Hi,

On Thu, Nov 02, 2023 at 11:11:56AM +0100, Emanuele Rocca wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: debian-...@lists.debian.org, j...@debian.org, d...@debian.org
> Control: affects -1 + src:gcc-12
> 
> [ Reason ]
> A failure in the -fstack-protector feature in GCC-based toolchains that target
> AArch64 allows an attacker to exploit an existing buffer overflow in
> dynamically-sized local variables without this being detected.
> 
> The Security Team explicitly stated that they will not release a DSA for the
> bug, see https://security-tracker.debian.org/tracker/CVE-2023-4039 
> 
> This issue has been fixed in version 12.3.0-9 for sid and trixie. It would now
> be good to address the problem in bookworm too.
> 
> [ Impact ]
> Without this change, arm64 users of gcc-12 in bookworm are not fully protected
> by -fstack-protector as described in CVE-2023-4039.
> 
> [ Tests ]
> In terms of manual testing, I have verified that the stack smashing attack
> published at
> https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
> is detected and stopped when the PoC is compiled with gcc 12.2.0-14+deb12u1,
> while it results in a Bus error with 12.2.0-14:
> 
>   $ gcc-12 --version | head -1
>   gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0
>   $ gcc-12 -fstack-protector-all -O3 -static -Wall -Wextra -pedantic -o poc poc.c
>   $ echo -n 'DDDDDDDDPPPPPPPPFFFFFFFFAAAAAAAA' | ./poc 8
>   *** stack smashing detected ***: terminated
>   Aborted
> 
>   $ gcc-12 --version | head -1
>   gcc-12 (Debian 12.2.0-14) 12.2.0
>   $ gcc-12 -fstack-protector-all -O3 -static -Wall -Wextra -pedantic -o poc poc.c
>   $ echo -n 'DDDDDDDDPPPPPPPPFFFFFFFFAAAAAAAA' | ./poc 8
>   Bus error
> 
> As an additional smoke test I have also successfully built a few packages, as
> well as a kernel.
> 
> In terms of automated testing, the upstream test suite is extensive.
> Additionally, upstream added the following tests specifically for
> CVE-2023-4039:
> 
>  testsuite/gcc.target/aarch64/stack-check-prologue-17.c
>  testsuite/gcc.target/aarch64/stack-check-prologue-18.c
>  testsuite/gcc.target/aarch64/stack-check-prologue-19.c
>  testsuite/gcc.target/aarch64/stack-check-prologue-20.c
>  testsuite/gcc.target/aarch64/stack-protector-8.c
>  testsuite/gcc.target/aarch64/stack-protector-9.c
> 
> [ Risks ]
> There are obviously potential risks of regressions associated with compiler
> changes. However the specific changes proposed here have been part of gcc-12
> upstream since September, and by now have been tested quite a bit. One
> regression has been found early on and fixed:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111411
> 
> All changes are arm64-specific and don't affect any other architecture.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> All changes merged upstream back in September 2023, see
> https://gcc.gnu.org/git/?p=gcc.git;a=shortlog;h=refs/heads/releases/gcc-12
> 
> - aarch64: Avoid a use of callee_offset
>   12a8889de169f892d2e927584c00d20b8b7e456f
> 
> - aarch64: Explicitly handle frames with no saved registers
>   03d5e89e7f3be53fd7142556e8e0a2774c653dca
> 
> - aarch64: Add bytes_below_saved_regs to frame info
>   49c2eb7616756c323b7f6b18d8616ec945eb1263
> 
> - aarch64: Add bytes_below_hard_fp to frame info
>   34081079ea4de0c98331843f574b5f6f94d7b234
> 
> - aarch64: Tweak aarch64_save/restore_callee_saves
>   187861af7c51db9eddc6f954b589c121b210fc74
> 
> - aarch64: Only calculate chain_offset if there is a chain
>   2b983f9064d808daf909bde1d4a13980934a7e6e
> 
> - aarch64: Rename locals_offset to bytes_above_locals
>   0a0a824808d1dec51004fb5805c1a0ae2a35433f
> 
> - aarch64: Rename hard_fp_offset to bytes_above_hard_fp
>   3fbf0789202b30a67b12e1fb785c7130f098d665
> 
> - aarch64: Tweak frame_size comment
>   aac8b31379ac3bbd14fc6427dce23f56e54e8485
> 
> - aarch64: Measure reg_offset from the bottom of the frame
>   8d5506a8aeb8dd7e8b209a3663b07688478f76b9
> 
> - aarch64: Simplify top of frame allocation
>   b47766614df3b9df878262efb2ad73aaac108363
> 
> - aarch64: Minor initial adjustment tweak
>   08f71b4bb28fb74d20e8d2927a557e8119ce9f4d
> 
> - aarch64: Tweak stack clash boundary condition
>   f22315d5c19e8310e4dc880fd509678fd291fca8
> 
> - aarch64: Put LR save probe in first 16 bytes
>   15e18831bf98fd25af098b970ebf0c9a6200a34b
> 
> - aarch64: Simplify probe of final frame allocation
>   c4f0e121faa36342f1d21919e54a05ad841c4f86
> 
> - aarch64: Explicitly record probe registers in frame info
>   6f0ab0a9f46a17b68349ff6035aa776bf65f0575
> 
> - aarch64: Remove below_hard_fp_saved_regs_size
>   8254e1b9cd500e0c278465a3657543477e9d1250
> 
> - aarch64: Make stack smash canary protect saved registers
>   75c37e031408262263442f5b4cdb83d3777b6422
> 
> - aarch64: Fix return register handling in untyped_call
>   38d0605ac8bc90324170041676fc05e7e595769e
> 
> - aarch64: Fix loose ldpstp check [PR111411]
>   74f99f1adc696f446115f36974a3f94f66294a53

This one will be too late for the 12.6 bookworm point release, but maybe we
can try to have it for the August bookworm point release? Or are there
concerns about regressions?

Regards,
Salvatore
