Bug 114837 - [11/12/13] Fix to security weaknesses in arm PCS for CMSE
Summary: [11/12/13] Fix to security weaknesses in arm PCS for CMSE
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: target
Version: 14.0
Importance: P3 normal
Target Milestone: ---
Assignee: Richard Ball
Reported: 2024-04-24 15:40 UTC by Richard Ball
Modified: 2024-04-25 14:48 UTC
Target: arm
Last reconfirmed: 2024-04-24 00:00:00


Description Richard Ball 2024-04-24 15:40:05 UTC
Security weaknesses exist in PCS for CMSE. To resolve this, a patch will be upstreamed and backported which will:

1) When calling a secure function from non-secure code then any arguments
   smaller than 32-bits that are passed in registers are zero- or sign-extended.
2) After a non-secure function returns into secure code then any return value
   smaller than 32-bits that is passed in a register is zero- or sign-extended.

This patch will fix the following: CVE-2024-0151.
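
A host-runnable model of the two extensions listed in the description, added here as an illustration; it is not taken from the GCC patch or its tests. Registers are treated as plain `uint32_t` values, and `struct abi_type`, the function names and the register contents are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Declared type of one register-passed value (model type, an assumption). */
struct abi_type { unsigned bits; int is_signed; };

/* Rebuild a 32-bit register from its low `bits` bits: zero-extend unsigned
 * types, sign-extend signed ones (what UXTB/UXTH and SXTB/SXTH do). */
uint32_t extend_reg(uint32_t reg, struct abi_type t)
{
    if (t.bits == 0 || t.bits >= 32)
        return reg;                 /* full-width values are left alone */
    uint32_t low = reg & ((1u << t.bits) - 1u);
    uint32_t sign = 1u << (t.bits - 1);
    return t.is_signed ? (low ^ sign) - sign : low;
}

/* Item 1: on entry to a secure function, normalise each argument register.
 * Returns how many registers held bits outside their declared type. */
int secure_entry_extend(uint32_t regs[], const struct abi_type types[], int n)
{
    int changed = 0;
    for (int i = 0; i < n; i++) {
        uint32_t fixed = extend_reg(regs[i], types[i]);
        changed += (fixed != regs[i]);
        regs[i] = fixed;
    }
    return changed;
}

/* Item 2: after a non-secure callee returns, normalise r0 the same way. */
uint32_t after_nonsecure_return(uint32_t r0, struct abi_type ret) { return extend_reg(r0, ret); }

/* Constructed r0-r3 for f(uint8_t, int16_t, uint32_t, int8_t). */
static int run_demo(uint32_t r[4])
{
    static const struct abi_type t[4] = { {8, 0}, {16, 1}, {32, 0}, {8, 1} };
    r[0] = 0xDEAD0005u; r[1] = 0x000180FFu; r[2] = 0x12345678u; r[3] = 0xF0u;
    return secure_entry_extend(r, t, 4);
}
uint32_t demo_reg(int i) { uint32_t r[4]; run_demo(r); return r[i]; }
int demo_changed(void) { uint32_t r[4]; return run_demo(r); }

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("r%d = 0x%08x\n", i, (unsigned)demo_reg(i));
    printf("registers normalised: %d\n", demo_changed());
    return 0;
}
```

The count returned by `secure_entry_extend` is only a property of this model; it shows which inputs arrived with bits outside their declared type.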
Comment 2 GCC Commits 2024-04-25 14:34:30 UTC
The master branch has been updated by Richard Ball <ricbal02@gcc.gnu.org>:

https://gcc.gnu.org/g:ad45086178d833254d66fab518b14234418f002b

commit r14-10122-gad45086178d833254d66fab518b14234418f002b
Author: Richard Ball <richard.ball@arm.com>
Date:   Thu Apr 25 15:30:42 2024 +0100

    arm: Zero/Sign extends for CMSE security
    
    Co-Authored by: Andre Simoes Dias Vieira <Andre.SimoesDiasVieira@arm.com>
    
    This patch makes the following changes:
    
    1) When calling a secure function from non-secure code then any arguments
       smaller than 32-bits that are passed in registers are zero- or sign-extended.
    2) After a non-secure function returns into secure code then any return value
       smaller than 32-bits that is passed in a register is zero- or sign-extended.
    
    This patch addresses the following CVE-2024-0151.
    
    gcc/ChangeLog:
            PR target/114837
            * config/arm/arm.cc (cmse_nonsecure_call_inline_register_clear):
            Add zero/sign extend.
            (arm_expand_prologue): Add zero/sign extend.
    
    gcc/testsuite/ChangeLog:
    
            * gcc.target/arm/cmse/extend-param.c: New test.
            * gcc.target/arm/cmse/extend-return.c: New test.
Comment 3 Richard Ball 2024-04-25 14:35:44 UTC
Fixed on Trunk so far
Comment 4 GCC Commits 2024-04-25 14:40:51 UTC
The releases/gcc-13 branch has been updated by Richard Ball <ricbal02@gcc.gnu.org>:

https://gcc.gnu.org/g:5550214b58e95320b54e42ef0e37c6479e04b27b

commit r13-8647-g5550214b58e95320b54e42ef0e37c6479e04b27b
Author: Richard Ball <richard.ball@arm.com>
Date:   Thu Apr 25 15:30:42 2024 +0100

    arm: Zero/Sign extends for CMSE security
    
    Co-Authored by: Andre Simoes Dias Vieira <Andre.SimoesDiasVieira@arm.com>
    
    This patch makes the following changes:
    
    1) When calling a secure function from non-secure code then any arguments
       smaller than 32-bits that are passed in registers are zero- or sign-extended.
    2) After a non-secure function returns into secure code then any return value
       smaller than 32-bits that is passed in a register is zero- or sign-extended.
    
    This patch addresses the following CVE-2024-0151.
    
    gcc/ChangeLog:
            PR target/114837
            * config/arm/arm.cc (cmse_nonsecure_call_inline_register_clear):
            Add zero/sign extend.
            (arm_expand_prologue): Add zero/sign extend.
    
    gcc/testsuite/ChangeLog:
    
            * gcc.target/arm/cmse/extend-param.c: New test.
            * gcc.target/arm/cmse/extend-return.c: New test.
    
    (cherry picked from commit ad45086178d833254d66fab518b14234418f002b)
Comment 5 GCC Commits 2024-04-25 14:44:08 UTC
The releases/gcc-12 branch has been updated by Richard Ball <ricbal02@gcc.gnu.org>:

https://gcc.gnu.org/g:441e194abcf3211de647d74c892f90879ae9ca8c

commit r12-10394-g441e194abcf3211de647d74c892f90879ae9ca8c
Author: Richard Ball <richard.ball@arm.com>
Date:   Thu Apr 25 15:30:42 2024 +0100

    arm: Zero/Sign extends for CMSE security
    
    Co-Authored by: Andre Simoes Dias Vieira <Andre.SimoesDiasVieira@arm.com>
    
    This patch makes the following changes:
    
    1) When calling a secure function from non-secure code then any arguments
       smaller than 32-bits that are passed in registers are zero- or sign-extended.
    2) After a non-secure function returns into secure code then any return value
       smaller than 32-bits that is passed in a register is zero- or sign-extended.
    
    This patch addresses the following CVE-2024-0151.
    
    gcc/ChangeLog:
            PR target/114837
            * config/arm/arm.cc (cmse_nonsecure_call_inline_register_clear):
            Add zero/sign extend.
            (arm_expand_prologue): Add zero/sign extend.
    
    gcc/testsuite/ChangeLog:
    
            * gcc.target/arm/cmse/extend-param.c: New test.
            * gcc.target/arm/cmse/extend-return.c: New test.
    
    (cherry picked from commit ad45086178d833254d66fab518b14234418f002b)
Comment 6 GCC Commits 2024-04-25 14:46:57 UTC
The releases/gcc-11 branch has been updated by Richard Ball <ricbal02@gcc.gnu.org>:

https://gcc.gnu.org/g:dabd742cc25f8992c24e639510df0965dbf14f21

commit r11-11364-gdabd742cc25f8992c24e639510df0965dbf14f21
Author: Richard Ball <richard.ball@arm.com>
Date:   Thu Apr 25 15:30:42 2024 +0100

    arm: Zero/Sign extends for CMSE security
    
    Co-Authored by: Andre Simoes Dias Vieira <Andre.SimoesDiasVieira@arm.com>
    
    This patch makes the following changes:
    
    1) When calling a secure function from non-secure code then any arguments
       smaller than 32-bits that are passed in registers are zero- or sign-extended.
    2) After a non-secure function returns into secure code then any return value
       smaller than 32-bits that is passed in a register is zero- or sign-extended.
    
    This patch addresses the following CVE-2024-0151.
    
    gcc/ChangeLog:
            PR target/114837
            * config/arm/arm.c (cmse_nonsecure_call_inline_register_clear):
            Add zero/sign extend.
            (arm_expand_prologue): Add zero/sign extend.
    
    gcc/testsuite/ChangeLog:
    
            * gcc.target/arm/cmse/extend-param.c: New test.
            * gcc.target/arm/cmse/extend-return.c: New test.
    
    (cherry picked from commit ad45086178d833254d66fab518b14234418f002b)
Comment 7 Richard Ball 2024-04-25 14:48:02 UTC
Backported to gcc-11, gcc-12 and gcc-13
Comment 8 Richard Ball 2024-04-25 14:48:27 UTC
Fixed