* [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276
@ 2015-12-04  2:01 Yuanjie Huang
  2015-12-05 20:53 ` Burton, Ross
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Yuanjie Huang @ 2015-12-04  2:01 UTC (permalink / raw)
  To: openembedded-core

From: Yuanjie Huang <yuanjie.huang@windriver.com>

The std::random_device class in libstdc++ in the GNU Compiler Collection
(aka GCC) before 4.9.4 does not properly handle short reads from
blocking sources, which makes it easier for context-dependent attackers
to predict the random values via unspecified vectors.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5276

Patches backported from upstream as:
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687
138bc75d-0d04-0410-961f-82ee72b054a4
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872
138bc75d-0d04-0410-961f-82ee72b054a4

Upstream-status: backport[4.9.4]

Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
---
 meta/recipes-devtools/gcc/gcc-4.9.inc              |  2 +
 ...67-Check-read-result-in-std-random_device.patch | 57 +++++++++++++++++
 ...std-random_device-retry-after-short-reads.patch | 71 ++++++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch

diff --git a/meta/recipes-devtools/gcc/gcc-4.9.inc b/meta/recipes-devtools/gcc/gcc-4.9.inc
index 6ac3685..f3af41f 100644
--- a/meta/recipes-devtools/gcc/gcc-4.9.inc
+++ b/meta/recipes-devtools/gcc/gcc-4.9.inc
@@ -82,6 +82,8 @@ SRC_URI = "\
     file://0064-handle-target-sysroot-multilib.patch \
     file://0065-gcc-483-universal-initializer-no-warning.patch \
     file://0066-cxxflags-for-build.patch \
+    file://0067-Check-read-result-in-std-random_device.patch \
+    file://0068-Make-std-random_device-retry-after-short-reads.patch \
 "
 SRC_URI[md5sum] = "6f831b4d251872736e8e9cc09746f327"
 SRC_URI[sha256sum] = "2332b2a5a321b57508b9031354a8503af6fdfb868b8c1748d33028d100a8b67e"
diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
new file mode 100644
index 0000000..352567f
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
@@ -0,0 +1,57 @@
+From 2ef472318fe63bc092d3f1cc455116c50f853adf Mon Sep 17 00:00:00 2001
+From: redi <redi@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 11 Sep 2015 13:44:26 +0000
+Subject: [PATCH 1/2] Check read() result in std::random_device.
+
+	PR libstdc++/65142
+	* src/c++11/random.cc (random_device::_M_getval()): Check read result.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Yuanjie Huang <Yuanjie.Huang@windriver.com>
+---
+ libstdc++-v3/ChangeLog           |  5 +++++
+ libstdc++-v3/src/c++11/random.cc | 12 ++++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
+index a742a72..51a5a9f 100644
+--- a/libstdc++-v3/ChangeLog
++++ b/libstdc++-v3/ChangeLog
+@@ -1,3 +1,8 @@
++2015-09-11  Jonathan Wakely  <jwakely@redhat.com>
++
++	PR libstdc++/65142
++	* src/c++11/random.cc (random_device::_M_getval()): Check read result.
++
+ 2015-06-26  Release Manager
+ 
+ 	* GCC 4.9.3 released.
+diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
+index f61daea..ab3e55d 100644
+--- a/libstdc++-v3/src/c++11/random.cc
++++ b/libstdc++-v3/src/c++11/random.cc
+@@ -129,13 +129,17 @@ namespace std _GLIBCXX_VISIBILITY(default)
+ #endif
+ 
+     result_type __ret;
++
+ #ifdef _GLIBCXX_HAVE_UNISTD_H
+-    read(fileno(static_cast<FILE*>(_M_file)),
+-	 static_cast<void*>(&__ret), sizeof(result_type));
++    auto e = read(fileno(static_cast<FILE*>(_M_file)),
++		  static_cast<void*>(&__ret), sizeof(result_type));
+ #else
+-    std::fread(static_cast<void*>(&__ret), sizeof(result_type),
+-	       1, static_cast<FILE*>(_M_file));
++    auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
++		        1, static_cast<FILE*>(_M_file));
+ #endif
++    if (e != sizeof(result_type))
++      __throw_runtime_error(__N("random_device could not read enough bytes"));
++
+     return __ret;
+   }
+ 
+-- 
+2.0.1
+
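Review bot: Patch 0067 is not a safe state to ship on its own: in the fread fallback (the `#else` branch) `e` is the item count, so `e != sizeof(result_type)` compares 1 against the byte size and `_M_getval()` would throw on every call there; 0068 in this same series rewrites that check, so the two files must stay together and 0067 should never be cherry-picked alone into another gcc recipe. The read() path in 0067 likewise still throws on an EINTR-interrupted read, which 0068 also handles. Neither patch header records the CVE it fixes; adding `CVE: CVE-2015-5276` to both headers keeps the fix traceable from the recipe tree. Only the body of `_M_getval()` is visible here; the surrounding function and the file's include list are outside the hunk.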
diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
new file mode 100644
index 0000000..e0c475e
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
@@ -0,0 +1,71 @@
+From a1f5c28240646583a99c6cc2986d490f71f2157d Mon Sep 17 00:00:00 2001
+From: redi <redi@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 17 Sep 2015 15:06:42 +0000
+Subject: [PATCH 2/2] Make std::random_device retry after short reads
+
+	PR libstdc++/65142
+	* src/c++11/random.cc (random_device::_M_getval()): Retry after short
+	reads.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872 138bc75d-0d04-0410-961f-82ee72b054a4
+Signed-off-by: Yuanjie Huang <Yuanjie.Huang@windriver.com>
+---
+ libstdc++-v3/ChangeLog           |  6 ++++++
+ libstdc++-v3/src/c++11/random.cc | 24 +++++++++++++++++-------
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
+index 51a5a9f..5df4d8c 100644
+--- a/libstdc++-v3/ChangeLog
++++ b/libstdc++-v3/ChangeLog
+@@ -1,3 +1,9 @@
++2015-09-17  Jonathan Wakely  <jwakely@redhat.com>
++
++	PR libstdc++/65142
++	* src/c++11/random.cc (random_device::_M_getval()): Retry after short
++	reads.
++
+ 2015-09-11  Jonathan Wakely  <jwakely@redhat.com>
+ 
+ 	PR libstdc++/65142
+diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
+index ab3e55d..db2f841 100644
+--- a/libstdc++-v3/src/c++11/random.cc
++++ b/libstdc++-v3/src/c++11/random.cc
+@@ -129,16 +129,26 @@ namespace std _GLIBCXX_VISIBILITY(default)
+ #endif
+ 
+     result_type __ret;
+-
++    void* p = &__ret;
++    size_t n = sizeof(result_type);
+ #ifdef _GLIBCXX_HAVE_UNISTD_H
+-    auto e = read(fileno(static_cast<FILE*>(_M_file)),
+-		  static_cast<void*>(&__ret), sizeof(result_type));
++    do
++      {
++	const int e = read(fileno(static_cast<FILE*>(_M_file)), p, n);
++	if (e > 0)
++	  {
++	    n -= e;
++	    p = static_cast<char*>(p) + e;
++	  }
++	else if (e != -1 || errno != EINTR)
++	  __throw_runtime_error(__N("random_device could not be read"));
++      }
++    while (n > 0);
+ #else
+-    auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
+-		        1, static_cast<FILE*>(_M_file));
++    const size_t e = std::fread(p, n, 1, static_cast<FILE*>(_M_file));
++    if (e != 1)
++      __throw_runtime_error(__N("random_device could not be read"));
+ #endif
+-    if (e != sizeof(result_type))
+-      __throw_runtime_error(__N("random_device could not read enough bytes"));
+ 
+     return __ret;
+   }
+-- 
+2.0.1
+
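Review bot: The retry loop now depends on `errno` and `EINTR`, but this hunk adds no `#include <cerrno>` and random.cc's include list is outside the hunk; please confirm the file already includes it (directly or transitively), otherwise libstdc++ fails to build with this backport. `const int e = read(...)` narrows the `ssize_t` return; harmless for a 4-byte `result_type`, but `const ssize_t e = read(fileno(static_cast<FILE*>(_M_file)), p, n);` matches the API and keeps `n -= e` honest. Note the loop has no retry bound: a blocking source that keeps returning EINTR is retried indefinitely, which is the intended fix for the short-read weakness rather than a defect, but worth a comment such as `// short reads and EINTR are retried; EOF (e == 0) and real errors throw`. The rest of `_M_getval()` (token handling, the `_M_file` setup) is outside the hunk.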
-- 
1.9.1




* Re: [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276
  2015-12-04  2:01 [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276 Yuanjie Huang
@ 2015-12-05 20:53 ` Burton, Ross
  2015-12-05 21:02 ` Burton, Ross
  2015-12-06  8:19 ` Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Burton, Ross @ 2015-12-05 20:53 UTC (permalink / raw)
  To: Yuanjie Huang; +Cc: OE-core


On 4 December 2015 at 02:01, Yuanjie Huang <Yuanjie.Huang@windriver.com>
wrote:

> Upstream-status: backport[4.9.4]
>

Correct capitalisation please as this is machine-readable metadata:
Upstream-Status: Backport [4.9.4].  Also it should be in the patch itself,
not the commit log.  As M1 is closing shortly and this is a security issue,
I'll fix the patch.

Ross


* Re: [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276
  2015-12-04  2:01 [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276 Yuanjie Huang
  2015-12-05 20:53 ` Burton, Ross
@ 2015-12-05 21:02 ` Burton, Ross
  2015-12-06  8:19 ` Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Burton, Ross @ 2015-12-05 21:02 UTC (permalink / raw)
  To: Yuanjie Huang; +Cc: OE-core


On 4 December 2015 at 02:01, Yuanjie Huang <Yuanjie.Huang@windriver.com>
wrote:

> The std::random_device class in libstdc++ in the GNU Compiler Collection
> (aka GCC) before 4.9.4 does not properly handle short reads from
> blocking sources, which makes it easier for context-dependent attackers
> to predict the random values via unspecified vectors.
>

I see from the CVE that 5.2 is also affected - will you be submitting
patches for that too?

Ross


* Re: [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276
  2015-12-04  2:01 [PATCH] gcc: Security Advisory - gcc - CVE-2015-5276 Yuanjie Huang
  2015-12-05 20:53 ` Burton, Ross
  2015-12-05 21:02 ` Burton, Ross
@ 2015-12-06  8:19 ` Khem Raj
  2 siblings, 0 replies; 4+ messages in thread
From: Khem Raj @ 2015-12-06  8:19 UTC (permalink / raw)
  To: Yuanjie Huang; +Cc: Patches and discussions about the oe-core layer

you also need to backport

https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=fd16f36d1986fbbb9f802b3649e543f3f41227ea

along with the others

On Thu, Dec 3, 2015 at 6:01 PM, Yuanjie Huang
<Yuanjie.Huang@windriver.com> wrote:
> From: Yuanjie Huang <yuanjie.huang@windriver.com>
>
> The std::random_device class in libstdc++ in the GNU Compiler Collection
> (aka GCC) before 4.9.4 does not properly handle short reads from
> blocking sources, which makes it easier for context-dependent attackers
> to predict the random values via unspecified vectors.
>
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5276
>
> Patches backported from upstream as:
> git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687
> 138bc75d-0d04-0410-961f-82ee72b054a4
> git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872
> 138bc75d-0d04-0410-961f-82ee72b054a4
>
> Upstream-status: backport[4.9.4]
>
> Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
> ---
>  meta/recipes-devtools/gcc/gcc-4.9.inc              |  2 +
>  ...67-Check-read-result-in-std-random_device.patch | 57 +++++++++++++++++
>  ...std-random_device-retry-after-short-reads.patch | 71 ++++++++++++++++++++++
>  3 files changed, 130 insertions(+)
>  create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
>  create mode 100644 meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
>
> diff --git a/meta/recipes-devtools/gcc/gcc-4.9.inc b/meta/recipes-devtools/gcc/gcc-4.9.inc
> index 6ac3685..f3af41f 100644
> --- a/meta/recipes-devtools/gcc/gcc-4.9.inc
> +++ b/meta/recipes-devtools/gcc/gcc-4.9.inc
> @@ -82,6 +82,8 @@ SRC_URI = "\
>      file://0064-handle-target-sysroot-multilib.patch \
>      file://0065-gcc-483-universal-initializer-no-warning.patch \
>      file://0066-cxxflags-for-build.patch \
> +    file://0067-Check-read-result-in-std-random_device.patch \
> +    file://0068-Make-std-random_device-retry-after-short-reads.patch \
>  "
>  SRC_URI[md5sum] = "6f831b4d251872736e8e9cc09746f327"
>  SRC_URI[sha256sum] = "2332b2a5a321b57508b9031354a8503af6fdfb868b8c1748d33028d100a8b67e"
> diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
> new file mode 100644
> index 0000000..352567f
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-4.9/0067-Check-read-result-in-std-random_device.patch
> @@ -0,0 +1,57 @@
> +From 2ef472318fe63bc092d3f1cc455116c50f853adf Mon Sep 17 00:00:00 2001
> +From: redi <redi@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Fri, 11 Sep 2015 13:44:26 +0000
> +Subject: [PATCH 1/2] Check read() result in std::random_device.
> +
> +       PR libstdc++/65142
> +       * src/c++11/random.cc (random_device::_M_getval()): Check read result.
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227687 138bc75d-0d04-0410-961f-82ee72b054a4
> +Signed-off-by: Yuanjie Huang <Yuanjie.Huang@windriver.com>
> +---
> + libstdc++-v3/ChangeLog           |  5 +++++
> + libstdc++-v3/src/c++11/random.cc | 12 ++++++++----
> + 2 files changed, 13 insertions(+), 4 deletions(-)
> +
> +diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
> +index a742a72..51a5a9f 100644
> +--- a/libstdc++-v3/ChangeLog
> ++++ b/libstdc++-v3/ChangeLog
> +@@ -1,3 +1,8 @@
> ++2015-09-11  Jonathan Wakely  <jwakely@redhat.com>
> ++
> ++      PR libstdc++/65142
> ++      * src/c++11/random.cc (random_device::_M_getval()): Check read result.
> ++
> + 2015-06-26  Release Manager
> +
> +       * GCC 4.9.3 released.
> +diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
> +index f61daea..ab3e55d 100644
> +--- a/libstdc++-v3/src/c++11/random.cc
> ++++ b/libstdc++-v3/src/c++11/random.cc
> +@@ -129,13 +129,17 @@ namespace std _GLIBCXX_VISIBILITY(default)
> + #endif
> +
> +     result_type __ret;
> ++
> + #ifdef _GLIBCXX_HAVE_UNISTD_H
> +-    read(fileno(static_cast<FILE*>(_M_file)),
> +-       static_cast<void*>(&__ret), sizeof(result_type));
> ++    auto e = read(fileno(static_cast<FILE*>(_M_file)),
> ++                static_cast<void*>(&__ret), sizeof(result_type));
> + #else
> +-    std::fread(static_cast<void*>(&__ret), sizeof(result_type),
> +-             1, static_cast<FILE*>(_M_file));
> ++    auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
> ++                      1, static_cast<FILE*>(_M_file));
> + #endif
> ++    if (e != sizeof(result_type))
> ++      __throw_runtime_error(__N("random_device could not read enough bytes"));
> ++
> +     return __ret;
> +   }
> +
> +--
> +2.0.1
> +
> diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
> new file mode 100644
> index 0000000..e0c475e
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-4.9/0068-Make-std-random_device-retry-after-short-reads.patch
> @@ -0,0 +1,71 @@
> +From a1f5c28240646583a99c6cc2986d490f71f2157d Mon Sep 17 00:00:00 2001
> +From: redi <redi@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Thu, 17 Sep 2015 15:06:42 +0000
> +Subject: [PATCH 2/2] Make std::random_device retry after short reads
> +
> +       PR libstdc++/65142
> +       * src/c++11/random.cc (random_device::_M_getval()): Retry after short
> +       reads.
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227872 138bc75d-0d04-0410-961f-82ee72b054a4
> +Signed-off-by: Yuanjie Huang <Yuanjie.Huang@windriver.com>
> +---
> + libstdc++-v3/ChangeLog           |  6 ++++++
> + libstdc++-v3/src/c++11/random.cc | 24 +++++++++++++++++-------
> + 2 files changed, 23 insertions(+), 7 deletions(-)
> +
> +diff --git a/libstdc++-v3/ChangeLog b/libstdc++-v3/ChangeLog
> +index 51a5a9f..5df4d8c 100644
> +--- a/libstdc++-v3/ChangeLog
> ++++ b/libstdc++-v3/ChangeLog
> +@@ -1,3 +1,9 @@
> ++2015-09-17  Jonathan Wakely  <jwakely@redhat.com>
> ++
> ++      PR libstdc++/65142
> ++      * src/c++11/random.cc (random_device::_M_getval()): Retry after short
> ++      reads.
> ++
> + 2015-09-11  Jonathan Wakely  <jwakely@redhat.com>
> +
> +       PR libstdc++/65142
> +diff --git a/libstdc++-v3/src/c++11/random.cc b/libstdc++-v3/src/c++11/random.cc
> +index ab3e55d..db2f841 100644
> +--- a/libstdc++-v3/src/c++11/random.cc
> ++++ b/libstdc++-v3/src/c++11/random.cc
> +@@ -129,16 +129,26 @@ namespace std _GLIBCXX_VISIBILITY(default)
> + #endif
> +
> +     result_type __ret;
> +-
> ++    void* p = &__ret;
> ++    size_t n = sizeof(result_type);
> + #ifdef _GLIBCXX_HAVE_UNISTD_H
> +-    auto e = read(fileno(static_cast<FILE*>(_M_file)),
> +-                static_cast<void*>(&__ret), sizeof(result_type));
> ++    do
> ++      {
> ++      const int e = read(fileno(static_cast<FILE*>(_M_file)), p, n);
> ++      if (e > 0)
> ++        {
> ++          n -= e;
> ++          p = static_cast<char*>(p) + e;
> ++        }
> ++      else if (e != -1 || errno != EINTR)
> ++        __throw_runtime_error(__N("random_device could not be read"));
> ++      }
> ++    while (n > 0);
> + #else
> +-    auto e = std::fread(static_cast<void*>(&__ret), sizeof(result_type),
> +-                      1, static_cast<FILE*>(_M_file));
> ++    const size_t e = std::fread(p, n, 1, static_cast<FILE*>(_M_file));
> ++    if (e != 1)
> ++      __throw_runtime_error(__N("random_device could not be read"));
> + #endif
> +-    if (e != sizeof(result_type))
> +-      __throw_runtime_error(__N("random_device could not read enough bytes"));
> +
> +     return __ret;
> +   }
> +--
> +2.0.1
> +
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


