| Message ID | 20230912152529.3322336-1-richard.sandiford@arm.com |
|---|---|
| Subject | [PATCH 00/19] aarch64: Fix -fstack-protector issue |
| Date | Tue, 12 Sep 2023 16:25:10 +0100 |
| Series | aarch64: Fix -fstack-protector issue |
Message
Richard Sandiford
Sept. 12, 2023, 3:25 p.m. UTC
This series of patches fixes deficiencies in GCC's -fstack-protector implementation for AArch64 when using dynamically allocated stack space. This is CVE-2023-4039. See:

https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf

for more details.

The fix is to put the saved registers above the locals area when -fstack-protector is used.

The series also fixes a stack-clash problem that I found while working on the CVE. In unpatched sources, the stack-clash problem would only trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an equivalent). But it would be a more significant issue with the new -fstack-protector frame layout. It's therefore important that both problems are fixed together.

Some reorganisation of the code seemed necessary to fix the problems in a cleanish way. The series is therefore quite long, but only a handful of patches should have any effect on code generation. See the individual patches for a detailed description.

Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches. I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039.

Richard Sandiford (19):
  aarch64: Use local frame vars in shrink-wrapping code
  aarch64: Avoid a use of callee_offset
  aarch64: Explicitly handle frames with no saved registers
  aarch64: Add bytes_below_saved_regs to frame info
  aarch64: Add bytes_below_hard_fp to frame info
  aarch64: Tweak aarch64_save/restore_callee_saves
  aarch64: Only calculate chain_offset if there is a chain
  aarch64: Rename locals_offset to bytes_above_locals
  aarch64: Rename hard_fp_offset to bytes_above_hard_fp
  aarch64: Tweak frame_size comment
  aarch64: Measure reg_offset from the bottom of the frame
  aarch64: Simplify top of frame allocation
  aarch64: Minor initial adjustment tweak
  aarch64: Tweak stack clash boundary condition
  aarch64: Put LR save probe in first 16 bytes
  aarch64: Simplify probe of final frame allocation
  aarch64: Explicitly record probe registers in frame info
  aarch64: Remove below_hard_fp_saved_regs_size
  aarch64: Make stack smash canary protect saved registers

```
 gcc/config/aarch64/aarch64.cc                 | 518 ++++++++++--------
 gcc/config/aarch64/aarch64.h                  |  44 +-
 .../aarch64/stack-check-prologue-17.c         |  55 ++
 .../aarch64/stack-check-prologue-18.c         | 100 ++++
 .../aarch64/stack-check-prologue-19.c         | 100 ++++
 .../aarch64/stack-check-prologue-20.c         |   3 +
 .../gcc.target/aarch64/stack-protector-8.c    |  95 ++++
 .../gcc.target/aarch64/stack-protector-9.c    |  33 ++
 .../aarch64/sve/pcs/stack_clash_3.c           |   6 +-
 9 files changed, 699 insertions(+), 255 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
```
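The one-line description of the fix ("put the saved registers above the locals area") can be checked with a small frame-layout model. This is an added illustration, not code from the patch series: the pre-fix region order is taken from the public CVE description, and the region sizes are constructed values.

```python
"""Frame-layout model for the CVE-2023-4039 fix (constructed illustration).

A frame is a list of regions from the highest address down to SP.  A linear
overflow of a buffer in the dynamic (alloca/VLA) area writes towards higher
addresses, so the canary only helps if the guard slot is reached before the
saved FP/LR slot.  Sizes below are assumptions chosen for the illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    name: str
    size: int

# Pre-fix layout (assumed from the CVE description): guard and locals sit above
# the callee-saved registers, the dynamic allocation below them.
OLD_LAYOUT = [Region("guard", 8), Region("locals", 24), Region("saved_fp_lr", 16),
              Region("dynamic_alloc", 64), Region("outgoing_args", 0)]
# Post-fix layout: saved registers are above the locals area, so the guard now
# lies between the dynamic allocation and the saved link register.
NEW_LAYOUT = [Region("saved_fp_lr", 16), Region("guard", 8), Region("locals", 24),
              Region("dynamic_alloc", 64), Region("outgoing_args", 0)]

def region_bounds(layout, top=0x1000):
    """Map each region name to its [lo, hi) address range, laid out downward."""
    bounds, hi = {}, top
    for r in layout:
        bounds[r.name] = (hi - r.size, hi)
        hi -= r.size
    return bounds

def clobbered(layout, start_region, overflow_len, top=0x1000):
    """Regions touched by writing overflow_len bytes upward from the lowest
    address of start_region (zero-sized regions are ignored)."""
    b = region_bounds(layout, top)
    lo = b[start_region][0]
    hi = lo + overflow_len
    return [n for n, (rlo, rhi) in b.items() if rlo < hi and rhi > lo and rhi > rlo]

def lr_hit_before_guard(layout, overflow_len):
    """True if an overflow of the dynamic area reaches saved FP/LR without
    touching the guard, i.e. the canary check would not fire."""
    hit = clobbered(layout, "dynamic_alloc", overflow_len)
    return "saved_fp_lr" in hit and "guard" not in hit

if __name__ == "__main__":
    for name, layout in (("old", OLD_LAYOUT), ("new", NEW_LAYOUT)):
        print(name, "layout: LR reachable without tripping canary:",
              lr_hit_before_guard(layout, 80))
```

In the post-fix layout no overflow length reaches the saved registers without first crossing the guard, which is exactly the property the series restores.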
Comments
On 2023-09-12 11:25, Richard Sandiford via Gcc-patches wrote:
> This series of patches fixes deficiencies in GCC's -fstack-protector
> implementation for AArch64 when using dynamically allocated stack space.
> This is CVE-2023-4039. See:
>

While this is a legitimate missed hardening, I'm not sure if this qualifies as a CVE-worthy vulnerability since correct programs won't actually be exploitable due to this. This is essentially the kind of thing that the "Security features implemented in GCC" section in the proposed security policy[1] describes.

Thanks,
Sid

[1] https://inbox.sourceware.org/gcc-patches/ba133293-a7e8-8fe4-e1ba-7129b9e103f7@gotplt.org/