Hi Lukasz,
I don't see this builtin being part of gcc-8.3.0.
So, this is not affecting the gcc 8.3.0-6 build for AIX.
$ /opt/freeware/bin/gcc-8 -maix64 darn.c -o darn -mcpu=power9
cc1: warning: will not generate 'power9' instructions because assembler lacks 'power9' support
darn.c: In function 'main':
darn.c:8:15: warning: implicit declaration of function '__builtin_darn'; did you mean '__builtin_nan'? [-Wimplicit-function-declaration]
darn[i] = __builtin_darn(); // or __builtin_darn_raw()
^~~~~~~~~~~~~~
__builtin_nan
ld: 0711-317 ERROR: Undefined symbol: .__builtin_darn
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: error: ld returned 8 exit status
$ /opt/freeware/bin/gcc-10 -maix64 darn.c -o darn -mcpu=power9
$
------------------------------
SANGAMESH
------------------------------
Original Message:
Sent: Mon December 19, 2022 12:14 PM
From: Lukasz Kowalczyk
Subject: vulnerability CVE-2019-15847 and gcc 8.3 AIX7.1
I already asked this in the AIX group; however, it seems that most of the questions regarding CVEs are discussed here. So I'm re-posting my question in this group.
According to NVD, this vulnerability affects gcc in version 8.3.0.
The gcc installed on the AIX machine is taken from ( https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.1/gcc8/gcc8-cplusplus-8.3.0-6.aix7.1.ppc.rpm ).
I tried to test if this version is affected using code provided in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481, but it seems that this gcc version does not contain POWER9 function __builtin_darn().
>bash-5.1# gcc-8 -maix64 darn.c -o darn
darn.c: In function 'main':
darn.c:8:21: warning: implicit declaration of function '__builtin_darn'; did you mean '__builtin_nan'? [-Wimplicit-function-declaration]
darn[i] = __builtin_darn(); // or __builtin_darn_raw()
^~~~~~~~~~~~~~
__builtin_nan
ld: 0711-317 ERROR: Undefined symbol: .__builtin_darn
I have the same result when compiling the 32-bit version.
Can anyone confirm/deny that gcc 8.3.0-6 build for AIX is not vulnerable to this CVE?
------------------------------
Lukasz Kowalczyk
------------------------------
#AIXOpenSource
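CVE-2019-15847 concerns GCC's POWER9 backend merging several __builtin_darn calls into a single call, so a test such as the one discussed in this thread only means something when the builtin actually compiles. The following is an added example, not code from the posts or from the GCC bug report: it takes the samples only when the compiler really targets 64-bit POWER9 and otherwise reports "not testable" instead of failing at link time. Assumptions: the _ARCH_PWR9, __powerpc64__ and __64BIT__ predefined macros as the target check, the all-ones value as darn's error result, and the function and enum names, which are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DARN_ERROR UINT64_MAX /* assumed: darn signals failure as all ones */

/* Verdict names are this example's own. */
enum darn_verdict { DARN_OK = 0, DARN_COLLAPSED = 1, DARN_INCONCLUSIVE = 2 };

/* If every valid sample is the same value, the calls were most likely merged
 * into one. Error values are skipped so that a failing RNG is not mistaken
 * for the compiler defect. */
enum darn_verdict classify_samples(const uint64_t *s, size_t n)
{
    size_t valid = 0;
    uint64_t first = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == DARN_ERROR) continue;
        if (valid++ == 0) first = s[i];
        else if (s[i] != first) return DARN_OK;
    }
    return valid < 2 ? DARN_INCONCLUSIVE : DARN_COLLAPSED;
}

/* Fills buf from the builtin when compiling for 64-bit POWER9; returns 0
 * when the compiler is not targeting POWER9 and the builtin is unusable. */
size_t collect_darn(uint64_t *buf, size_t n)
{
#if defined(_ARCH_PWR9) && (defined(__powerpc64__) || defined(__64BIT__))
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint64_t)__builtin_darn();
    return n;
#else
    (void)buf; (void)n;
    return 0;
#endif
}

int main(void)
{
    uint64_t buf[16];
    size_t got = collect_darn(buf, 16);
    if (got == 0) {
        puts("builtin not available for this target: not testable here");
        return DARN_INCONCLUSIVE;
    }
    enum darn_verdict v = classify_samples(buf, got);
    puts(v == DARN_COLLAPSED ? "all samples identical: calls were merged"
         : v == DARN_OK ? "samples differ" : "too few valid samples");
    return v;
}
```

Build it with optimization enabled and the same -mcpu=power9 option used in the thread, since the merging is an optimizer effect.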