[Bug 2116909] Re: aarch64: Fix loose ldpstp check

Launchpad Bug Tracker 2116909 at bugs.launchpad.net
Tue Aug 19 12:15:20 UTC 2025


This bug was fixed in the package gcc-12 - 12.3.0-1ubuntu1~22.04.2

---------------
gcc-12 (12.3.0-1ubuntu1~22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: A missed hardening option in -fstack-protector for AArch64
    can lead to buffer overflows for dynamically allocated local variables
    not being detected. (LP: #2054343)
    - d/p/CVE-2023-4039.diff: Address stack protector and stack clash
      protection weaknesses on AArch64. Taken from the gcc-12 branch.
    - CVE-2023-4039
  * Move allocator base to avoid conflict with high-entropy ASLR for x86-64
    Linux. Patch taken from LLVM. Fixes ftbfs. (LP: #2107313)
    - d/p/lp2107313-asan-allocator-base.diff
  * aarch64: Fix loose ldpstp check. (LP: #2116909)
    - d/p/lp2116909-aarch64-fix-loose-ldpstp-check.diff

 -- Gerald Yang <gerald.yang at canonical.com>  Tue, 15 Jul 2025 03:45:40 +0000

** Changed in: gcc-12 (Ubuntu Jammy)
       Status: In Progress => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2023-4039

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gcc-12 in Ubuntu.
https://bugs.launchpad.net/bugs/2116909

Title:
  aarch64: Fix loose ldpstp check

Status in gcc-12 package in Ubuntu:
  In Progress
Status in gcc-12 source package in Jammy:
  Fix Released

Bug description:
  [ Impact ]

  With the SRU
  https://bugs.launchpad.net/ubuntu/jammy/+source/gcc-12/+bug/2054343

  on ARM64, building systemd with gcc-12 failed with the following error:

  [1982/2068] cc -o systemd-nspawn systemd-nspawn.p/src_nspawn_nspawn.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -Wl,-z,relro -Wl,-z,now -fstack-protector -Wl,--gc-sections -Wl,-
  Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -g -O2 -ffile-prefix-map=/home/ubuntu/systemd/systemd-249.11=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lt
  o-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared' -Wl,-rpath-link,/home/ubuntu/systemd/systemd-249.11/
  build-deb/src/shared -Wl,--start-group src/nspawn/libnspawn-core.a src/shared/libsystemd-shared-249.so /usr/lib/aarch64-linux-gnu/libblkid.so /usr/lib/aarch64-linux-gnu/libseccomp.so -
  lacl /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/libselinux.so -Wl,--end-group
  FAILED: systemd-nspawn 17:07:20 [22175/91156]
  cc -o systemd-nspawn systemd-nspawn.p/src_nspawn_nspawn.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -Wl,-z,relro -Wl,-z,now -fstack-protector -Wl,--gc-sections -Wl,-Bsymbolic-fu
  nctions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -g -O2 -ffile-prefix-map=/home/ubuntu/systemd/systemd-249.11=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -f
  stack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared' -Wl,-rpath-link,/home/ubuntu/systemd/systemd-249.11/build-deb/sr
  c/shared -Wl,--start-group src/nspawn/libnspawn-core.a src/shared/libsystemd-shared-249.so /usr/lib/aarch64-linux-gnu/libblkid.so /usr/lib/aarch64-linux-gnu/libseccomp.so -lacl /usr/li
  b/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/libselinux.so -Wl,--end-group
  ../src/nspawn/nspawn.c: In function ‘outer_child.constprop’:
  ../src/nspawn/nspawn.c:3998:1: error: unrecognizable insn:
   3998 | }
        | ^
  (insn 10726 3007 9615 213 (parallel [
              (set (reg:DI 26 x26)
                  (zero_extend:DI (mem/c:SI (plus:DI (reg/f:DI 29 x29)
                              (const_int -260 [0xfffffffffffffefc])) [41 %sfp+-260 S4 A32])))
              (set (reg:DI 20 x20)
                  (zero_extend:DI (mem/c:SI (plus:DI (reg/f:DI 29 x29)
                              (const_int -256 [0xffffffffffffff00])) [41 %sfp+-256 S4 A32])))
          ]) "../src/nspawn/nspawn-bind-user.c":239:32 -1
       (nil))
  during RTL pass: cprop_hardreg
  ../src/nspawn/nspawn.c:3998:1: internal compiler error: in extract_insn, at recog.cc:2791
  0x1694447 internal_error(char const*, ...)
          ???:0
  0x65fda7 fancy_abort(char const*, int, char const*)
          ???:0
  0x65e13f _fatal_insn(char const*, rtx_def const*, char const*, int, char const*)
          ???:0
  0x65e173 _fatal_insn_not_found(rtx_def const*, char const*, int, char const*)
          ???:0
  0xa79aff extract_insn(rtx_insn*)
          ???:0
  0xa7ab87 extract_constrain_insn(rtx_insn*)
          ???:0
  Please submit a full bug report, with preprocessed source (by using -freport-bug).
  Please include the complete backtrace with any bug report.
  See <file:///usr/share/doc/gcc-12/README.Bugs> for instructions.
  make[2]: *** [/tmp/cch3hO5z.mk:11: /tmp/ccRpz06l.ltrans3.ltrans.o] Error 1
  make[2]: *** Waiting for unfinished jobs....
  lto-wrapper: fatal error: make returned 2 exit status
  compilation terminated.
  /usr/bin/ld: error: lto-wrapper failed
  collect2: error: ld returned 1 exit status

  
  This issue has been fixed by this upstream commit:

  commit 2d38f45bcca62ca0c7afef4b579f82c5c2a01610
  Author: Richard Sandiford <richard.sandiford at arm.com>
  Date:   Fri Sep 15 09:19:14 2023 +0100

      aarch64: Fix loose ldpstp check [PR111411]
      
      aarch64_operands_ok_for_ldpstp contained the code:
      
        /* One of the memory accesses must be a mempair operand.
           If it is not the first one, they need to be swapped by the
           peephole.  */
        if (!aarch64_mem_pair_operand (mem_1, GET_MODE (mem_1))
             && !aarch64_mem_pair_operand (mem_2, GET_MODE (mem_2)))
          return false;
      
      But the requirement isn't just that one of the accesses must be a
      valid mempair operand.  It's that the lower access must be, since
      that's the access that will be used for the instruction operand.
      
      gcc/
              PR target/111411
              * config/aarch64/aarch64.cc (aarch64_operands_ok_for_ldpstp): Require
              the lower memory access to a mem-pair operand.
      
      gcc/testsuite/
              PR target/111411
              * gcc.dg/rtl/aarch64/pr111411.c: New test.

  
  It was also backported to upstream gcc-12.4.0.

  
  [ Test Plan ]

  Build systemd with this patch; the build must succeed.

  [ Where problems could occur ]

  I've rebuilt the whole jammy AMD64 and ARM64 main archives with this patch; the possibility of regression is very low.
  If something goes wrong, it could affect a few ARM64 packages in -updates.

  [ Other Info ]
  Upstream PR, also backported to gcc-12 and gcc-13:
  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111411

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcc-12/+bug/2116909/+subscriptions
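
A simplified model of the check described in the quoted commit message, added here as an illustration and not taken from GCC or the Ubuntu patch. It assumes two 4-byte accesses off the same base register and compares an "either access is encodable" test with a "lower access is encodable" test, using the offsets from the insn dump; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (assumption): both accesses are 4 bytes wide (SImode)
   and use the same base register, so only the constant offsets matter. */

/* LDP/STP of W registers take a signed 7-bit immediate scaled by 4,
   so the encodable offsets are -256..252 in steps of 4. */
static bool pair_offset_ok_si(long off)
{
    return off % 4 == 0 && off >= -256 && off <= 252;
}

/* The two accesses must be adjacent words to be fused at all. */
static bool adjacent_si(long off_1, long off_2)
{
    return labs(off_1 - off_2) == 4;
}

/* Hypothetical name: the check as quoted in the commit message,
   satisfied when either access is encodable. */
bool loose_ldpstp_ok(long off_1, long off_2)
{
    return adjacent_si(off_1, off_2)
           && (pair_offset_ok_si(off_1) || pair_offset_ok_si(off_2));
}

/* Hypothetical name: the requirement the commit message states, that the
   lower access is encodable, since it becomes the instruction operand. */
bool strict_ldpstp_ok(long off_1, long off_2)
{
    long lower = off_1 < off_2 ? off_1 : off_2;
    return adjacent_si(off_1, off_2) && pair_offset_ok_si(lower);
}

int main(void)
{
    /* Offsets taken from the insn dump in the bug description. */
    long off_1 = -260, off_2 = -256;
    printf("loose:  %d\n", loose_ldpstp_ok(off_1, off_2));
    printf("strict: %d\n", strict_ldpstp_ok(off_1, off_2));
    return 0;
}
```

With the offsets from the dump, the loose test accepts the pair although -260 cannot be encoded as the pair's operand, which is consistent with the "unrecognizable insn" error reported above.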



