From: Andrew Pinski
Date: Mon, 23 Oct 2023 20:00:51 -0700
Subject: Re: Inquiry about ARM gcc5 CVE-2023-4039 Patch
To: 老小孩老小孩
Cc: gcc-patches@gcc.gnu.org
In-Reply-To: <24f0570b.1ae8.18b5f9a70c6.Coremail.arabain@126.com>

On Mon, Oct 23, 2023 at 7:54 PM 老小孩老小孩 wrote:
>
> Dear arms,
>
> I hope this message finds you well.
>
> I am writing to inquire about the issue of ARM gcc5 CVE-2023-4039. According to the advisory on GitHub (https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf), this bug affects versions from 5.4.0 to the trunk as of May 15, 2023.
>
> However, I noticed that currently, patches are only provided for gcc7 and above, as per the information available on the ARM Security Center (https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64).
>
> Given the potential impact of this vulnerability, I am particularly interested in a patch for gcc5. Could you please provide information on whether a patch for gcc5 is available or planned? If not, could you suggest any possible workarounds or mitigation strategies for systems that are currently using gcc5?
>
> I appreciate your attention to this matter and look forward to your response.

THIS should NEVER have been a security CVE in the first place.
This is not a security issue with any correct code that GCC will process.
GCC does not consider this a security issue according to its security policy.
See the "Security features implemented in GCC" section of
https://gcc.gnu.org/git/?p=gcc.git;a=blob_plain;f=SECURITY.txt;hb=HEAD
for more information on that policy.

Thanks,
Andrew Pinski

>
> Best regards,