
Cloud Vulnerability DB
A community-led vulnerabilities database
A signed comparison vulnerability (CVE-2020-6096) was discovered in the ARMv7 memcpy() implementation of GNU glibc. The vulnerability was discovered by Jason Royes and Samuel Dytrych of the Cisco Security Assessment and Penetration Team and publicly disclosed on May 21, 2020. The vulnerability affects GNU glibc version 2.30.9000 and earlier versions running on ARMv7 targets (Talos Report).
The vulnerability occurs because the ARMv7 memcpy() implementation incorrectly handles the size_t data type of the 'num' parameter. Instead of treating size_t as unsigned, it uses signed branch and arithmetic operations. When memcpy() is called with a 'num' value that is negative when interpreted as a signed integer (for example, a length that has underflowed), the signed comparison results in incorrect behavior. The vulnerability has a CVSSv3 score of 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-195 (Signed to Unsigned Conversion Error) (Talos Report).
If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this implementation allows program execution to continue in scenarios where a segmentation fault or crash should have occurred, leading to execution with corrupted data (Talos Report).
The fix involves replacing signed branch operations with unsigned equivalents throughout the ARMv7 memcpy() implementation. Instead of 'bge' (signed greater-than-or-equal branch), the implementation should use 'bhs'/'bcs' (unsigned greater-than-or-equal branch) so that the 'num' parameter is treated as unsigned. The fix was included in glibc version 2.32, released on August 3, 2020 (Sourceware Bug).
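The following C program is an added illustration, not glibc code: it models the signed-versus-unsigned comparison at the heart of CWE-195 on a 32-bit size_t (as on ARMv7), and shows a defensive wrapper a caller can use to reject underflowed lengths before they reach memcpy(). The function names cmp_ge_signed, cmp_ge_unsigned and checked_memcpy are made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Vulnerable pattern: the 32-bit length is compared as a signed value
 * (the 'bge' branch), so any length with bit 31 set, such as (size_t)-16,
 * is wrongly treated as "small". */
int cmp_ge_signed(uint32_t num, uint32_t threshold) {
    return (int32_t)num >= (int32_t)threshold;
}

/* Fixed pattern: compare as unsigned (the 'bhs'/'bcs' branch), as size_t
 * semantics require. */
int cmp_ge_unsigned(uint32_t num, uint32_t threshold) {
    return num >= threshold;
}

/* Defensive wrapper for callers on 32-bit targets: refuse lengths that cannot
 * be a real object size (bit 31 set, i.e. "negative" if misread as signed)
 * and lengths larger than the destination capacity. Returns 0 on success
 * and -1 on rejection; nothing is copied when rejected. The 0x7FFFFFFF
 * bound is an assumption matching a 32-bit size_t. */
int checked_memcpy(void *dst, size_t dst_cap, const void *src, size_t num) {
    if (num > 0x7FFFFFFFu) return -1;   /* underflowed or implausible length */
    if (num > dst_cap)     return -1;   /* would overrun the destination */
    memcpy(dst, src, num);
    return 0;
}

int main(void) {
    /* Constructed sample: what (size_t)-16 looks like as a 32-bit size_t. */
    uint32_t underflowed = (uint32_t)0 - 16u;
    printf("signed   >= 64: %d\n", cmp_ge_signed(underflowed, 64));   /* 0: wrongly "small" */
    printf("unsigned >= 64: %d\n", cmp_ge_unsigned(underflowed, 64)); /* 1: correct */

    char dst[32];
    const char src[64] = "constructed sample data";
    printf("checked copy of underflowed length: %d\n",
           checked_memcpy(dst, sizeof dst, src, (size_t)underflowed)); /* -1: rejected */
    printf("checked copy of 16 bytes: %d\n",
           checked_memcpy(dst, sizeof dst, src, 16));                  /* 0: copied */
    return 0;
}
```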
Source: This report was generated using AI