[Bug 2054343] Re: CVE-2023-4039: ARM64 GCC

Mauricio Faria de Oliveira 2054343 at bugs.launchpad.net
Thu Oct 10 21:16:35 UTC 2024


Patches for gcc-9:

	$ git config --add remote.origin.fetch '+refs/vendors/ARM/heads/CVE-2023-4039/gcc-9:refs/remotes/origin/ARM_CVE-2023-4039_gcc-9'
	$ git fetch

	$ git log --oneline origin/ARM_CVE-2023-4039_gcc-9 | head -n11
	bf3eeaa0182a aarch64: Make stack smash canary protect saved registers
	f2684e63652b aarch64: Simplify probe of final frame allocation
	12517baf6c88 aarch64: Put LR save probe in first 16 bytes
	4dd8925d95d3 aarch64: Tweak stack clash boundary condition
	cfed3b87e935 Backport check-function-bodies support
	eb2271eb6bb6 aarch64: Tweak frame_size comment
	16016465ff28 aarch64: Rename hard_fp_offset to bytes_above_hard_fp
	4604c4cd0a6c aarch64: Rename locals_offset to bytes_above_locals
	347487fffa02 aarch64: Add bytes_below_hard_fp to frame info
	78ebdb7b12d5 aarch64: Explicitly handle frames with no saved registers
	7a15b5060a83 Update ChangeLog and version files for release

Gitweb:
	https://gcc.gnu.org/git/?p=gcc.git;a=shortlog;h=bf3eeaa0182a92987570d9c787bd45079eebf528&hp=7a15b5060a83ea8282323d92043c6152e6a3e22d

Generated a single .patch file just like src:gcc-9's d/p/git-updates.diff


	LANG=C git diff --no-renames --src-prefix=a/src/ --dst-prefix=b/src/ \
		78ebdb7b12d5e258b9811bab715734454268fd0c^ bf3eeaa0182a92987570d9c787bd45079eebf528 \
		| awk '/^diff .*\.texi/ {skip=1; next} /^diff / { skip=0 } skip==0' \
		| grep -v -E '^(diff|index)' \
		> cve-2023-4039.diff

For verification purposes, this patch can be cleanly reverted
from the gcc-9 package that introduced its changes in Noble:

	gcc-9 (9.5.0-6) unstable; urgency=medium

	  * Address stack protector and stack clash protection weaknesses
	    on AArch64. CVE-2023-4039.

	$ pull-lp-source gcc-9 noble 9.5.0-6ubuntu1
	$ cd gcc-9-9.5.0/
	$ debian/rules patch
	$ patch -R -p1 -F0 --dry-run < /tmp/gcc-9/cve-2023-4039.diff
	checking file src/gcc/config/aarch64/aarch64.c
	checking file src/gcc/config/aarch64/aarch64.h
	checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
	checking file src/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
	checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
	checking file src/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
	checking file src/gcc/testsuite/lib/scanasm.exp
	$ echo $?
	0
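As an added example (not part of this message or of the gcc-9 package), the awk/grep filter from the pipeline above, run on a constructed sample `git diff` so its effect can be checked before a revert test like the one above; the function names, the sample hunks and their paths are assumptions:

```shell
#!/bin/sh
# Added example (not from the bug report): the awk/grep filter used above,
# run on a constructed sample `git diff` so its effect can be checked.

# Same filter as in the message: skip every hunk whose "diff" header names a
# .texi file, then drop the git-specific "diff --git" and "index" lines so the
# output is a plain unified diff with "--- a/src/" and "+++ b/src/" headers
# that `patch -p1` and dpkg-source understand.
filter_patch() {
    awk '/^diff .*\.texi/ {skip=1; next} /^diff / { skip=0 } skip==0' \
    | grep -v -E '^(diff|index)'
}

# Paths a filtered patch touches, read from its "+++ b/" headers.
patched_files() {
    grep -E '^\+\+\+ b/' | sed 's|^+++ b/||'
}

# Constructed sample diff (not the real CVE patch): one aarch64.c change, one
# .texi documentation change that must be dropped, one new testsuite file.
SAMPLE_DIFF='diff --git a/src/gcc/config/aarch64/aarch64.c b/src/gcc/config/aarch64/aarch64.c
index 1111111..2222222 100644
--- a/src/gcc/config/aarch64/aarch64.c
+++ b/src/gcc/config/aarch64/aarch64.c
@@ -1,2 +1,3 @@
 int a;
+int b;
 int c;
diff --git a/src/gcc/doc/invoke.texi b/src/gcc/doc/invoke.texi
index 3333333..4444444 100644
--- a/src/gcc/doc/invoke.texi
+++ b/src/gcc/doc/invoke.texi
@@ -1 +1,2 @@
 @node Foo
+Documentation change that must not reach the package patch.
diff --git a/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
index 5555555..6666666 100644
--- a/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
+++ b/src/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
@@ -0,0 +1 @@
+/* constructed test file */'

# The filtered sample diff, and the space-separated list of files it touches.
filtered_sample() { printf '%s\n' "$SAMPLE_DIFF" | filter_patch; }
filtered_sample_files() { filtered_sample | patched_files | tr '\n' ' '; }

filtered_sample_files
```

The file list printed at the end is what `patch --dry-run` should later report as "checking file" lines, so a mismatch between the two is a quick sign that the filter or the source tree is not what was expected.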
	
Changelog entry:

	'd/p/cve-2023-4039.diff: Address stack protector and stack clash
	protection weaknesses on AArch64. CVE-2023-4039. (LP: #2054343) Taken
	from the vendors/ARM/heads/CVE-2023-4039/gcc-9 branch.'

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-10 in Ubuntu.
https://bugs.launchpad.net/bugs/2054343

Title:
  CVE-2023-4039: ARM64 GCC

Status in gcc-10 package in Ubuntu:
  Fix Released
Status in gcc-11 package in Ubuntu:
  Fix Released
Status in gcc-12 package in Ubuntu:
  Fix Released
Status in gcc-13 package in Ubuntu:
  Fix Released
Status in gcc-9 package in Ubuntu:
  Fix Released
Status in gcc-10 source package in Focal:
  Triaged
Status in gcc-9 source package in Focal:
  Won't Fix
Status in gcc-10 source package in Jammy:
  Triaged
Status in gcc-11 source package in Jammy:
  Triaged
Status in gcc-12 source package in Jammy:
  Triaged
Status in gcc-9 source package in Jammy:
  Triaged
Status in gcc-10 source package in Noble:
  Fix Released
Status in gcc-11 source package in Noble:
  Fix Released
Status in gcc-12 source package in Noble:
  Fix Released
Status in gcc-13 source package in Noble:
  Fix Released

Bug description:
  [Impact]

  Some gcc versions in Jammy and Focal are still
  vulnerable to the arm64-specific CVE-2023-4039
  (-fstack-protector guard failures with dynamic
  stack allocations).

  This impacts detecting, e.g., buffer overflows,
  resulting in less secure Ubuntu arm64 packages
  and user-built binaries.

  [Test Plan]

  Use the test-case in the vulnerability post [1],
  as in comments #20 and #21.

  Without patches, the test fails with Bus Error
  and a register value modified by the program.

  With the patches, the test fails with Aborted
  (buffer overflow detected) and register value
  unmodified.

  [1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html

  [Regression Potential]

  The patchset modifies arm64-specific code gen,
  therefore any arm64 program might be affected,
  while other architectures should not.

  That is, signs of regressions from this would
  manifest as errors seen only in arm64 programs
  but not in other architectures.

  Potential fallout is expected to occur early
  and/or with dynamic allocations in the stack,
  and could manifest in different, subtle ways.

  That is concerning; fortunately, however, this
  patchset has been in place for a while now
  in the _same gcc versions_ in _newer_ series.

  That gives confidence to SRU the _same_ change
  to the _same_ gcc versions (to _older_ series).

  [Other Info]

  - gcc-14: fixed in Noble/Oracular (comment #22)
  - gcc-13: fixed in Noble/Oracular (comment #23)
  - gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13)
  - gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14)
  - gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15)
  - gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16)

  The fix for gcc-9/Focal FTBFS due to an Ada-related check.
  For the moment, it's not going to be pursued/analyzed more
  as agreed with the original reporter (sufficient for them).
  If others need it, please reopen and analyze/fix the error.

  For more information about the issue and patches: [2]
  [2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications

  [Original Bug Description]
  See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz

  The above build is supposed to address
  https://nvd.nist.gov/vuln/detail/CVE-2023-4039

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-10/+bug/2054343/+subscriptions



