[Bug 2054343] Re: CVE-2023-4039: ARM64 GCC
gerald.yang
2054343 at bugs.launchpad.net
Wed Jun 11 04:12:19 UTC 2025
I ran the same tests (build apparmor, bash, kernel, openssl, systemd) on
jammy and got the following results:
- on amd64
all builds completed without any issue on gcc-10, gcc-11 and gcc-12
- on arm64
building systemd with gcc-12 failed with the following error:
[1982/2068] cc -o systemd-nspawn systemd-nspawn.p/src_nspawn_nspawn.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -Wl,-z,relro -Wl,-z,now -fstack-protector -Wl,--gc-sections -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -g -O2 -ffile-prefix-map=/home/ubuntu/systemd/systemd-249.11=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared' -Wl,-rpath-link,/home/ubuntu/systemd/systemd-249.11/build-deb/src/shared -Wl,--start-group src/nspawn/libnspawn-core.a src/shared/libsystemd-shared-249.so /usr/lib/aarch64-linux-gnu/libblkid.so /usr/lib/aarch64-linux-gnu/libseccomp.so -lacl /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/libselinux.so -Wl,--end-group
FAILED: systemd-nspawn 17:07:20 [22175/91156]
cc -o systemd-nspawn systemd-nspawn.p/src_nspawn_nspawn.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -Wl,-z,relro -Wl,-z,now -fstack-protector -Wl,--gc-sections -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -g -O2 -ffile-prefix-map=/home/ubuntu/systemd/systemd-249.11=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared' -Wl,-rpath-link,/home/ubuntu/systemd/systemd-249.11/build-deb/src/shared -Wl,--start-group src/nspawn/libnspawn-core.a src/shared/libsystemd-shared-249.so /usr/lib/aarch64-linux-gnu/libblkid.so /usr/lib/aarch64-linux-gnu/libseccomp.so -lacl /usr/lib/gcc/aarch64-linux-gnu/12/../../../aarch64-linux-gnu/libselinux.so -Wl,--end-group
../src/nspawn/nspawn.c: In function ‘outer_child.constprop’:
../src/nspawn/nspawn.c:3998:1: error: unrecognizable insn:
 3998 | }
      | ^
(insn 10726 3007 9615 213 (parallel [
            (set (reg:DI 26 x26)
                (zero_extend:DI (mem/c:SI (plus:DI (reg/f:DI 29 x29)
                            (const_int -260 [0xfffffffffffffefc])) [41 %sfp+-260 S4 A32])))
            (set (reg:DI 20 x20)
                (zero_extend:DI (mem/c:SI (plus:DI (reg/f:DI 29 x29)
                            (const_int -256 [0xffffffffffffff00])) [41 %sfp+-256 S4 A32])))
        ]) "../src/nspawn/nspawn-bind-user.c":239:32 -1
     (nil))
during RTL pass: cprop_hardreg
../src/nspawn/nspawn.c:3998:1: internal compiler error: in extract_insn, at recog.cc:2791
0x1694447 internal_error(char const*, ...)
???:0
0x65fda7 fancy_abort(char const*, int, char const*)
???:0
0x65e13f _fatal_insn(char const*, rtx_def const*, char const*, int, char const*)
???:0
0x65e173 _fatal_insn_not_found(rtx_def const*, char const*, int, char const*)
???:0
0xa79aff extract_insn(rtx_insn*)
???:0
0xa7ab87 extract_constrain_insn(rtx_insn*)
???:0
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <file:///usr/share/doc/gcc-12/README.Bugs> for instructions.
make[2]: *** [/tmp/cch3hO5z.mk:11: /tmp/ccRpz06l.ltrans3.ltrans.o] Error 1
make[2]: *** Waiting for unfinished jobs....
lto-wrapper: fatal error: make returned 2 exit status
compilation terminated.
/usr/bin/ld: error: lto-wrapper failed
collect2: error: ld returned 1 exit status
All the other builds on gcc-10, gcc-11 and gcc-12 succeeded without any
issue.
https://bugs.launchpad.net/bugs/2054343
Title:
CVE-2023-4039: ARM64 GCC
Status in gcc-10 package in Ubuntu:
Fix Released
Status in gcc-11 package in Ubuntu:
Fix Released
Status in gcc-12 package in Ubuntu:
Fix Released
Status in gcc-13 package in Ubuntu:
Fix Released
Status in gcc-9 package in Ubuntu:
Fix Released
Status in gcc-10 source package in Focal:
Won't Fix
Status in gcc-9 source package in Focal:
Won't Fix
Status in gcc-10 source package in Jammy:
In Progress
Status in gcc-11 source package in Jammy:
In Progress
Status in gcc-12 source package in Jammy:
In Progress
Status in gcc-9 source package in Jammy:
Won't Fix
Status in gcc-10 source package in Noble:
Fix Released
Status in gcc-11 source package in Noble:
Fix Released
Status in gcc-12 source package in Noble:
Fix Released
Status in gcc-13 source package in Noble:
Fix Released
Bug description:
[Impact]
Some gcc versions in Jammy and Focal are still
vulnerable to the arm64-specific CVE-2023-4039
(-fstack-protector guard failures with dynamic
stack allocations).
This impacts detecting, e.g., buffer overflows,
resulting in less secure Ubuntu arm64 packages
and user-built binaries.
[Test Plan]
Use the test-case in the vulnerability post [1],
as in comments #20 and #21.
Without patches, the test fails with Bus Error
and a register value modified by the program.
With the patches, the test fails with Aborted
(buffer overflow detected) and register value
unmodified.
[1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html
[Regression Potential]
The patchset modifies arm64-specific code gen,
therefore any arm64 program might be affected,
while other architectures should not be.
That is, signs of regressions from this would
manifest as errors seen only in arm64 programs
but not in other architectures.
Potential fallout is expected to occur early
and/or with dynamic allocations in the stack,
and could manifest in different, subtle ways.
That is concerning; however, fortunately this
patchset has been in place for a while now
in the _same gcc versions_ in _newer_ series.
That gives confidence to SRU the _same_ change
to the _same_ gcc versions (to _older_ series).
[Other Info]
- gcc-14: fixed in Noble/Oracular (comment #22)
- gcc-13: fixed in Noble/Oracular (comment #23)
- gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13)
- gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14)
- gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15)
- gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16)
Information about the patchset origin (commits) and details:
- gcc-12: comment #24
- gcc-11: comment #25
- gcc-10: comment #26
- gcc-9: comment #27
The fix for gcc-9/Focal FTBFS due to an Ada-related check.
For the moment, it's not going to be pursued/analyzed more
as agreed with the original reporter (sufficient for them).
If others need it, please reopen and analyze/fix the error.
For more information about the issue and patches: [2]
[2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications
[Original Bug Description]
See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz
The above build is supposed to address
https://nvd.nist.gov/vuln/detail/CVE-2023-4039