[Bug 2054343] Re: CVE-2023-4039: ARM64 GCC
Mauricio Faria de Oliveira
2054343 at bugs.launchpad.net
Thu Oct 10 21:16:11 UTC 2024
Patches for gcc-11:
$ git log --oneline --before 2023-09-12 --after 2023-09-11 --author 'Richard Sandiford' origin/releases/gcc-11 --
bea0985749c1 aarch64: Make stack smash canary protect saved registers
4bbf7b6cdd02 aarch64: Remove below_hard_fp_saved_regs_size
9ed9fd54b2b4 aarch64: Explicitly record probe registers in frame info
e932e11c353b aarch64: Simplify probe of final frame allocation
174a9747491e aarch64: Put LR save probe in first 16 bytes
f22329d5efba aarch64: Tweak stack clash boundary condition
bb4600071acc aarch64: Minor initial adjustment tweak
8b664cc8f05c aarch64: Simplify top of frame allocation
999c4a81cffd aarch64: Measure reg_offset from the bottom of the frame
b8cd5a0229da aarch64: Tweak frame_size comment
fa6600b55b49 aarch64: Rename hard_fp_offset to bytes_above_hard_fp
82fb69e75c21 aarch64: Rename locals_offset to bytes_above_locals
7356df0319ae aarch64: Only calculate chain_offset if there is a chain
e8a7ec87fcdb aarch64: Tweak aarch64_save/restore_callee_saves
d3f6ceecc8a7 aarch64: Add bytes_below_hard_fp to frame info
a8385d143186 aarch64: Add bytes_below_saved_regs to frame info
5efdcc8ed19d aarch64: Explicitly handle frames with no saved registers
a2a57f7ec791 aarch64: Avoid a use of callee_offset
52816ab48f97 aarch64: Use local frame vars in shrink-wrapping code
Gitweb:
https://gcc.gnu.org/git/?p=gcc.git;a=shortlog;h=bea0985749c12fcc264710586addb7838cc61e6d&hp=2eb8e5cba7408e2a4016a8f5c48e4980abdd1d08
Generated a single .patch file just like src:gcc-11's d/p/git-
updates.diff
$ LANG=C git diff --no-renames --src-prefix=a/src/ --dst-prefix=b/src/ \
52816ab48f97968f3fbfb5656250f3de7c00166d^ bea0985749c12fcc264710586addb7838cc61e6d \
| awk '/^diff .*\.texi/ {skip=1; next} /^diff / { skip=0 } skip==0' \
| grep -v -E '^(diff|index)' \
> cve-2023-4039.diff
For verification purposes, this patch can be cleanly reverted
from the gcc-11 package that introduced its changes in Mantic:
gcc-11 (11.4.0-4) unstable; urgency=medium
- Address stack protector and stack clash protection weaknesses
on AArch64. CVE-2023-4039.
$ pull-lp-source gcc-11 mantic 11.4.0-4ubuntu1
$ cd gcc-11-11.4.0/
$ debian/rules patch
$ patch -R -p1 -F0 --dry-run < /tmp/gcc-11/cve-2023-4039.diff
checking file src/gcc/config/aarch64/aarch64.c
checking file src/gcc/config/aarch64/aarch64.h
checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
checking file src/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c
$ echo $?
0
Changelog entry:
'd/p/cve-2023-4039.diff: Address stack protector and stack clash
protection weaknesses on AArch64. CVE-2023-4039. (LP: #2054343) Taken
from the gcc-11 branch.'
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-10 in Ubuntu.
https://bugs.launchpad.net/bugs/2054343
Title:
CVE-2023-4039: ARM64 GCC
Status in gcc-10 package in Ubuntu:
Fix Released
Status in gcc-11 package in Ubuntu:
Fix Released
Status in gcc-12 package in Ubuntu:
Fix Released
Status in gcc-13 package in Ubuntu:
Fix Released
Status in gcc-9 package in Ubuntu:
Fix Released
Status in gcc-10 source package in Focal:
Triaged
Status in gcc-9 source package in Focal:
Won't Fix
Status in gcc-10 source package in Jammy:
Triaged
Status in gcc-11 source package in Jammy:
Triaged
Status in gcc-12 source package in Jammy:
Triaged
Status in gcc-9 source package in Jammy:
Triaged
Status in gcc-10 source package in Noble:
Fix Released
Status in gcc-11 source package in Noble:
Fix Released
Status in gcc-12 source package in Noble:
Fix Released
Status in gcc-13 source package in Noble:
Fix Released
Bug description:
[Impact]
Some gcc versions in Jammy and Focal are still
vulnerable to the arm64-specific CVE-2023-4039
(-fstack-protector guard failures with dynamic
stack allocations).
This impacts detecting, e.g., buffer overflows,
resulting in less secure Ubuntu arm64 packages
and user-built binaries.
[Test Plan]
Use the test-case in the vulnerability post [1],
as in comments #20 and #21.
Without patches, the test fails with Bus Error
and a register value modified by the program.
With the patches, the test fails with Aborted
(buffer overflow detected) and register value
unmodified.
[1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html
[Regression Potential]
The patchset modifies arm64-specific code gen,
therefore any arm64 program might be affected,
while other architectures should not.
That is, signs of regressions from this would
manifest as errors seen only in arm64 programs
but not in other architectures.
Potential fallout is expected to occur early
and/or with dynamic allocations in the stack,
and could manifest in different, subtle ways.
That is concerning, however, fortunately this
patchset has been introduced for a while now
in the _same gcc versions_ in _newer_ series.
That gives confidence to SRU the _same_ change
to the _same_ gcc versions (to _older_ series).
[Other Info]
- gcc-14: fixed in Noble/Oracular (comment #22)
- gcc-13: fixed in Noble/Oracular (comment #23)
- gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13)
- gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14)
- gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15)
- gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16)
The fix for gcc-9/Focal FTBFS due to an Ada-related check.
For the moment, it's not going to be pursued/analyzed more
as agreed with the original reporter (sufficient for them).
If others need it, please reopen and analyze/fix the error.
For more information about the issue and patches: [2]
[2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications
[Original Bug Description]
See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz
The above build is supposed to address
https://nvd.nist.gov/vuln/detail/CVE-2023-4039
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-10/+bug/2054343/+subscriptions
More information about the foundations-bugs
mailing list