Vulnerability in GCC affecting POWER9 backends
CVE-2019-15847

7.5 HIGH

Key Information:

Vendor: Gnu
Status
Vendor
CVE Published: 2 September 2019

Summary

The POWER9 backend in the GNU Compiler Collection (GCC) before version 10 has a vulnerability in which the compiler can improperly optimize multiple calls of the __builtin_darn intrinsic. As a result, different calls within a single program execution can return identical output, compromising the expected randomness of the random number generator. The issue arises because a volatile operation was not specified, resulting in predictable values with reduced entropy.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
