Bug 213767 - sys-devel/gcc =4.3.0 Missing cld instruction can lead to memory corruption (CVE-2008-1367)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~2 [ebuild?]
Reported: 2008-03-18 02:23 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-18 13:27 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:23:00 UTC
CVE-2008-1367:
  gcc 4.3.x does not generate a cld instruction while compiling functions used
  for string manipulation such as memcpy and memmove on x86 and i386, which can
  prevent the direction flag (DF) from being reset in violation of ABI
  conventions and cause data to be copied in the wrong direction during signal
  handling in the Linux kernel, which might allow context-dependent attackers
  to trigger memory corruption. NOTE: this issue was originally reported for
  CPU consumption in SBCL.
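The effect described in the CVE text, as an added example that is not part of the original bug report: a portable C model of a byte-wise x86 string copy (`rep movsb`) run once with DF clear and once with DF left set, as happens when no `cld` precedes the copy. The function and struct names are hypothetical and the buffers are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD 8   /* padding on each side of the 4-byte payload */
#define LEN   4
struct damage { int copied_ok, below, above; };   /* hypothetical name */

/* Software model of x86 `rep movsb` (not the real instruction): both
 * pointers step by +1 when DF is clear and by -1 when DF is set. */
static void rep_movsb_model(unsigned char *dst, const unsigned char *src,
                            size_t n, int df)
{
    ptrdiff_t step = df ? -1 : 1;
    while (n--) {
        *dst = *src;
        dst += step;
        src += step;
    }
}

/* Copy LEN bytes the way an inlined memcpy with no leading cld would,
 * then count how many padding bytes around the destination changed. */
struct damage copy_with_df(int df)
{
    /* Constructed sample data; the payload sits mid-arena so the model
     * never leaves either array even when it walks downward. */
    unsigned char src[GUARD + LEN + GUARD], dst[GUARD + LEN + GUARD];
    struct damage d = {0, 0, 0};
    memset(src, 'S', sizeof src);
    memcpy(src + GUARD, "DATA", LEN);
    memset(dst, '.', sizeof dst);
    rep_movsb_model(dst + GUARD, src + GUARD, LEN, df);
    d.copied_ok = memcmp(dst + GUARD, "DATA", LEN) == 0;
    for (int i = 0; i < GUARD; i++) {
        d.below += dst[i] != '.';
        d.above += dst[GUARD + LEN + i] != '.';
    }
    return d;
}

int main(void)
{
    for (int df = 0; df <= 1; df++) {
        struct damage d = copy_with_df(df);
        printf("DF=%d ok=%d below=%d above=%d\n", df, d.copied_ok, d.below, d.above);
    }
    return 0;
}
```

With DF set, only the first payload byte lands in place and the remaining three writes fall below the destination, which is the wrong-direction copy the advisory describes.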
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:25:20 UTC
Toolchain herd, gcc 4.3 is in Portage since today.
I did not check if it exposes this bug or not, can you help here?
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-03-18 10:44:58 UTC
According to a mailing list discussion [1], this is not a gcc bug but a behavior change which perfectly matches the specifications. The problem is that the Linux kernel (others too) did not match these specs...
A patch to the kernel was already proposed [2] and committed [3] ten days ago, so now the question is, whether patching gcc is wanted or whether gcc-4.3 should simply require fixed kernels.
CC'ing kernel herd for this reason.

Comment 3 SpanKY gentoo-dev 2008-03-18 11:37:24 UTC
i have no plans to modify gcc-4.3.0 behavior in any way ... the realistic impact here is small as the number of applications this breaks is small (then again, for those who it does impact, i imagine they'll be quite annoyed)

fix the kernel
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:00:42 UTC
I have branched off bug 213811 for the Kernel patch, thanks for the notice.

I would also think people using ~arch gcc and not keeping their kernel updated is not a setup we want to support and by the time gcc 4.3 hits stable, our kernels should be updated.
Comment 5 SpanKY gentoo-dev 2008-03-18 13:27:23 UTC
while true, gcc-4.3.0 isn't even ~arch yet ;)

so our kernel guys have time to get out a fixed gentoo-sources patchset