Wind River Support Network


LIN1021-6517 : Security Advisory - gcc - CVE-2023-4039

Created: Sep 13, 2023    Updated: Mar 17, 2024
Resolved Date: Mar 17, 2024
Found In Version:
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Toolchain


A failure in the -fstack-protector feature in GCC-based toolchains 
that target AArch64 allows an attacker to exploit an existing buffer 
overflow in dynamically-sized local variables in your application 
without this being detected. This stack-protector failure only applies 
to C99-style dynamically-sized local variables or those created using 
alloca(). The stack-protector operates as intended for statically-sized 
local variables.

The default behavior when the stack-protector 
detects an overflow is to terminate your application, resulting in 
controlled loss of availability. An attacker who can exploit a buffer 
overflow without triggering the stack-protector might be able to change 
program flow control to cause an uncontrolled loss of availability or to
 go further and affect confidentiality or integrity.


Live chat