Bug 213767

Summary: sys-devel/gcc =4.3.0 Missing cld instruction can lead to memory corruption (CVE-2008-1367)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: trivial
CC: hoffie, kernel, toolchain
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.linux.kernel/650180
Whiteboard: ~2 [ebuild?]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:23:00 UTC
CVE-2008-1367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1367):
  gcc 4.3.x does not generate a cld instruction while compiling functions used
  for string manipulation such as memcpy and memmove on x86 and i386, which can
  prevent the direction flag (DF) from being reset in violation of ABI
  conventions and cause data to be copied in the wrong direction during signal
  handling in the Linux kernel, which might allow context-dependent attackers
  to trigger memory corruption. NOTE: this issue was originally reported for
  CPU consumption in SBCL.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:25:20 UTC
Toolchain herd, gcc 4.3 is in Portage since today.
I did not check if it exposes this bug or not, can you help here?
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-03-18 10:44:58 UTC
According to a mailing list discussion [1] this is not a gcc bug, but a behavior change which perfectly matches the specifications. The problem is that the Linux kernel (others too) did not match these specs...
A patch to the kernel was already proposed [2] and committed [3] ten days ago, so now the question is, whether patching gcc is wanted or whether gcc-4.3 should simply require fixed kernels.
CC'ing kernel herd for this reason.
[1] http://thread.gmane.org/gmane.linux.kernel/650180
[2] http://lwn.net/Articles/272203/
[3] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
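An added check, not part of this bug, of gcc or of any kernel code, that lets an administrator see whether the running kernel already applies the fix referenced in [3]: it sets DF in the probing frame, sends itself SIGUSR1 with a direct syscall and reads EFLAGS from inside the handler. On a kernel without the fix, a handler whose inlined memcpy is compiled by gcc 4.3 without cld would run with DF set, which is the corruption the CVE describes; the probe's function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if DF was set when the handler ran, 0 if clear, -1 if it never ran. */
static volatile sig_atomic_t df_seen_in_handler = -1;

static unsigned long read_eflags(void) {
    unsigned long flags = 0;
#if defined(__x86_64__)
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(flags));
#elif defined(__i386__)
    __asm__ volatile("pushfl\n\tpopl %0" : "=r"(flags));
#endif
    return flags;
}

/* Reads EFLAGS only (bit 10 is DF): no string ops, so it is safe either way. */
static void probe_handler(int sig) {
    (void)sig;
    df_seen_in_handler = (read_eflags() & 0x400UL) ? 1 : 0;
}

/* 1: kernel cleared DF before the handler ran (fixed); 0: handler ran with DF
 * still set (vulnerable); -1: not x86, or the probe signal was not delivered. */
int kernel_clears_df_on_signal(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);          /* zeroed sa_mask, no flags */
    sa.sa_handler = probe_handler;
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;
    df_seen_in_handler = -1;
    /* Set DF, then raise the signal with a direct syscall; the "memory"
     * clobbers stop the compiler from moving code across the flag changes. */
    __asm__ volatile("std" ::: "memory");
    kill(getpid(), SIGUSR1);            /* delivered before kill() returns */
    __asm__ volatile("cld" ::: "memory");  /* back to the ABI-required state */
    signal(SIGUSR1, SIG_DFL);
    return df_seen_in_handler < 0 ? -1 : (df_seen_in_handler == 0 ? 1 : 0);
#else
    return -1;
#endif
}

int main(void) {
    printf("kernel_clears_df_on_signal() = %d (1 fixed, 0 vulnerable, -1 n/a)\n",
           kernel_clears_df_on_signal());
    return 0;
}
```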
Comment 3 SpanKY gentoo-dev 2008-03-18 11:37:24 UTC
i have no plans to modify gcc-4.3.0 behavior in any way ... the realistic impact here is small as the number of applications this breaks is small (then again, for those who it does impact, i imagine they'll be quite annoyed)

fix the kernel
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:00:42 UTC
I have branched off bug 213811 for the Kernel patch, thanks for the notice.

I would also think people using ~arch gcc and not keeping their kernel updated is not a setup we want to support and by the time gcc 4.3 hits stable, our kernels should be updated.
Comment 5 SpanKY gentoo-dev 2008-03-18 13:27:23 UTC
while true, gcc-4.3.0 isn't even ~arch yet ;)

so our kernel guys have time to get out a fixed gentoo-sources patchset