[Bug 2054343] Re: CVE-2023-4039: ARM64 GCC
Mauricio Faria de Oliveira
2054343 at bugs.launchpad.net
Thu Oct 10 21:16:27 UTC 2024
Patches for gcc-10:
$ git config --add remote.origin.fetch '+refs/vendors/ARM/heads/CVE-2023-4039/gcc-10:refs/remotes/origin/ARM_CVE-2023-4039_gcc-10'
$ git fetch
$ git log --oneline origin/ARM_CVE-2023-4039_gcc-10 | head -n20
dad1c82acf67 aarch64: Make stack smash canary protect saved registers
1c659316abe9 aarch64: Remove below_hard_fp_saved_regs_size
3c73e7bc86a9 aarch64: Explicitly record probe registers in frame info
c940aadecb4f aarch64: Simplify probe of final frame allocation
128abc59aedc aarch64: Put LR save probe in first 16 bytes
af6bac9775e7 aarch64: Tweak stack clash boundary condition
5854b895a92e aarch64: Minor initial adjustment tweak
ff7193c5313d aarch64: Simplify top of frame allocation
ae7192e24b8f aarch64: Measure reg_offset from the bottom of the frame
b5e2fcfa7a1c aarch64: Tweak frame_size comment
ba6a8c0b2cb2 aarch64: Rename hard_fp_offset to bytes_above_hard_fp
45365e7aeb03 aarch64: Rename locals_offset to bytes_above_locals
176001612860 aarch64: Only calculate chain_offset if there is a chain
6ef2e97b16be aarch64: Tweak aarch64_save/restore_callee_saves
a519149de34f aarch64: Add bytes_below_hard_fp to frame info
781490f3e1bd aarch64: Add bytes_below_saved_regs to frame info
c8ffe35ca907 aarch64: Explicitly handle frames with no saved registers
901269e14884 aarch64: Avoid a use of callee_offset
153060b97c66 aarch64: Use local frame vars in shrink-wrapping code
d04fe5541c53 Update ChangeLog and version files for release
Gitweb:
https://gcc.gnu.org/git/?p=gcc.git;a=shortlog;h=dad1c82acf67a8a1cc68e2acf3ec89a503e361fc&hp=d04fe5541c53cb16d1ca5c80da044b4c7633dbc6
Generated a single .patch file just like src:gcc-10's d/p/git-updates.diff
$ LANG=C git diff --no-renames --src-prefix=a/src/ --dst-prefix=b/src/ \
153060b97c667bbd06caad9c3fc1f9f6fe7266df^ dad1c82acf67a8a1cc68e2acf3ec89a503e361fc \
| awk '/^diff .*\.texi/ {skip=1; next} /^diff / { skip=0 } skip==0' \
| grep -v -E '^(diff|index)' \
> cve-2023-4039.diff
For verification purposes, this patch can be cleanly reverted
from the gcc-10 package that introduced its changes in Noble:
gcc-10 (10.5.0-4) unstable; urgency=medium
* Fix ftbfs on AArch64 in previous upload.
gcc-10 (10.5.0-3) unstable; urgency=medium
* Address stack protector and stack clash protection weaknesses
on AArch64. CVE-2023-4039. Taken from the gcc-11 branch.
$ pull-lp-source gcc-10 noble 10.5.0-4ubuntu1
$ cd gcc-10-10.5.0/
$ debian/rules patch
$ patch -R -p1 -F0 --dry-run < /tmp/gcc-10/cve-2023-4039.diff
checking file src/gcc/config/aarch64/aarch64.c
checking file src/gcc/config/aarch64/aarch64.h
checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
checking file src/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c
$ echo $?
0
Changelog entry:
'd/p/cve-2023-4039.diff: Address stack protector and stack clash
protection weaknesses on AArch64. CVE-2023-4039. (LP: #2054343) Taken
from the vendors/ARM/heads/CVE-2023-4039/gcc-10 branch.'
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-10 in Ubuntu.
https://bugs.launchpad.net/bugs/2054343
Title:
CVE-2023-4039: ARM64 GCC
Status in gcc-10 package in Ubuntu:
Fix Released
Status in gcc-11 package in Ubuntu:
Fix Released
Status in gcc-12 package in Ubuntu:
Fix Released
Status in gcc-13 package in Ubuntu:
Fix Released
Status in gcc-9 package in Ubuntu:
Fix Released
Status in gcc-10 source package in Focal:
Triaged
Status in gcc-9 source package in Focal:
Won't Fix
Status in gcc-10 source package in Jammy:
Triaged
Status in gcc-11 source package in Jammy:
Triaged
Status in gcc-12 source package in Jammy:
Triaged
Status in gcc-9 source package in Jammy:
Triaged
Status in gcc-10 source package in Noble:
Fix Released
Status in gcc-11 source package in Noble:
Fix Released
Status in gcc-12 source package in Noble:
Fix Released
Status in gcc-13 source package in Noble:
Fix Released
Bug description:
[Impact]
Some gcc versions in Jammy and Focal are still
vulnerable to the arm64-specific CVE-2023-4039
(-fstack-protector guard failures with dynamic
stack allocations).
This impacts detecting, e.g., buffer overflows,
resulting in less secure Ubuntu arm64 packages
and user-built binaries.
[Test Plan]
Use the test-case in the vulnerability post [1],
as in comments #20 and #21.
Without patches, the test fails with Bus Error
and a register value modified by the program.
With the patches, the test fails with Aborted
(buffer overflow detected) and register value
unmodified.
[1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html
[Regression Potential]
The patchset modifies arm64-specific code gen,
therefore any arm64 program might be affected,
while other architectures should not be.
That is, signs of regressions from this would
manifest as errors seen only in arm64 programs
but not in other architectures.
Potential fallout is expected to occur early
and/or with dynamic allocations in the stack,
and could manifest in different, subtle ways.
That is concerning; however, fortunately this
patchset has been present for a while now
in the _same gcc versions_ in _newer_ series.
That gives confidence to SRU the _same_ change
to the _same_ gcc versions (to _older_ series).
[Other Info]
- gcc-14: fixed in Noble/Oracular (comment #22)
- gcc-13: fixed in Noble/Oracular (comment #23)
- gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13)
- gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14)
- gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15)
- gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16)
The fix for gcc-9/Focal FTBFS due to an Ada-related check.
For the moment, it's not going to be pursued/analyzed more
as agreed with the original reporter (sufficient for them).
If others need it, please reopen and analyze/fix the error.
For more information about the issue and patches: [2]
[2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications
[Original Bug Description]
See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz
The above build is supposed to address
https://nvd.nist.gov/vuln/detail/CVE-2023-4039
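The awk/grep filter used above to produce cve-2023-4039.diff, wrapped in functions and run over a constructed diff so its effect can be checked offline. This is an added example, not code from the bug comment or from the gcc-10 package: the three-file sample diff, its paths and hunk contents, and the helper names sample_diff, strip_texi_hunks, patched_files and check_filtered are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): the .texi-stripping filter used to
# build cve-2023-4039.diff, exercised on a constructed diff.

# Constructed sample `git diff` output (assumed content, not from the page):
# one documentation file (.texi), one source file and one new testsuite file.
sample_diff() {
  cat <<'EOF'
diff --git a/src/gcc/doc/invoke.texi b/src/gcc/doc/invoke.texi
index 1111111..2222222 100644
--- a/src/gcc/doc/invoke.texi
+++ b/src/gcc/doc/invoke.texi
@@ -1,2 +1,2 @@
-@item -fstack-protector old text
+@item -fstack-protector new text
diff --git a/src/gcc/config/aarch64/aarch64.c b/src/gcc/config/aarch64/aarch64.c
index 3333333..4444444 100644
--- a/src/gcc/config/aarch64/aarch64.c
+++ b/src/gcc/config/aarch64/aarch64.c
@@ -10,3 +10,3 @@
 int context_line;
-int old_line;
+int new_line;
diff --git a/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
new file mode 100644
index 0000000..5555555
--- /dev/null
+++ b/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
@@ -0,0 +1 @@
+/* new test */
EOF
}

# Same awk/grep pipeline as in the bug comment: skip every file section whose
# `diff` header names a .texi file, then drop the `diff`/`index` lines so the
# result carries plain ---/+++ headers only, like d/p/git-updates.diff.
strip_texi_hunks() {
  awk '/^diff .*\.texi/ {skip=1; next} /^diff / { skip=0 } skip==0' \
    | grep -v -E '^(diff|index)'
}

# List the destination paths (+++ b/...) of a filtered diff, one per line,
# so the file list can be compared against `patch --dry-run` output.
patched_files() {
  sed -n 's/^+++ b\///p'
}

# Sanity check on a filtered diff read from stdin: returns 0 when no residual
# `diff`/`index` header or .texi path remains, 1 otherwise.
check_filtered() {
  if grep -q -E '^(diff |index )|\.texi'; then
    return 1
  fi
  return 0
}

# Demonstration when run directly: print the files the filtered diff touches.
sample_diff | strip_texi_hunks | patched_files
```

Running the script prints the two non-.texi paths; piping the filtered diff through check_filtered gives a quick assertion that the documentation sections and the git-specific headers are gone before the file is dropped into debian/patches.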