{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-4039", "assignerOrgId": "56a131ea-b967-4a0d-a41e-5f3549952846", "state": "PUBLISHED", "assignerShortName": "Arm", "dateReserved": "2023-08-01T10:38:03.032Z", "datePublished": "2023-09-13T08:05:10.274Z", "dateUpdated": "2025-02-13T17:07:49.159Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Arm GNU Toolchain", "vendor": "Arm Ltd", "versions": [{"status": "affected", "version": "All versions where option -fstack-protector is used"}]}, {"defaultStatus": "unaffected", "product": "GCC", "vendor": "GNU", "versions": [{"status": "affected", "version": "All versions of GCC that target AArch64 when option -fstack-protector is used"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n<ul>\n <li>using GCC (all unpatched versions) targeting AArch64</li>\n <li>and when the -fstack-protector option is used</li>\n <li>and when the program uses C99-style dynamically-sized local variables or alloca()</li>\n</ul>\n<p>And to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack.</p>\n\n<br>"}], "value": "The specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n\n * using GCC (all unpatched versions) targeting AArch64\n\n * and when the -fstack-protector option is used\n\n * and when the program uses C99-style dynamically-sized local variables or alloca()\n\n\n\n\nAnd to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack."}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tom Hebb from Meta Red Team X and Maria Markstedter from Azeria Labs"}], "datePublic": "2023-09-12T09:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n</p><p>**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.</p><p>The default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.</p>\n\n<p></p>"}], "value": "**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself."}], "tags": ["disputed"], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "56a131ea-b967-4a0d-a41e-5f3549952846", "shortName": "Arm", "dateUpdated": "2024-06-13T22:20:07.881Z"}, "references": [{"url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"}, {"url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Recompile vulnerable code using an updated toolchain.\n\n<br>"}], "value": "Recompile vulnerable code using an updated toolchain."}], "source": {"discovery": "EXTERNAL"}, "title": "GCC's-fstack-protector fails to guard dynamically-sized local variables on AArch64", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "arm-security@arm.com", "ID": "CVE-2023-4039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Arm GNU Toolchain", "version": {"version_data": [{"version_value": "All versions of GCC that target AArch64 when option -fstack-protector is used"}]}}]}, "vendor_name": "Arm Ltd"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "5.0", "description": {"description_data": [{"lang": "eng", "value": "**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "GCC's-fstack-protector fails to guard dynamically-sized local variables on AArch64"}]}]}, "references": {"reference_data": [{"name": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", "refsource": "MISC", "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:11.837Z"}, "title": "CVE Program Container", "references": [{"url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", "tags": ["x_transferred"]}, {"url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:arm64:*", "matchCriteriaId": "C8373A25-594D-4F3F-981B-0D02056992FC", "versionEndExcluding": "2023-09-12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "arm-security@arm.com", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself."}, {"lang": "es", "value": "Una falla en la funci\u00f3n -fstack-protector en cadenas de herramientas basadas en GCC que apuntan a AArch64 permite a un atacante explotar un Desbordamiento de B\u00fafer existente en variables locales de tama\u00f1o din\u00e1mico en su aplicaci\u00f3n sin que esto sea detectado. Esta falla del protector de pila solo se aplica a variables locales de tama\u00f1o din\u00e1mico estilo C99 o aquellas creadas usando alloca(). El protector de pila funciona seg\u00fan lo previsto para variables locales de tama\u00f1o est\u00e1tico. El comportamiento predeterminado cuando el protector de pila detecta un desbordamiento es finalizar su aplicaci\u00f3n, lo que resulta en una p\u00e9rdida controlada de disponibilidad. Un atacante que pueda aprovechar un Desbordamiento del B\u00fafer sin activar el protector de pila podr\u00eda cambiar el control de flujo del programa para provocar una p\u00e9rdida incontrolada de disponibilidad o ir m\u00e1s all\u00e1 y afectar la confidencialidad o la integridad."}], "id": "CVE-2023-4039", "lastModified": "2025-02-13T17:17:14.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "arm-security@arm.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-13T09:15:15.690", "references": [{"source": "arm-security@arm.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"}, {"source": "arm-security@arm.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"}], "sourceIdentifier": "arm-security@arm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "arm-security@arm.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64", "id": "2233236", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233236"}, "csaw": false, "cvss3": {"cvss3_base_score": "0.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N", "status": "draft"}, "cwe": "(CWE-119|CWE-358)", "details": ["**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\ngo further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.", "A vulnerability was found in GCC. The GCC's stack protection feature, enabled with the flag -fstack-protector, aims to detect buffer overflows in C/C++ function local variables that might allow an attacker to overwrite saved registers on the stack. If an attacker can modify saved register values, it may be possible for them to subvert program flow control. The feature operates by placing a canary value between local variables and saved registers on the stack on function entry and triggers an error handler on function exit if the canary value has been unexpectedly modified. \nWhen targeting AArch64, this feature did not protect the saved registers from overflows in C99-style dynamically-sized local variables and alloca() objects. Other local variables, including statically-sized local arrays, are not affected because of their different placement on the stack relative to saved registers."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-4039", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "gcc", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "compat-gcc-295", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "compat-gcc-296", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "compat-gcc-32", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "compat-gcc-34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "compat-gcc-32", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "compat-gcc-34", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "compat-gcc-44", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-11-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-12-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gcc-toolset-13-gcc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gcc-toolset-12-gcc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gcc-toolset-13-gcc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "gcc", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "gcc", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "package_name": "gcc", "product_name": "Red Hat Virtualization 4"}], "public_date": "2023-09-12T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4039\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4039\nhttps://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64\nhttps://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt\nhttps://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html\nhttps://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf\nhttps://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org"], "statement": "According to the GCC security policy, both upstream and Red Hat Product Security do not consider this to be a vulnerability. Please refer to the following URLs for more information:\n* https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt\n* https://gcc.gnu.org/pipermail/gcc-patches/2023-October/634066.html\n* https://inbox.sourceware.org/gcc-patches/46cfa37b-56eb-344d-0745-e0d35393392d@gotplt.org/"}

{}