Bug 1222739 (CVE-2024-31852)

Summary: VUL-0: CVE-2024-31852: llvm: LR register can be overwritten without data being saved to the stack on ARM
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: afaerber, camila.matos, matz, meissner, pgajdos, rguenther
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400484/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-31852:4.2:(AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-12 17:23:07 UTC 
LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production."

References:
https://llvm.org/docs/Security.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvm/llvm-project/issues/80287
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2
https://bugzilla.redhat.com/show_bug.cgi?id=2273715
Comment 2 Camila Camargo de Matos 2024-04-12 17:38:49 UTC 
As shown in the references for this bug, the GitHub issue related to the vulnerability is issue 80287 [0]. The corresponding PR that fixes the issue is PR 82745 [1]. In this PR's description and even in the message for the merged commit that fixes the issue [2], it is possible to see a reference to PR 75527 [3]. The changes applied through this other PR [4] look like they to need to be applied in order to allow the vulnerability being considered in this bug to be completely patched.

[0] https://github.com/llvm/llvm-project/issues/80287
[1] https://github.com/llvm/llvm-project/pull/82745
[2] https://github.com/llvm/llvm-project/commit/749384c08e042739342c88b521c8ba5dac1b9276
[3] https://github.com/llvm/llvm-project/pull/75527
[4] https://github.com/llvm/llvm-project/commit/b1a5ee1febd8a903cec3dfdad61d57900dc3823e
Comment 5 Richard Biener 2024-04-15 06:29:27 UTC 
The initial description of the LLVM issue says

Clang versions info:

    llvmorg-17-init - bug wasn't detected
    llvmorg-17.0.2 - bug detected
    llvmorg-17.0.6 - bug detected
    llvmorg-18-init - bug detected

I see no indication that llvm versions as old as llvm7 should be affected.

Only arm 32bit is affected, that's the only arch affected by the fix.

I'll note that on SLES there's neither support for clang nor support for
arm 32 code generation using it.  No support for _any_ clang/llvm version.
So SLES is unaffected.

Without indication otherwise only llvm17 or llvm18 are affected.  A fix
will tickle into openSUSE:Factory for the releases upstream still maintains
which is only llvm18.  No further updates are planned, in particular none
to the SLE codestreams.
Comment 6 Petr Gajdos 2024-04-22 07:30:52 UTC 
(In reply to Richard Biener from comment #5)
> Without indication otherwise only llvm17 or llvm18 are affected.  A fix
> will tickle into openSUSE:Factory for the releases upstream still maintains
> which is only llvm18.  No further updates are planned, in particular none
> to the SLE codestreams.

Thanks Richard (a lot!) for your evaluation. Based on that I am reassigning back to the security team.