[Bug 2054343] Re: CVE-2023-4039: ARM64 GCC

gerald.yang 2054343 at bugs.launchpad.net
Mon Apr 14 06:49:47 UTC 2025 

Thanks Mauricio!

Turn out we can patch gcc based on this llvm commit:
https://github.com/llvm/llvm-project/commit/fb77ca05ffb4f8e666878f2f6718a9fb4d686839

I did a mistake to apply the above commit to llvm because I thought gcc build depends on it,
but this should be done on gcc itself instead of llvm.

Our gcc-13 doesn't have this build issue because it has applied this
patch:

cat gcc-13/debian/patches/asan-allocator-base.diff 
# DP: ASan: move allocator base to avoid conflict with high-entropy ASLR for x86-64 Linux
# DP: https://github.com/llvm/llvm-project/commit/fb77ca05ffb4f8e666878f2f6718a9fb4d686839

--- a/src/libsanitizer/asan/asan_allocator.h
+++ b/src/libsanitizer/asan/asan_allocator.h
@@ -143,11 +143,15 @@ typedef DefaultSizeClassMap SizeClassMap;
 const uptr kAllocatorSpace = ~(uptr)0;
 const uptr kAllocatorSize  =  0x8000000000ULL;  // 500G
 typedef DefaultSizeClassMap SizeClassMap;
-# else
+#  elif SANITIZER_APPLE
 const uptr kAllocatorSpace = 0x600000000000ULL;
 const uptr kAllocatorSize  =  0x40000000000ULL;  // 4T.
 typedef DefaultSizeClassMap SizeClassMap;
-# endif
+#  else
+const uptr kAllocatorSpace = 0x500000000000ULL;
+const uptr kAllocatorSize = 0x40000000000ULL;  // 4T.
+typedef DefaultSizeClassMap SizeClassMap;
+#  endif
 template <typename AddressSpaceViewTy>
 struct AP64 {  // Allocator64 parameters. Deliberately using a short name.
   static const uptr kSpaceBeg = kAllocatorSpace;

SRU: https://bugs.launchpad.net/ubuntu/+source/llvm-
toolchain-14/+bug/2048768

So I will send out an SRU for gcc-10 on focal and gcc-10/11/12 on jammy to fix the build issue,
and then this SRU should be unblocked.

Thanks for all the help as always!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-10 in Ubuntu.
https://bugs.launchpad.net/bugs/2054343

Title:
  CVE-2023-4039: ARM64 GCC

Status in gcc-10 package in Ubuntu:
  Fix Released
Status in gcc-11 package in Ubuntu:
  Fix Released
Status in gcc-12 package in Ubuntu:
  Fix Released
Status in gcc-13 package in Ubuntu:
  Fix Released
Status in gcc-9 package in Ubuntu:
  Fix Released
Status in gcc-10 source package in Focal:
  Triaged
Status in gcc-9 source package in Focal:
  Won't Fix
Status in gcc-10 source package in Jammy:
  Triaged
Status in gcc-11 source package in Jammy:
  Triaged
Status in gcc-12 source package in Jammy:
  Triaged
Status in gcc-9 source package in Jammy:
  Won't Fix
Status in gcc-10 source package in Noble:
  Fix Released
Status in gcc-11 source package in Noble:
  Fix Released
Status in gcc-12 source package in Noble:
  Fix Released
Status in gcc-13 source package in Noble:
  Fix Released

Bug description:
  [Impact]

  Some gcc versions in Jammy and Focal are still
  vulnerable to the arm64-specific CVE-2023-4039
  (-fstack-protector guard failures with dynamic
  stack allocations).

  This impacts detecting, e.g., buffer overflows,
  resulting in less secure Ubuntu arm64 packages
  and user-built binaries.

  [Test Plan]

  Use the test-case in the vulnerability post [1],
  as in comments #20 and #21.

  Without patches, the test fails with Bus Error
  and a register value modified by the program.

  With the patches, the test fails with Aborted
  (buffer overflow detected) and register value
  unmodified.

  [1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html

  [Regression Potential]

  The patchset modifies arm64-specific code gen,
  therefore any arm64 program might be affected,
  while other architectures should not.

  That is, signs of regressions from this would
  manifest as errors seen only in arm64 programs
  but not in other architectures.

  Potential fallout is expected to occur early
  and/or with dynamic allocations in the stack,
  and could manifest in different, subtle ways.

  That is concerning, however, fortunately this
  patchset has been introduced for a while now
  in the _same gcc versions_ in _newer_ series.

  That gives confidence to SRU the _same_ change
  to the _same_ gcc versions (to _older_ series).

  [Other Info]

  - gcc-14: fixed in Noble/Oracular (comment #22)
  - gcc-13: fixed in Noble/Oracular (comment #23)
  - gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13)
  - gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14)
  - gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15)
  - gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16)

  Information about the patchset origin (commits) and details:
  - gcc-12: comment #24
  - gcc-11: comment #25
  - gcc-10: comment #26
  - gcc-9: comment #27

  The fix for gcc-9/Focal FTBFS due to an Ada-related check.
  For the moment, it's not going to be pursued/analyzed more
  as agreed with the original reporter (sufficient for them).
  If others need it, please reopen and analyze/fix the error.

  For more information about the issue and patches: [2]
  [2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications

  [Original Bug Description]
  See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz

  The above build is supposed to address
  https://nvd.nist.gov/vuln/detail/CVE-2023-4039

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-10/+bug/2054343/+subscriptions

More information about the foundations-bugs mailing list