CVE-2008-1367
First published: Thu Mar 13 2008(Updated: )
Description of problem: Jake Edge has reported the following gcc kernel related potential security issue on LWN: <cite> A change to GCC for a recent release coupled with a kernel bug has created a messy situation, with possible security implications. GCC changed some assumptions about x86 processor flags, in accordance with the ABI standard, that can lead to memory corruption for programs built with GCC 4.3.0. No one has come up with a way to exploit the flaw, at least yet, but it clearly is a problem that needs to be addressed. The problem revolves around the x86 direction flag (DF), which governs whether block memory operations operate forward through memory or backwards. The main use for the flag is to support overlapping memory copies, where working backwards through memory may be required so that the data being copied does not get overwritten as the copy progresses. Debian hacker Aurélien Jarno reported the problem to linux-kernel on March 5th, which was found when building Steel Bank Common Lisp (SBCL) using the new compiler. GCC's most recent release, 4.3.0, assumes that the direction flag has been cleared (i.e. memory operations go in a forward direction) at the entry of each function, as is specified by the ABI (which is, somewhat amusingly, found at sco.com [PDF]). Unfortunately, this clashes with Linux signal handlers, which get called, incorrectly, with the flag in whatever state it was in when the signal occurred. This has the effect of leaking one bit of state from the user space process that was running when the signal occurred to the signal handler, which could be in another process. That, in itself, is a bug, seemingly with fairly minimal impact. Prior to 4.3, GCC would emit a cld (clear direction flag) opcode before doing inline string or memory operations, so those operations would start from a known state. In 4.3, GCC relies on the ABI mandate that the direction flag is cleared before entry to a function, which means that the kernel needs to arrange that before calling a signal handler. It currently doesn't, but a small patch fixes that. The window of vulnerability is small, but was observed in SBCL. The sequence of events that would lead to memory corruption are as follows: * a user space program does an operation (memmove() for example) that sets DF * a signal occurs for some process * the kernel calls the signal handler * the signal handler does a memmove() in what it thinks is a forward direction * the memory is copied in the reverse direction, leading to corruption </cite> Link to the post: <a href="http://lwn.net/Articles/272048/#Comments">http://lwn.net/Articles/272048/#Comments</a> Link to upstream fix: <a href="http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-x86.git;a=commitdiff;h=52c841e1012b8e73cc04b53f92fb933db580fb42">http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-x86.git;a=commitdiff;h=52c841e1012b8e73cc04b53f92fb933db580fb42</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU GCC | =4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lwn.net/Articles/272048/#Comments
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469058
- http://lkml.org/lkml/2008/3/5/207
- http://gcc.gnu.org/ml/gcc-patches/2008-03/msg00417.html
- http://gcc.gnu.org/ml/gcc-patches/2008-03/msg00432.html
- http://gcc.gnu.org/ml/gcc-patches/2008-03/msg00428.html
- http://gcc.gnu.org/ml/gcc-patches/2008-03/msg00499.html
- http://www.redhat.com/support/errata/RHSA-2008-0211.html
- http://www.redhat.com/support/errata/RHSA-2008-0233.html
- http://secunia.com/advisories/31246
- https://bugzilla.redhat.com/show_bug.cgi?id=437312
- http://marc.info/?l=git-commits-head&m=120492000901739&w=2
- http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00002.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
- http://secunia.com/advisories/30818
- http://secunia.com/advisories/30890
- http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2008-0508.html
- http://lists.vmware.com/pipermail/security-announce/2008/000023.html
- http://secunia.com/advisories/30962
- http://secunia.com/advisories/30850
- http://secunia.com/advisories/30116
- http://secunia.com/advisories/30110
- http://www.securityfocus.com/bid/29084
- http://www.vupen.com/english/advisories/2008/2222/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41340
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11108
- http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-x86.git;a=commitdiff;h=52c841e1012b8e73cc04b53f92fb933db580fb42
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=436131
- http://gcc.gnu.org/ml/gcc-patches/2006-12/msg00276.html
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=297943
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=297943&action=edit
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-1367
- agent/tags
- agent/trending
- vendor/gnu
- canonical/gnu gcc
- version/gnu gcc/4.3