Message ID: 20230912152529.3322336-1-richard.sandiford@arm.com
Series: aarch64: Fix -fstack-protector issue
Message
Richard Sandiford
Sept. 12, 2023, 3:25 p.m. UTC
This series of patches fixes deficiencies in GCC's -fstack-protector implementation for AArch64 when using dynamically allocated stack space. This is CVE-2023-4039. See:

https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf

for more details.

The fix is to put the saved registers above the locals area when -fstack-protector is used.

The series also fixes a stack-clash problem that I found while working on the CVE. In unpatched sources, the stack-clash problem would only trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an equivalent). But it would be a more significant issue with the new -fstack-protector frame layout. It's therefore important that both problems are fixed together.

Some reorganisation of the code seemed necessary to fix the problems in a cleanish way. The series is therefore quite long, but only a handful of patches should have any effect on code generation. See the individual patches for a detailed description.

Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches. I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039.
Richard Sandiford (19):
  aarch64: Use local frame vars in shrink-wrapping code
  aarch64: Avoid a use of callee_offset
  aarch64: Explicitly handle frames with no saved registers
  aarch64: Add bytes_below_saved_regs to frame info
  aarch64: Add bytes_below_hard_fp to frame info
  aarch64: Tweak aarch64_save/restore_callee_saves
  aarch64: Only calculate chain_offset if there is a chain
  aarch64: Rename locals_offset to bytes_above_locals
  aarch64: Rename hard_fp_offset to bytes_above_hard_fp
  aarch64: Tweak frame_size comment
  aarch64: Measure reg_offset from the bottom of the frame
  aarch64: Simplify top of frame allocation
  aarch64: Minor initial adjustment tweak
  aarch64: Tweak stack clash boundary condition
  aarch64: Put LR save probe in first 16 bytes
  aarch64: Simplify probe of final frame allocation
  aarch64: Explicitly record probe registers in frame info
  aarch64: Remove below_hard_fp_saved_regs_size
  aarch64: Make stack smash canary protect saved registers

 gcc/config/aarch64/aarch64.cc                  | 518 ++++++++++--------
 gcc/config/aarch64/aarch64.h                   |  44 +-
 .../aarch64/stack-check-prologue-17.c          |  55 ++
 .../aarch64/stack-check-prologue-18.c          | 100 ++++
 .../aarch64/stack-check-prologue-19.c          | 100 ++++
 .../aarch64/stack-check-prologue-20.c          |   3 +
 .../gcc.target/aarch64/stack-protector-8.c     |  95 ++++
 .../gcc.target/aarch64/stack-protector-9.c     |  33 ++
 .../aarch64/sve/pcs/stack_clash_3.c            |   6 +-
 9 files changed, 699 insertions(+), 255 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c
 create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c
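The cover letter's one-line description of the fix (saved registers moved above the locals area when -fstack-protector is used) can be made concrete with a small model of the frame ordering. The C program below is an added illustration, not code from the patch series or from GCC itself: it encodes the pre-fix and post-fix region orderings as constructed arrays and asks, for a linear overrun that starts in a given region and runs towards higher addresses, whether the callee-saved registers (FP and LR) can be modified before the guard slot is touched, which is exactly the case the epilogue's canary check cannot catch. The region names, the layouts and the `saved_regs_unprotected` function are assumptions of this model rather than GCC's data structures.

```c
#include <stdbool.h>
#include <stdio.h>

#define NREGIONS 4

/* Frame regions that matter for this discussion (constructed model,
   not GCC's own frame description). */
enum region {
    R_SAVED_REGS,  /* callee-saved registers, including FP and LR */
    R_CANARY,      /* the -fstack-protector guard slot */
    R_LOCALS,      /* fixed-size local variables */
    R_DYNAMIC      /* alloca()/VLA space below the fixed frame */
};

/* A layout lists regions from the highest address to the lowest.  The
   stack grows downwards, so an overrun of a buffer moves towards index 0. */
struct layout {
    const char *name;
    enum region order[NREGIONS];
};

/* Pre-fix ordering: the saved registers sit between the locals (with the
   guard at the top of the locals) and any dynamic allocation. */
const struct layout pre_fix = {
    "saved registers below locals",
    { R_CANARY, R_LOCALS, R_SAVED_REGS, R_DYNAMIC }
};

/* Post-fix ordering under -fstack-protector: the saved registers are above
   the locals area, so the guard lies between them and everything below. */
const struct layout post_fix = {
    "saved registers above locals",
    { R_SAVED_REGS, R_CANARY, R_LOCALS, R_DYNAMIC }
};

static int index_of(const struct layout *l, enum region r)
{
    for (int i = 0; i < NREGIONS; i++)
        if (l->order[i] == r)
            return i;
    return -1;
}

/* True if an overrun starting in `from` and running towards higher
   addresses reaches the saved registers without first passing through the
   guard slot, i.e. without the epilogue's canary check noticing. */
bool saved_regs_unprotected(const struct layout *l, enum region from)
{
    int start = index_of(l, from);
    if (start < 0)
        return false;
    for (int i = start - 1; i >= 0; i--) {
        if (l->order[i] == R_CANARY)
            return false;   /* guard is clobbered first: corruption detected */
        if (l->order[i] == R_SAVED_REGS)
            return true;    /* FP/LR reached while the guard is still intact */
    }
    return false;           /* the overrun never reaches the saved registers */
}

static const char *region_name(enum region r)
{
    switch (r) {
    case R_SAVED_REGS: return "saved registers";
    case R_CANARY:     return "canary";
    case R_LOCALS:     return "locals";
    case R_DYNAMIC:    return "dynamic allocation";
    }
    return "?";
}

int main(void)
{
    const struct layout *layouts[] = { &pre_fix, &post_fix };
    const enum region sources[] = { R_LOCALS, R_DYNAMIC };

    for (int i = 0; i < 2; i++) {
        printf("%s:\n", layouts[i]->name);
        for (int j = 0; j < 2; j++)
            printf("  overrun from %-18s -> saved registers %s\n",
                   region_name(sources[j]),
                   saved_regs_unprotected(layouts[i], sources[j])
                       ? "reachable with guard intact" : "protected by guard");
    }
    return 0;
}
```

The model shows why the series had to change the ordering rather than the guard itself: with the pre-fix ordering a fixed-size local overrun hits the guard, but an overrun from the dynamic area reaches FP and LR first; with the saved registers moved above the locals, both overrun sources must cross the guard before reaching them.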
Comments
On 2023-09-12 11:25, Richard Sandiford via Gcc-patches wrote:
> This series of patches fixes deficiencies in GCC's -fstack-protector
> implementation for AArch64 when using dynamically allocated stack space.
> This is CVE-2023-4039. See:
>

While this is a legitimate missed hardening, I'm not sure if this qualifies as a CVE-worthy vulnerability since correct programs won't actually be exploitable due to this. This is essentially the kind of thing that the "Security features implemented in GCC" section in the proposed security policy[1] describes.

Thanks,
Sid

[1] https://inbox.sourceware.org/gcc-patches/ba133293-a7e8-8fe4-e1ba-7129b9e103f7@gotplt.org/