http://bugzilla.suse.com/show_bug.cgi?id=1059075
Bug ID: 1059075
Summary: -fstack-clash-protection writes beyond array bounds
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: rguenther@suse.com
Reporter: schwab@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
When allocating a zero-length array with alloca or as a VLA the code produced by -fstack-clash-protection accesses the array beyond bounds. The failure can best be seen on armv7 (or targets without their own probe_stack insn) where a stack probe is destructive, and where it breaks glibc.
https://build.opensuse.org/package/live_build_log/Base:System/glibc/openSUSE...
Andreas Schwab schwab@suse.com changed:
What          |Removed             |Added
--------------+--------------------+--------------------
CC            |                    |rguenther@suse.com
Assignee      |rguenther@suse.com  |matz@suse.com
--- Comment #1 from Andreas Schwab schwab@suse.com --- The C standard says that VLA shall not have zero size, but a size of 1 is valid, and the default probe_stack expansion writes to a MEM of word_mode.
--- Comment #2 from Richard Biener rguenther@suse.com --- So we have to surround the code generated by the final
+ if (flag_stack_clash_protection) + emit_stack_probe (target);
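Review bot: emit_stack_probe (target) is called unconditionally on the size held in target, so a zero-length alloca or VLA gets a probe store that lands outside the block it is supposed to touch, and because the default probe_stack expansion stores a word_mode MEM, an allocation smaller than a word has the same problem; on targets whose probe is a real store this clobbers the neighbouring stack slot. Suggest guarding the call with a compare of target against zero and a jump over the probe, and rounding the allocation up to word_mode before it is probed.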
with a compare against zero and jump.
SLE is affected as well.
--- Comment #3 from Richard Biener rguenther@suse.com --- (In reply to Andreas Schwab from comment #1)
> The C standard says that VLA shall not have zero size, but a size of 1 is valid, and the default probe_stack expansion writes to a MEM of word_mode.
So the question is whether we at least align the allocation to word_mode which I doubt.
--- Comment #4 from Andreas Schwab schwab@suse.com --- GCC supports zero length arrays, but it is unclear if it also supports zero length VLA.
Andreas Schwab schwab@suse.com changed:
What          |Removed             |Added
--------------+--------------------+-----------------------------------------------------
See Also      |                    |https://sourceware.org/bugzilla/show_bug.cgi?id=22149
--- Comment #5 from Andreas Schwab schwab@suse.com --- ldconfig on aarch64 is also affected.
--- Comment #6 from Michael Matz matz@suse.com --- Hmpf. Indeed, some hardening is in order, aligning the size to wordmode and checking for zeroness. I'm going to work on that, but the labs conf interferes a small bit.
Marcus Meissner meissner@suse.com changed:
What          |Removed             |Added
--------------+--------------------+--------------------
CC            |                    |meissner@suse.com
--- Comment #7 from Andreas Schwab schwab@suse.com --- The generated code for probing "char zero[pad]":
    mov r6, sp
    add r3, r3, #7
    bic r3, r3, #7
    cmp r3, #4096
    bcc .L128
.L186:
    sub r3, r3, #4096
    sub sp, sp, #4096
    cmp r3, #4096
    str r0, [sp, #8]
    bcs .L186
.L128:
    ldr r7, [fp, #-56]
    sub sp, sp, r3
    mov r1, #0
    add r3, sp, #8
    mov r0, r3
    str r0, [sp, #8]
The offset of #8 means that it overwrites a nearby variable.
--- Comment #8 from Andreas Schwab schwab@suse.com --- For "char *dir = strdupa (aux_cache_name);" it generates an insn with unpredictable behavior:
    mov r0, r5
    bl strlen(PLT)
    add r3, r0, #15
    add r2, r0, #1
    bic r3, r3, #7
    cmp r3, #4096
    bcc .L281
.L320:
    sub r3, r3, #4096
    sub sp, sp, #4096
    cmp r3, #4096
    str r0, [sp]
    bcs .L320
.L281:
    sub sp, sp, r3
    ldr r1, [fp, #-172]
    mov r0, sp
    str r0, [r0], #7        <======
    bic r0, r0, #7
    bl memcpy(PLT)
cache.s:2116: Warning: source register same as write-back base
--- Comment #9 from Andreas Schwab schwab@suse.com --- The latter is filed as PR82248.
--- Comment #10 from Andreas Schwab schwab@suse.com --- On aarch64 this overwrites the saved frame pointer (register x29).
    0x0000000000403ad8 <+1008>: ldr  x0, [x29, #144]
    0x0000000000403adc <+1012>: mov  x22, sp
    0x0000000000403ae0 <+1016>: add  x0, x0, #0xf
    0x0000000000403ae4 <+1020>: and  x0, x0, #0xfffffffffffffff0
    0x0000000000403ae8 <+1024>: cmp  x0, #0x1, lsl #12
    0x0000000000403aec <+1028>: b.cc 0x403b04 <save_cache+1052>  // b.lo, b.ul, b.last
    0x0000000000403af0 <+1032>: sub  sp, sp, #0x1, lsl #12
    0x0000000000403af4 <+1036>: sub  x0, x0, #0x1, lsl #12
    0x0000000000403af8 <+1040>: cmp  x0, #0x1, lsl #12
    0x0000000000403afc <+1044>: str  xzr, [sp]
    0x0000000000403b00 <+1048>: b.cs 0x403af0 <save_cache+1032>  // b.hs, b.nlast
    0x0000000000403b04 <+1052>: sub  sp, sp, x0
    0x0000000000403b08 <+1056>: ldr  x23, [x29, #144]
    0x0000000000403b0c <+1060>: mov  w1, #0x0  // #0
    0x0000000000403b10 <+1064>: mov  x0, sp
    0x0000000000403b14 <+1068>: mov  x2, x23
 => 0x0000000000403b18 <+1072>: str  xzr, [sp]
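The following is an added regression check, not code from the bug report, from GCC or from glibc. It performs dynamic stack allocations of the sizes this thread discusses (0, sub-word sizes, one page and a multi-page size) between two sentinel values in the same frame and reports whether either sentinel was overwritten, which is the neighbour-clobbering symptom shown in comment #7. Build it with the toolchain under test, for example `gcc -O2 -fstack-clash-protection probe_check.c`, and run it on the target architecture. It is a heuristic: where the stray probe hits the saved frame pointer instead (comment #10) the program is more likely to crash on return than to report a clobbered sentinel, and a clean run does not prove a toolchain is fixed. The function names (`probe_check_alloca`, `run_probe_checks`) and the sentinel constant are this example's own assumptions.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sentinel value; any change to it means the dynamic stack
   allocation (or the probe emitted for it) wrote outside its own bounds. */
#define SENTINEL 0x5A5A5A5A5A5A5A5AULL

/* Perform one dynamic allocation of 'n' bytes between two sentinels and
   report whether both sentinels survived.  'n' is a runtime value so the
   compiler has to emit the real alloca expansion (and, when built with
   -fstack-clash-protection, its probes) instead of folding the allocation
   away.  noinline keeps the allocation in its own frame, with its own
   prologue and saved registers, as in the glibc functions from the report.
   Returns 0 when both sentinels are intact, otherwise a bit mask:
   1 = sentinel declared before the allocation was clobbered,
   2 = sentinel declared after it was clobbered. */
__attribute__((noinline))
int probe_check_alloca(size_t n)
{
    volatile uint64_t guard_lo = SENTINEL;
    char *p = alloca(n);
    volatile uint64_t guard_hi = SENTINEL;

    /* Use the block the way real code would.  For n == 0 there is nothing
       to touch, which is exactly the case the report is about: only the
       compiler-generated probe store can write anything. */
    if (n != 0) {
        memset(p, 0xAA, n);
        /* Keep the memset from being optimised out. */
        __asm__ __volatile__("" : : "r"(p) : "memory");
    }

    int bad = 0;
    if (guard_lo != SENTINEL)
        bad |= 1;
    if (guard_hi != SENTINEL)
        bad |= 2;
    return bad;
}

/* Sizes that matter for this bug: 0 (the report), sizes below one word
   (comments #1 and #3), exactly one page, and enough to make the probe
   loop iterate more than once.  Returns the number of sizes for which a
   sentinel was clobbered. */
int run_probe_checks(void)
{
    static const size_t sizes[] = { 0, 1, 7, 8, 4096, 4097, 3 * 4096 + 5 };
    int failures = 0;

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int r = probe_check_alloca(sizes[i]);
        if (r != 0) {
            printf("size %zu: sentinel clobbered (mask %d)\n", sizes[i], r);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = run_probe_checks();
    printf("%s\n", failures ? "dynamic stack allocation clobbered a neighbour"
                            : "no sentinel corruption observed");
    return failures != 0;
}
```

Exit status 0 means no sentinel was touched; a non-zero status names the sizes that clobbered a neighbour. Because the check must run on the affected target with the affected compiler, it belongs in a toolchain's own regression suite rather than in the program being hardened.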
--- Comment #11 from Marcus Meissner meissner@suse.com --- so both arm 32 and 64bit are currently broken regarding that option?
--- Comment #12 from Andreas Schwab schwab@suse.com --- It is unknown whether other architectures are affected.
--- Comment #13 from Michael Matz matz@suse.com --- As one data point: I was comparing the testresults (GCC testsuite) of all SLE11 architectures on gcc43 with this patch, they were clean. So either the testsuite doesn't contain a problematic alloca, or only aarch64 is affected. Are we caring for arm 32 bit?
--- Comment #14 from Andreas Schwab schwab@suse.com --- Most likely none of them is testing zero-size VLA.
Marcus Meissner meissner@suse.com changed:
What          |Removed                      |Added
--------------+-----------------------------+-----------------------------
Flags         |                             |needinfo?(schwab@suse.com)
--- Comment #17 from Marcus Meissner meissner@suse.com --- Is this now better?
Andreas Schwab schwab@suse.com changed:
What          |Removed                      |Added
--------------+-----------------------------+-----------------------------
Flags         |needinfo?(schwab@suse.com)   |
--- Comment #18 from Andreas Schwab schwab@suse.com --- Looks so.
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |                           |ibs:running:5998:moderate
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:5998:moderate  |ibs:running:5998:moderate
              |                           |ibs:running:6053:moderate
--- Comment #19 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2018:0014-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
SUSE OpenStack Cloud 6 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP3 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP2 (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-LTSS (src): gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src): gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src): gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:5998:moderate  |ibs:running:6053:moderate
              |ibs:running:6053:moderate  |
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6053:moderate  |ibs:running:6053:moderate
              |                           |obs:running:7638:moderate
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6053:moderate  |obs:running:7638:moderate
              |obs:running:7638:moderate  |
--- Comment #20 from Swamp Workflow Management swamp@suse.de --- SUSE-SU-2018:0053-1: An update that solves 29 vulnerabilities and has 57 fixes is now available.
Category: security (moderate)
Bug References: 1003846,1004995,1009966,1022404,1025282,1025891,1026567,1029907,1029908,1029909,1029995,1030623,1035386,1036619,1039099,1039276,1039513,1040800,1040968,1041090,1043059,1043590,1043883,1043966,1044016,1045472,1045522,1045732,1047178,1047233,1048605,1048861,1050152,1050258,1050487,1052503,1052507,1052509,1052511,1052514,1052518,1053137,1053347,1053595,1053671,1055446,1055641,1055825,1056058,1056312,1056381,1057007,1057139,1057144,1057149,1057188,1057634,1057721,1057724,1058480,1058695,1058783,1059050,1059065,1059075,1059292,1059723,1060599,1060621,1061241,1061384,1062561,1063249,1063269,1064571,1064999,1065363,1066242,1066371,1066500,1066611,1067891,1070878,1070958,1071905,1071906
CVE References: CVE-2014-3710,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653,CVE-2017-12448,CVE-2017-12450,CVE-2017-12452,CVE-2017-12453,CVE-2017-12454,CVE-2017-12456,CVE-2017-12799,CVE-2017-12837,CVE-2017-12883,CVE-2017-13757,CVE-2017-14128,CVE-2017-14129,CVE-2017-14130,CVE-2017-14333,CVE-2017-14529,CVE-2017-14729,CVE-2017-14745,CVE-2017-14974,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2017-6512
Sources used:
SUSE CaaS Platform ALL (src): sles12-caasp-dex-image-2.0.0-3.3.11, sles12-dnsmasq-nanny-image-2.0.1-2.3.15, sles12-haproxy-image-2.0.1-2.3.16, sles12-kubedns-image-2.0.1-2.3.11, sles12-mariadb-image-2.0.1-2.3.15, sles12-openldap-image-2.0.0-2.3.11, sles12-pause-image-2.0.1-2.3.9, sles12-pv-recycler-node-image-2.0.1-2.3.10, sles12-salt-api-image-2.0.1-2.3.10, sles12-salt-master-image-2.0.1-2.3.10, sles12-salt-minion-image-2.0.1-2.3.14, sles12-sidecar-image-2.0.1-2.3.11, sles12-tiller-image-2.0.0-2.3.11, sles12-velum-image-2.0.1-2.3.13
--- Comment #21 from Swamp Workflow Management swamp@suse.de --- openSUSE-RU-2018:0070-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
openSUSE Leap 42.3 (src): cross-aarch64-gcc48-icecream-backend-4.8.5-29.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-29.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-29.2, cross-i386-gcc48-icecream-backend-4.8.5-29.2, cross-ia64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-29.2, cross-s390-gcc48-icecream-backend-4.8.5-29.2, cross-s390x-gcc48-icecream-backend-4.8.5-29.2, gcc48-4.8.5-29.1, gcc48-testresults-4.8.5-29.2, libffi48-4.8.5-29.1, libgcj48-4.8.5-29.1
openSUSE Leap 42.2 (src): cross-aarch64-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-i386-gcc48-icecream-backend-4.8.5-23.6.2, cross-ia64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390x-gcc48-icecream-backend-4.8.5-23.6.2, gcc48-4.8.5-23.6.1, gcc48-testresults-4.8.5-23.6.2, libffi48-4.8.5-23.6.1, libgcj48-4.8.5-23.6.1
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |obs:running:7638:moderate  |
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |                           |ibs:running:6554:moderate
              |                           |ibs:running:6555:moderate
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6554:moderate  |ibs:running:6554:moderate
              |ibs:running:6555:moderate  |
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6554:moderate  |
--- Comment #22 from Swamp Workflow Management swamp@suse.de --- SUSE-SU-2018:0300-1: An update that solves one vulnerability and has 7 fixes is now available.
Category: security (moderate)
Bug References: 1039513,1044016,1045091,1059075,1074621,938159,977654,999596
CVE References: CVE-2017-1000376
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): gcc43-4.3.4_20091019-37.3.1
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |                           |ibs:running:6780:moderate
              |                           |ibs:running:6779:moderate
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6780:moderate  |ibs:running:6779:moderate
              |ibs:running:6779:moderate  |
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:6779:moderate  |
--- Comment #23 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2018:0820-1: An update that has two recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1059075,1074621
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc48-4.8.5-5.6.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc48-4.8.5-5.6.2
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |                           |ibs:running:7186:low
--- Comment #26 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2018:1117-1: An update that has three recommended fixes can now be installed.
Category: recommended (low)
Bug References: 1039513,1059075,1074621
CVE References:
Sources used:
SUSE Studio Onsite Runner 1.3 (src): libffi43-4.3.4_20091019-24.5.1
SUSE Studio Onsite 1.3 (src): gcc43-4.3.4_20091019-24.5.1, libffi43-4.3.4_20091019-24.5.1
Swamp Workflow Management swamp@suse.de changed:
What          |Removed                    |Added
--------------+---------------------------+---------------------------
Whiteboard    |ibs:running:7186:low       |