CVE-2023-36617_2.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" diff --git a/poky/meta/recipes-devtools/rust/rust-source.inc b/poky/meta/recipes-devtools/rust/rust-source.inc index b25b5c17e8..0534e59c35 100644 --- a/poky/meta/recipes-devtools/rust/rust-source.inc +++ b/poky/meta/recipes-devtools/rust/rust-source.inc @@ -17,8 +17,3 @@ export TARGET_VENDOR UPSTREAM_CHECK_URI = "https://forge.rust-lang.org/infra/other-installation-methods.html" UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src" - -# see recipes-devtools/gcc/gcc/0018-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch -# we need to link with ssp_nonshared on musl to avoid "undefined reference to `__stack_chk_fail_local'" -# when building MACHINE=qemux86 for musl -WRAPPER_TARGET_EXTRALD:libc-musl = "-lssp_nonshared" diff --git a/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch b/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch deleted file mode 100644 index 235e803641..0000000000 --- a/poky/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 597cc206d982e7237eb93fdc33e8c4bb6bb2d796 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Thu, 9 Feb 2017 01:27:49 -0800 -Subject: [PATCH] caps-abbrev.awk: fix gawk's path - -It should be /usr/bin/gawk as other scripts use in this package. - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> - ---- - tests-m32/caps-abbrev.awk | 2 +- - tests-mx32/caps-abbrev.awk | 2 +- - tests/caps-abbrev.awk | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-m32/caps-abbrev.awk -+++ b/tests-m32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-mx32/caps-abbrev.awk -+++ b/tests-mx32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests/caps-abbrev.awk -+++ b/tests/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # diff --git a/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch b/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch new file mode 100644 index 0000000000..b4c6ff99de --- /dev/null +++ b/poky/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch @@ -0,0 +1,50 @@ +From 3bbfb541b258baec9eba674b5d8dc30007a61542 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Wed, 21 Jun 2023 08:00:00 +0000 +Subject: [PATCH] net: enhance getsockopt decoding + +When getsockopt syscall fails the kernel sometimes updates the optlen +argument, for example, NETLINK_LIST_MEMBERSHIPS updates it even if +optval is not writable. + +* src/net.c (SYS_FUNC(getsockopt)): Try to fetch and print optlen +argument on exiting syscall regardless of getsockopt exit status. + +Upstream-Status: Backport +--- + src/net.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/net.c b/src/net.c +index f68ccb947..7244b5e57 100644 +--- a/src/net.c ++++ b/src/net.c +@@ -1038,7 +1038,7 @@ SYS_FUNC(getsockopt) + } else { + ulen = get_tcb_priv_ulong(tcp); + +- if (syserror(tcp) || umove(tcp, tcp->u_arg[4], &rlen) < 0) { ++ if (umove(tcp, tcp->u_arg[4], &rlen) < 0) { + /* optval */ + printaddr(tcp->u_arg[3]); + tprint_arg_next(); +@@ -1047,6 +1047,19 @@ SYS_FUNC(getsockopt) + tprint_indirect_begin(); + PRINT_VAL_D(ulen); + tprint_indirect_end(); ++ } else if (syserror(tcp)) { ++ /* optval */ ++ printaddr(tcp->u_arg[3]); ++ tprint_arg_next(); ++ ++ /* optlen */ ++ tprint_indirect_begin(); ++ if (ulen != rlen) { ++ PRINT_VAL_D(ulen); ++ tprint_value_changed(); ++ } ++ PRINT_VAL_D(rlen); ++ tprint_indirect_end(); + } else { + /* optval */ + print_getsockopt(tcp, tcp->u_arg[1], tcp->u_arg[2], diff --git a/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch b/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch new file mode 100644 index 0000000000..a0843836c2 --- /dev/null +++ b/poky/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch @@ -0,0 +1,50 @@ +From f31c2f4494779e5c5f170ad10539bfc2dfafe967 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Sat, 24 Jun 2023 08:00:00 +0000 +Subject: [PATCH] tests: update sockopt-sol_netlink test + +Update sockopt-sol_netlink test that started to fail, likely +due to recent linux kernel commit f4e4534850a9 ("net/netlink: fix +NETLINK_LIST_MEMBERSHIPS length report"). + +* tests/sockopt-sol_netlink.c (main): Always print changing optlen value +on exiting syscall. + +Reported-by: Alexander Gordeev <agordeev@linux.ibm.com> +--- + tests/sockopt-sol_netlink.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +Upstream-Status: Backport + +diff --git a/tests/sockopt-sol_netlink.c b/tests/sockopt-sol_netlink.c +index 82b98adc23..1c33219ac5 100644 +--- a/tests/sockopt-sol_netlink.c ++++ b/tests/sockopt-sol_netlink.c +@@ -94,7 +94,10 @@ main(void) + printf("%p", val); + else + printf("[%d]", *val); +- printf(", [%d]) = %s\n", *len, errstr); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen larger than necessary - shortened */ + *len = sizeof(*val) + 1; +@@ -150,8 +153,12 @@ main(void) + /* optval EFAULT - print address */ + *len = sizeof(*val); + get_sockopt(fd, names[i].val, efault, len); +- printf("getsockopt(%d, SOL_NETLINK, %s, %p, [%d]) = %s\n", +- fd, names[i].str, efault, *len, errstr); ++ printf("getsockopt(%d, SOL_NETLINK, %s, %p", ++ fd, names[i].str, efault); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen EFAULT - print address */ + get_sockopt(fd, names[i].val, val, len + 1); diff --git a/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch b/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch index 0c683496ae..a16ede95c2 100644 --- a/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch +++ b/poky/meta/recipes-devtools/strace/strace/update-gawk-paths.patch @@ -125,3 +125,33 @@ index dce78f5..573d9ea 100644 # # Copyright (c) 2014-2015 Dmitry V. Levin <ldv@strace.io> # Copyright (c) 2016 Elvira Khabirova <lineprinter0@gmail.com> +diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-m32/caps-abbrev.awk ++++ b/tests-m32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-mx32/caps-abbrev.awk ++++ b/tests-mx32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests/caps-abbrev.awk ++++ b/tests/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # diff --git a/poky/meta/recipes-devtools/strace/strace_6.2.bb b/poky/meta/recipes-devtools/strace/strace_6.2.bb index dc01b57d80..e7a34bbf66 100644 --- a/poky/meta/recipes-devtools/strace/strace_6.2.bb +++ b/poky/meta/recipes-devtools/strace/strace_6.2.bb @@ -9,12 +9,13 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \ file://update-gawk-paths.patch \ file://Makefile-ptest.patch \ file://run-ptest \ - file://0001-caps-abbrev.awk-fix-gawk-s-path.patch \ file://ptest-spacesave.patch \ file://0001-strace-fix-reproducibilty-issues.patch \ file://skip-load.patch \ file://0001-configure-Use-autoconf-macro-to-detect-largefile-sup.patch \ file://0002-tests-Replace-off64_t-with-off_t.patch \ + file://f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch \ + file://3bbfb541b258baec9eba674b5d8dc30007a61542.patch \ " SRC_URI[sha256sum] = "0c7d38a449416268d3004029a220a15a77c2206a03cc88120f37f46e949177e8" diff --git a/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb index 9e77f12b53..7d151d4642 100644 --- a/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb +++ b/poky/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb @@ -6,8 +6,8 @@ BUGTRACKER = "https://bugs.eclipse.org/bugs/" LICENSE = "EPL-1.0 | EDL-1.0" LIC_FILES_CHKSUM = "file://edl-v10.html;md5=522a390a83dc186513f0500543ad3679" -SRCREV = "4a2c4baaccbc8c29ce0297705de9a4e096d57ce5" -PV = "1.7.0+git${SRCPV}" +SRCREV = "1f11747e83ebf4f53e8d17f430136f92ec378709" +PV = "1.8.0+git${SRCPV}" UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))" SRC_URI = "git://git.eclipse.org/r/tcf/org.eclipse.tcf.agent.git;protocol=https;branch=master \ diff --git a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb index 982f370edb..921ea7a01d 100644 --- a/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb +++ b/poky/meta/recipes-devtools/tcltk/tcl_8.6.13.bb @@ -45,6 +45,12 @@ inherit autotools ptest binconfig AUTOTOOLS_SCRIPT_PATH = "${S}/unix" EXTRA_OECONF = "--enable-threads --disable-rpath --enable-man-suffix" +# Prevent installing copy of tzdata based on tzdata installation on the build host +# It doesn't install tzdata if one of the following files exist on the host: +# /usr/share/zoneinfo/UTC /usr/share/zoneinfo/GMT /usr/share/lib/zoneinfo/UTC /usr/share/lib/zoneinfo/GMT /usr/lib/zoneinfo/UTC /usr/lib/zoneinfo/GMT +# otherwise "/usr/lib/tcl8.6/tzdata" is included in tcl package +EXTRA_OECONF += "--with-tzdata=no" + do_install() { autotools_do_install oe_runmake 'DESTDIR=${D}' install-private-headers |