https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90222
Bug ID: 90222
Summary: Speculative execution data leak
Product: gcc
Version: 6.4.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libstdc++
Assignee: unassigned at gcc dot gnu.org
Reporter: venkateshprabu at gmail dot com
Target Milestone: ---

File: aarch64-gnu-linux/usr/include/c++/6.4.1/aarch64-gnu-linux/bits/ctype_inline.h

Speculative execution data leak
An attacker might be able to read the process' memory.
In std::ctype<char>::scan_is(unsigned short, char const *, char const *): Accessing memory based on a speculative out-of-bounds access. (CWE-200)

Coverity report:

37 namespace std _GLIBCXX_VISIBILITY(default)
38 {
39 _GLIBCXX_BEGIN_NAMESPACE_VERSION
40
41   bool
42   ctype<char>::
43   is(mask __m, char __c) const
44   { return _M_table[static_cast<unsigned char>(__c)] & __m; }
45
46   const char*
47   ctype<char>::
48   is(const char* __low, const char* __high, mask* __vec) const
49   {
50     while (__low < __high)

     CID 8654704: Nested memory access (AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK)

51       *__vec++ = _M_table[static_cast<unsigned char>(*__low++)];
52     return __high;
53   }
54
55   const char*
56   ctype<char>::
57   scan_is(mask __m, const char* __low, const char* __high) const
58   {

     1. compare_value: Comparing __low in __low < __high.
     2. Condition __low < __high, taking true branch.
     3. compared_memory_access: Using compared value __low to access memory in *__low, yielding a potentially sensitive 1-byte value.

     CID 8655024 (#1 of 1): Speculative execution data leak (AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK)
     4. sensitive_memory_access: Using sensitive value static_cast<unsigned char>(*__low) to access memory in this->_M_table[static_cast<unsigned char>(*__low)].
     Insert a barrier, such as the lfence instruction, between the comparison and the memory accesses to prevent speculative execution.

59     while (__low < __high
60            && !(_M_table[static_cast<unsigned char>(*__low)] & __m))
61       ++__low;
62     return __low;
63   }
64
65   const char*
66   ctype<char>::
67   scan_not(mask __m, const char* __low, const char* __high) const
68   {

     CID 8654818: Speculative execution data leak (AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK)

69     while (__low < __high
70            && (_M_table[static_cast<unsigned char>(*__low)] & __m) != 0)
71       ++__low;
72     return __low;
73   }
74
75 _GLIBCXX_END_NAMESPACE_VERSION
76 } // namespace
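
The following is an added example, not part of the bug report and not libstdc++ code. It puts the flagged scan_is loop shape next to a variant that passes the loaded byte through GCC's target-independent __builtin_speculation_safe_value before it indexes the table, which is the barrier placement the Coverity events describe. The names Table, g_table, DIGIT, SPEC_SAFE, scan_is_plain and scan_is_hardened are hypothetical, and the table is a constructed stand-in for _M_table.

```cpp
#include <cstdio>

// Constructed stand-in for ctype<char>::_M_table: only a digit bit is modelled.
static const unsigned short DIGIT = 1;
struct Table {
    unsigned short v[256] = {};
    Table() { for (int c = '0'; c <= '9'; ++c) v[c] = DIGIT; }
};
static const Table g_table;

// GCC predefines __HAVE_SPECULATION_SAFE_VALUE when the builtin exists.
// Without it SPEC_SAFE is the identity: same results, no speculation barrier.
#ifdef __HAVE_SPECULATION_SAFE_VALUE
#  define SPEC_SAFE(x) __builtin_speculation_safe_value(x)
#else
#  define SPEC_SAFE(x) (x)
#endif

// Same shape as the flagged loop: bounds compare, load of *low, then a
// second load whose address depends on the byte just read.
const char* scan_is_plain(unsigned short m, const char* low, const char* high) {
    while (low < high && !(g_table.v[static_cast<unsigned char>(*low)] & m))
        ++low;
    return low;
}

// Hardened variant: if the "low < high" branch was mispredicted, the builtin
// either stalls or yields 0, so the table address never depends on a byte
// read past the end of the range.
const char* scan_is_hardened(unsigned short m, const char* low, const char* high) {
    while (low < high) {
        unsigned char idx = SPEC_SAFE(static_cast<unsigned char>(*low));
        if (g_table.v[idx] & m)
            break;
        ++low;
    }
    return low;
}

int main() {
    const char s[] = "ab12cd";  // constructed sample input
    std::printf("plain:    first digit at offset %d\n",
                static_cast<int>(scan_is_plain(DIGIT, s, s + 6) - s));
    std::printf("hardened: first digit at offset %d\n",
                static_cast<int>(scan_is_hardened(DIGIT, s, s + 6) - s));
    return 0;
}
```

Both functions return the same pointer for every input; the hardened one pays for a barrier on each loop iteration, so compare the generated code and the cost on the actual target before adopting the pattern.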