A GCC -fstack-protector vulnerability on arm64

The GCC stack-protector feature detects stack-based buffer overruns by
putting a canary value on the stack and noticing if that value is changed.
It turns out
(https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf),
though, that dynamically allocated local variables (such as
variable-length arrays and space obtained with alloca()) are
placed beyond the canary, so overflows of those variables will not be
detected.  As a result, arm64 binaries built with vulnerable versions of
GCC are not as protected as they should be and need to be rebuilt.


	Dynamic allocations are just as susceptible to overflows as other
	locals. In fact, they're arguably more susceptible because they're
	almost always arrays, whereas fixed locals are often integers,
	pointers, or other types to which variable-length data is never
	written. GCC's own heuristics for when to use a stack guard reflect
	this.


Kees Cook, meanwhile, has pointed out
(https://fosstodon.org/@kees/111054213020992461) that
the kernel no longer uses variable-length arrays, so kernel builds should
not be affected by this vulnerability.
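The following is an added example, not code from the advisory, GCC, or the kernel. It illustrates both points above: why a dynamically sized local is the worrying case (a VLA sized from one untrusted field, filled according to another), and what the kernel's "no VLAs" approach looks like in practice (a fixed-size buffer, which GCC does place behind the canary, plus explicit length validation before any copy). The packet format, the MAX_BODY limit, and the sample packets are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy packet format: byte 0 is the declared body length,
 * bytes 1.. are the body.  Nothing here comes from the advisory. */

/* Fragile shape: the body buffer is a VLA sized by the declared length,
 * but the copy is driven by the real packet length.  On an affected
 * arm64 GCC build this VLA lands beyond the canary, so a packet whose
 * real body is longer than declared overruns it without the stack
 * protector noticing.  Only ever call this with a well-formed packet. */
uint32_t sum_body_vla(const uint8_t *pkt, size_t pkt_len)
{
    size_t declared = pkt[0];
    uint8_t body[declared];             /* dynamically sized local */
    memcpy(body, pkt + 1, pkt_len - 1); /* overruns body when pkt_len - 1 > declared */
    uint32_t sum = 0;
    for (size_t i = 0; i < declared; i++)
        sum += body[i];
    return sum;
}

/* Hardened shape, in the spirit of the kernel's VLA removal: a fixed
 * maximum buffer (a fixed-size char array is the case GCC's heuristics
 * protect) and validation of both lengths before any write to the stack.
 * Returns the body sum on success, or -1 for a malformed packet. */
#define MAX_BODY 64   /* constructed limit for this example */

long sum_body_fixed(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < 1)
        return -1;
    size_t declared = pkt[0];
    if (declared > MAX_BODY || declared != pkt_len - 1)
        return -1;                      /* reject before touching the buffer */
    uint8_t body[MAX_BODY];
    memcpy(body, pkt + 1, declared);    /* bounded by both checks above */
    uint32_t sum = 0;
    for (size_t i = 0; i < declared; i++)
        sum += body[i];
    return (long)sum;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[] = {3, 10, 20, 30};      /* declares 3, carries 3 */
static const uint8_t bad_pkt[]  = {2, 1, 2, 3, 4, 5};   /* declares 2, carries 5 */

int main(void)
{
    printf("vla   good: %u\n", sum_body_vla(good_pkt, sizeof good_pkt));
    printf("fixed good: %ld\n", sum_body_fixed(good_pkt, sizeof good_pkt));
    printf("fixed bad : %ld\n", sum_body_fixed(bad_pkt, sizeof bad_pkt));
    /* bad_pkt is deliberately never passed to sum_body_vla() */
    return 0;
}
```

The design point is that the hardened version never relies on the canary at all: the overflow is prevented by the length checks, and the canary is only a second line of defence. That is why a rebuild with a fixed GCC matters for existing arm64 binaries that still use VLAs or alloca(), while code that has already dropped them, as the kernel has, is unaffected either way.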

https://lwn.net/Articles/944307/