{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/129209#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview ###\r\n<p>The stack protection feature in LLVM's Arm backend can be rendered ineffective when the stack protector slot is re-allocated so that it appears after the local variables that it is meant to protect, leaving the function potentially vulnerable to a stack-based buffer overflow.</p>\r\n\r\n### Description ###\r\nThe stack protection feature provided in the LLVM Arm backend is an optional mitigating feature used to protect against buffer overflows. It works by adding a cookie value between local variables and the stack frame return address. The compiler stores this value in memory and checks the cookie with the <tt>LocalStackSlotAllocation</tt> function to ensure that it has not changed or been overwritten. If the value has changed, then the function will terminate. Since it currently pre-allocates the stack protector before the local variables in the stack, it's possible that a new stack protector can be allocated later in the process. If that happens, it leaves the stack protection ineffective as the new stack protector slot appears after the local variables that it is meant to protect. It is also possible for the stack cookie pointer to spill to the stack and potentially be overwritten. This could happen in an area on the stack before the stack protector slot, rendering it ineffective.\r\n### Impact ###\r\nWhen the stack protection feature is rendered ineffective, it leaves the function vulnerable to stack-based buffer overflows. It is possible that the return address could be overwritten due to a local buffer overflow without this being caught when the cookie is checked at the end. It is also possible that the cookie itself could be overwritten since it resides on the stack, causing an unintended value to pass the check. 
\r\n\r\n### Solution ###\r\n<p><b>Apply an Update</b></p><p>Apply the latest updates from LLVM and Arm. Both of LLVM's commits can be found <a href=\"https://reviews.llvm.org/D64757\">here</a> and <a href=\"https://reviews.llvm.org/D64759\">here</a>.</p>\r\n\r\n### Acknowledgements ###\r\n<p>Thanks to Jeffrey Crowell and Will Estes of Apple for reporting this vulnerability.</p><p>This document was written by Madison Oliver.</p>","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The following Arm Compilers are affected: Arm Compiler for Linux versions 19.0 to 19.2 inclusive and Arm Compiler 6 version 6.12. The following Arm Compilers are not affected: Arm Compiler for Linux versions 19.3 and later and Arm Compiler 6 versions 6.6.3 and 6.13 and later. 
The following versions remain unknown: Arm Compiler for Linux versions prior to 19.0 and Arm Compiler 6 versions 6.00 to 6.6.2 inclusive and 6.7 to 6.11 inclusive.","title":"Vendor statment from ARM Limited"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on ARM Limited notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Intel"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Intel notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Google"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Google notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Microsoft"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Microsoft notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from The HSA Foundation"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on The HSA Foundation notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Sony"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Sony notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Fastly"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Fastly 
notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from The LLVM Foundation"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on The LLVM Foundation notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Facebook"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Facebook notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Apple"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Apple notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from QUALCOMM Incorporated"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on QUALCOMM Incorporated notes"},{"category":"other","text":"No statement is currently available from the vendor regarding this vulnerability.","title":"Vendor statment from Cisco"},{"category":"other","text":"There are no additional comments at this time.","title":"CERT/CC comment on Cisco notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/129209"},{"url":"http://www.llvm.org/","summary":"http://www.llvm.org/"},{"url":"http://www.aosabook.org/en/llvm.html","summary":"http://www.aosabook.org/en/llvm.html"},{"url":"https://developer.arm.com/tools-and-software/embedded/arm-compiler","summary":"https://developer.arm.com/tools-and-software/embedded/arm-compiler"},{"url":"https://lists.llvm.org/mailman/listinfo/llvm-commits","summary":"https://lists.llvm.org/mailman/listinfo/llvm-commits"},{"url":"https://reviews.llvm.org/D64757","summary":"https://reviews.llvm.org/D64757"},{"url":"https://reviews.llvm.org/D64759","summary":"https://reviews.llvm.org/D64759"}],"title":"LLVMs Arm stack protection feature can be rendered ineffective","tracking":{"current_release_date":"2020-06-18T13:39:00+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#129209","initial_release_date":"2019-07-15 00:00:00+00:00","revision_history":[{"date":"2020-06-18T13:39:00+00:00","number":"1.20200618133900.34","summary":"Released on 2020-06-18T13:39:00+00:00"}],"status":"final","version":"1.20200618133900.34"}},"vulnerabilities":[{"title":"placeholder.","notes":[{"category":"summary","text":"placeholder"}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#129209"}],"product_status":{"known_affected":["CSAFPID-489809f6-39f2-11f1-8422-122e2785dc9f","CSAFPID-48997c96-39f2-11f1-8422-122e2785dc9f","CSAFPID-489ac628-39f2-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-489809f6-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-489845a6-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-489886e2-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The HSA 
Foundation","product":{"name":"The HSA Foundation Products","product_id":"CSAFPID-4898c63e-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sony","product":{"name":"Sony Products","product_id":"CSAFPID-48990fea-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fastly","product":{"name":"Fastly Products","product_id":"CSAFPID-48994906-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"The LLVM Foundation","product":{"name":"The LLVM Foundation Products","product_id":"CSAFPID-48997c96-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Facebook","product":{"name":"Facebook Products","product_id":"CSAFPID-4899c156-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-489a117e-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-489a7114-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"QUALCOMM Incorporated","product":{"name":"QUALCOMM Incorporated Products","product_id":"CSAFPID-489ac628-39f2-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-489b2492-39f2-11f1-8422-122e2785dc9f"}}]}}