[Bug 1059075] New: -fstack-clash-protection writes beyond array bounds
http://bugzilla.suse.com/show_bug.cgi?id=1059075

            Bug ID: 1059075
           Summary: -fstack-clash-protection writes beyond array bounds
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: rguenther@suse.com
          Reporter: schwab@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

When allocating a zero-length array with alloca or as a VLA, the code produced by -fstack-clash-protection accesses the array beyond bounds. The failure can best be seen on armv7 (or targets without their own probe_stack insn), where a stack probe is destructive, and where it breaks glibc.

https://build.opensuse.org/package/live_build_log/Base:System/glibc/openSUSE...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Andreas Schwab <schwab@suse.com> changed:

           What    |Removed             |Added
----------------------------------------------------------------------------
                 CC|                    |rguenther@suse.com
           Assignee|rguenther@suse.com  |matz@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c1

--- Comment #1 from Andreas Schwab <schwab@suse.com> ---
The C standard says that VLA shall not have zero size, but a size of 1 is valid, and the default probe_stack expansion writes to a MEM of word_mode.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c2

--- Comment #2 from Richard Biener <rguenther@suse.com> ---
So we have to surround the code generated by the final

+      if (flag_stack_clash_protection)
+        emit_stack_probe (target);

with a compare against zero and jump.

SLE is affected as well.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c3

--- Comment #3 from Richard Biener <rguenther@suse.com> ---
(In reply to Andreas Schwab from comment #1)
> The C standard says that VLA shall not have zero size, but a size of 1 is
> valid, and the default probe_stack expansion writes to a MEM of word_mode.

So the question is whether we at least align the allocation to word_mode, which I doubt.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c4

--- Comment #4 from Andreas Schwab <schwab@suse.com> ---
GCC supports zero-length arrays, but it is unclear if it also supports zero-length VLAs.
Andreas Schwab <schwab@suse.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
           See Also|         |https://sourceware.org/bugzilla/show_bug.cgi?id=22149
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c5

--- Comment #5 from Andreas Schwab <schwab@suse.com> ---
ldconfig on aarch64 is also affected.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c6

--- Comment #6 from Michael Matz <matz@suse.com> ---
Hmpf. Indeed, some hardening is in order, aligning the size to word_mode and checking for zeroness. I'm going to work on that, but the labs conf interferes a small bit.
Marcus Meissner <meissner@suse.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
                 CC|         |meissner@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c7

--- Comment #7 from Andreas Schwab <schwab@suse.com> ---
The generated code for probing "char zero[pad]":

        mov     r6, sp
        add     r3, r3, #7
        bic     r3, r3, #7
        cmp     r3, #4096
        bcc     .L128
.L186:
        sub     r3, r3, #4096
        sub     sp, sp, #4096
        cmp     r3, #4096
        str     r0, [sp, #8]
        bcs     .L186
.L128:
        ldr     r7, [fp, #-56]
        sub     sp, sp, r3
        mov     r1, #0
        add     r3, sp, #8
        mov     r0, r3
        str     r0, [sp, #8]

The offset of #8 means that it overwrites a nearby variable.
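Added regression check for the pattern discussed in the report and in comment #7; it is not code from the bug report or from GCC. A VLA and an alloca block of caller-controlled length (zero included) are each placed next to a sentinel word, and the functions report whether the sentinel survived; the sentinel value, the size range 0..17 and the noinline helpers are assumptions of this example, and stack layout is the compiler's choice, so a clobbered sentinel or a crash on return (the saved frame pointer case from comment #10) both count as a reproduction. Build it with the option under test on the target in question, e.g. gcc -O2 -fstack-clash-protection; on an unaffected toolchain every size passes.

```c
/* Regression check for destructive stack probes next to a zero-length or
 * word-unaligned VLA/alloca allocation.  Not from the bug report or GCC.
 *   gcc -O2 -fstack-clash-protection -o probe_check probe_check.c && ./probe_check
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x5a5a5a5a5a5a5a5aULL   /* assumed marker value */

/* Writes the allocation (if any) and pins it so the optimizer keeps it. */
static void touch(void *p, size_t n)
{
    if (n)
        memset(p, 0x41, n);
    __asm__ volatile("" : : "r"(p) : "memory");
}

/* Returns 1 if the sentinel next to a VLA of n bytes is intact afterwards.
 * With n == 0 this is the "char zero[pad]" case from comment #7. */
__attribute__((noinline))
int vla_probe_ok(size_t n)
{
    volatile uint64_t guard = SENTINEL;
    char zero[n];                       /* zero-length VLA when n == 0 */
    touch(zero, n);
    return guard == SENTINEL;
}

/* Same check for the strdupa-style alloca pattern from the report. */
__attribute__((noinline))
int alloca_probe_ok(size_t n)
{
    volatile uint64_t guard = SENTINEL;
    char *p = __builtin_alloca(n);
    touch(p, n);
    return guard == SENTINEL;
}

/* Exercises sizes around word alignment (0..17 bytes) and returns the
 * number of failing allocations; 0 means the toolchain is clean here. */
int count_probe_failures(void)
{
    int failures = 0;
    for (size_t n = 0; n <= 17; n++) {
        if (!vla_probe_ok(n))
            failures++;
        if (!alloca_probe_ok(n))
            failures++;
    }
    return failures;
}

int main(void)
{
    int f = count_probe_failures();
    printf("%d failing allocations\n", f);
    return f != 0;
}
```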
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c8

--- Comment #8 from Andreas Schwab <schwab@suse.com> ---
For "char *dir = strdupa (aux_cache_name);" it generates an insn with unpredictable behavior:

        mov     r0, r5
        bl      strlen(PLT)
        add     r3, r0, #15
        add     r2, r0, #1
        bic     r3, r3, #7
        cmp     r3, #4096
        bcc     .L281
.L320:
        sub     r3, r3, #4096
        sub     sp, sp, #4096
        cmp     r3, #4096
        str     r0, [sp]
        bcs     .L320
.L281:
        sub     sp, sp, r3
        ldr     r1, [fp, #-172]
        mov     r0, sp
        str     r0, [r0], #7        <======
        bic     r0, r0, #7
        bl      memcpy(PLT)

cache.s:2116: Warning: source register same as write-back base
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c9

--- Comment #9 from Andreas Schwab <schwab@suse.com> ---
The latter is filed as PR82248.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c10

--- Comment #10 from Andreas Schwab <schwab@suse.com> ---
On aarch64 this overwrites the saved frame pointer (register x29).

   0x0000000000403ad8 <+1008>:  ldr     x0, [x29, #144]
   0x0000000000403adc <+1012>:  mov     x22, sp
   0x0000000000403ae0 <+1016>:  add     x0, x0, #0xf
   0x0000000000403ae4 <+1020>:  and     x0, x0, #0xfffffffffffffff0
   0x0000000000403ae8 <+1024>:  cmp     x0, #0x1, lsl #12
   0x0000000000403aec <+1028>:  b.cc    0x403b04 <save_cache+1052>  // b.lo, b.ul, b.last
   0x0000000000403af0 <+1032>:  sub     sp, sp, #0x1, lsl #12
   0x0000000000403af4 <+1036>:  sub     x0, x0, #0x1, lsl #12
   0x0000000000403af8 <+1040>:  cmp     x0, #0x1, lsl #12
   0x0000000000403afc <+1044>:  str     xzr, [sp]
   0x0000000000403b00 <+1048>:  b.cs    0x403af0 <save_cache+1032>  // b.hs, b.nlast
   0x0000000000403b04 <+1052>:  sub     sp, sp, x0
   0x0000000000403b08 <+1056>:  ldr     x23, [x29, #144]
   0x0000000000403b0c <+1060>:  mov     w1, #0x0                    // #0
   0x0000000000403b10 <+1064>:  mov     x0, sp
   0x0000000000403b14 <+1068>:  mov     x2, x23
=> 0x0000000000403b18 <+1072>:  str     xzr, [sp]
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c11

--- Comment #11 from Marcus Meissner <meissner@suse.com> ---
So both arm 32-bit and 64-bit are currently broken regarding that option?
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c12

--- Comment #12 from Andreas Schwab <schwab@suse.com> ---
It is unknown whether other architectures are affected.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c13

--- Comment #13 from Michael Matz <matz@suse.com> ---
As one data point: I was comparing the test results (GCC testsuite) of all SLE11 architectures on gcc43 with this patch; they were clean. So either the testsuite doesn't contain a problematic alloca, or only aarch64 is affected. Are we caring for arm 32-bit?
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c14

--- Comment #14 from Andreas Schwab <schwab@suse.com> ---
Most likely none of them is testing zero-size VLAs.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c17

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
              Flags|         |needinfo?(schwab@suse.com)

--- Comment #17 from Marcus Meissner <meissner@suse.com> ---
Is this now better?
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c18

Andreas Schwab <schwab@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(schwab@suse.com)  |

--- Comment #18 from Andreas Schwab <schwab@suse.com> ---
Looks so.
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c19

--- Comment #19 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:0014-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
SUSE OpenStack Cloud 6 (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    gcc48-4.8.5-31.6.1, libffi48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP2 (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Server 12-LTSS (src):    gcc48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    gcc48-4.8.5-31.6.1, libgcj48-4.8.5-31.6.1
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c20

--- Comment #20 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2018:0053-1: An update that solves 29 vulnerabilities and has 57 fixes is now available.

Category: security (moderate)
Bug References:
CVE References:
Sources used:
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c21

--- Comment #21 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2018:0070-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1059075
CVE References:
Sources used:
openSUSE Leap 42.3 (src):    cross-aarch64-gcc48-icecream-backend-4.8.5-29.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-29.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-29.2, cross-i386-gcc48-icecream-backend-4.8.5-29.2, cross-ia64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64-gcc48-icecream-backend-4.8.5-29.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-29.2, cross-s390-gcc48-icecream-backend-4.8.5-29.2, cross-s390x-gcc48-icecream-backend-4.8.5-29.2, gcc48-4.8.5-29.1, gcc48-testresults-4.8.5-29.2, libffi48-4.8.5-29.1, libgcj48-4.8.5-29.1
openSUSE Leap 42.2 (src):    cross-aarch64-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-23.6.2, cross-i386-gcc48-icecream-backend-4.8.5-23.6.2, cross-ia64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64-gcc48-icecream-backend-4.8.5-23.6.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390-gcc48-icecream-backend-4.8.5-23.6.2, cross-s390x-gcc48-icecream-backend-4.8.5-23.6.2, gcc48-4.8.5-23.6.1, gcc48-testresults-4.8.5-23.6.2, libffi48-4.8.5-23.6.1, libgcj48-4.8.5-23.6.1
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c22

--- Comment #22 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2018:0300-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1039513,1044016,1045091,1059075,1074621,938159,977654,999596
CVE References: CVE-2017-1000376
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gcc43-4.3.4_20091019-37.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    gcc43-4.3.4_20091019-37.3.1
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c23

--- Comment #23 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:0820-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1059075,1074621
CVE References:
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gcc48-4.8.5-5.6.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gcc48-4.8.5-5.6.2
http://bugzilla.suse.com/show_bug.cgi?id=1059075#c26

--- Comment #26 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:1117-1: An update that has three recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1039513,1059075,1074621
CVE References:
Sources used:
SUSE Studio Onsite Runner 1.3 (src):    libffi43-4.3.4_20091019-24.5.1
SUSE Studio Onsite 1.3 (src):    gcc43-4.3.4_20091019-24.5.1, libffi43-4.3.4_20091019-24.5.1