[OE-core] [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276
Yuanjie Huang
Yuanjie.Huang at windriver.com
Fri Dec 4 02:01:40 UTC 2015
From: Yuanjie Huang <yuanjie.huang at windriver.com>
The std::random_device class in libstdc++ in the GNU Compiler Collection
(aka GCC) before 4.9.4 does not properly handle short reads from
blocking sources, which makes it easier for context-dependent attackers
to predict the random values via unspecified vectors.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5276
Patches backported from upstream as:
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687
138bc75d-0d04-0410-961f-82ee72b054a4
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872
138bc75d-0d04-0410-961f-82ee72b054a4
Upstream-Status: Backport [4.9.4]
Signed-off-by: Yuanjie Huang <yuanjie.huang at windriver.com>
---
meta/recipes-devtools/gcc/gcc-4.9.inc | 2 +
...67-Check-read-result-in-std-random_device.patch | 57 +++++++++++++++++
...std-random_device-retry-after-short-reads.patch | 71 ++++++++++++++++++++++
3 files changed, 130 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
diff --git a/meta/recipes-devtools/gcc/gcc-4.9.inc b/meta/recipes-devtools/gcc/gcc-4.9.inc
index 6ac3685..f3af41f 100644
--- a/meta/recipes-devtools/gcc/gcc-4.9.inc
+++ b/meta/recipes-devtools/gcc/gcc-4.9.inc
@@ -82,6 +82,8 @@ SRC_URI = "\
file://0064-handle-target-sysroot-multilib.patch \
file://0065-gcc-483-universal-initializer-no-warning.patch \
file://0066-cxxflags-for-build.patch \
+ file://0067-Check-read-result-in-std-random_device.patch \
+ file://0068-Make-std-random_device-retry-after-short-reads.patch \
"
SRC_URI[md5sum] = "6f831b4d251872736e8e9cc09746f327"
SRC_URI[sha256sum] = "2332b2a5a321b57508b9031354a8503af6fdfb868b8c1748d33028d100a8b67e"
diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
new file mode 100644
index 0000000..352567f
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
@@ -0,0 +1,57 @@
+From 2ef472318fe63bc092d3f1cc455116c50f853adf Mon Sep 17 00:00:00 2001
+From: redi <redi at 138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 11 Sep 2015 13:44:26 +0000
+Subject: [PATCH 1/2] Check read() result in std::random_device.
+
+ PR libstdc++/65142
+ * src/c++11/random.cc (random_device::_M_getval()): Check read result.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Yuanjie Huang <Yuanjie.Huang at windriver.com>
+---
+ libstdc++-v3/ChangeLog | 5 +++++
+ libstdc++-v3/src/c++11/random.cc | 12 ++++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
+index a742a72..51a5a9f 100644
+--- a/libstdc++-v3/ChangeLog
++++ b/libstdc++-v3/ChangeLog
+@@ -1,3 +1,8 @@
++2015-09-11 Jonathan Wakely <jwakely at redhat.com>
++
++ PR libstdc++/65142
++ * src/c++11/random.cc (random_device::_M_getval()): Check read result.
++
+ 2015-06-26 Release Manager
+
+ * GCC 4.9.3 released.
+diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
+index f61daea..ab3e55d 100644
+--- a/libstdc++-v3/src/c++11/random.cc
++++ b/libstdc++-v3/src/c++11/random.cc
+@@ -129,13 +129,17 @@ namespace std _GLIBCXX_VISIBILITY(default)
+ #endif
+
+ result_type __ret;
++
+ #ifdef _GLIBCXX_HAVE_UNISTD_H
+- read(fileno(static_cast<FILE*>(_M_file)),
+- static_cast<void*>(&__ret), sizeof(result_type));
++ auto e = read(fileno(static_cast<FILE*>(_M_file)),
++ static_cast<void*>(&__ret), sizeof(result_type));
+ #else
+- std::fread(static_cast<void*>(&__ret), sizeof(result_type),
+- 1, static_cast<FILE*>(_M_file));
++ auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
++ 1, static_cast<FILE*>(_M_file));
+ #endif
++ if (e != sizeof(result_type))
++ __throw_runtime_error(__N("random_device could not read enough bytes"));
++
+ return __ret;
+ }
+
+--
+2.0.1
+
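Review bot: The patch header of this new file carries no `Upstream-Status:` or `CVE:` tag, which OE-core expects in every backported patch so that its origin and the CVE it fixes are machine-readable; add `Upstream-Status: Backport` and `CVE: CVE-2015-5276` above the Signed-off-by line. Note also that this intermediate revision compares the `fread()` return value, an item count of at most 1, against `sizeof(result_type)`, so a build without `_GLIBCXX_HAVE_UNISTD_H` would throw on every `_M_getval()` call. 0068 in the same series replaces that check, so the two patches must stay paired in SRC_URI and must not be applied or reordered independently.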
diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
new file mode 100644
index 0000000..e0c475e
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
@@ -0,0 +1,71 @@
+From a1f5c28240646583a99c6cc2986d490f71f2157d Mon Sep 17 00:00:00 2001
+From: redi <redi at 138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 17 Sep 2015 15:06:42 +0000
+Subject: [PATCH 2/2] Make std::random_device retry after short reads
+
+ PR libstdc++/65142
+ * src/c++11/random.cc (random_device::_M_getval()): Retry after short
+ reads.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Yuanjie Huang <Yuanjie.Huang at windriver.com>
+---
+ libstdc++-v3/ChangeLog | 6 ++++++
+ libstdc++-v3/src/c++11/random.cc | 24 +++++++++++++++++-------
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
+index 51a5a9f..5df4d8c 100644
+--- a/libstdc++-v3/ChangeLog
++++ b/libstdc++-v3/ChangeLog
+@@ -1,3 +1,9 @@
++2015-09-17 Jonathan Wakely <jwakely at redhat.com>
++
++ PR libstdc++/65142
++ * src/c++11/random.cc (random_device::_M_getval()): Retry after short
++ reads.
++
+ 2015-09-11 Jonathan Wakely <jwakely at redhat.com>
+
+ PR libstdc++/65142
+diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
+index ab3e55d..db2f841 100644
+--- a/libstdc++-v3/src/c++11/random.cc
++++ b/libstdc++-v3/src/c++11/random.cc
+@@ -129,16 +129,26 @@ namespace std _GLIBCXX_VISIBILITY(default)
+ #endif
+
+ result_type __ret;
+-
++ void* p = &__ret;
++ size_t n = sizeof(result_type);
+ #ifdef _GLIBCXX_HAVE_UNISTD_H
+- auto e = read(fileno(static_cast<FILE*>(_M_file)),
+- static_cast<void*>(&__ret), sizeof(result_type));
++ do
++ {
++ const int e = read(fileno(static_cast<FILE*>(_M_file)), p, n);
++ if (e > 0)
++ {
++ n -= e;
++ p = static_cast<char*>(p) + e;
++ }
++ else if (e != -1 || errno != EINTR)
++ __throw_runtime_error(__N("random_device could not be read"));
++ }
++ while (n > 0);
+ #else
+- auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
+- 1, static_cast<FILE*>(_M_file));
++ const size_t e = std::fread(p, n, 1, static_cast<FILE*>(_M_file));
++ if (e != 1)
++ __throw_runtime_error(__N("random_device could not be read"));
+ #endif
+- if (e != sizeof(result_type))
+- __throw_runtime_error(__N("random_device could not read enough bytes"));
+
+ return __ret;
+ }
+--
+2.0.1
+
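Review bot: `const int e = read(fileno(static_cast<FILE*>(_M_file)), p, n);` narrows the `ssize_t` return value; for the few bytes of `result_type` this cannot overflow, but `const ssize_t e = read(...)` states the contract and avoids the implicit conversion. The retry loop relies on `errno` and `EINTR`; the upstream commit did not add an include, so `<cerrno>` is presumably already included by the 4.9 random.cc, but that should be verified in the 4.9 tree before merging, otherwise the backport needs `#include <cerrno>`. A zero-byte return (EOF) correctly falls through to the throw instead of spinning, which is the right outcome for a device that stops producing data. Like 0067, this patch file also lacks the `Upstream-Status: Backport` and `CVE: CVE-2015-5276` header tags OE-core expects.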
--
1.9.1