
Cloud Vulnerability DB
A community-led vulnerabilities database
A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables without detection. This vulnerability (CVE-2023-4039) specifically affects C99-style dynamically-sized local variables and those created using alloca(); the stack-protector operates as intended for statically-sized local variables. The issue was discovered and disclosed on September 12, 2023, and affects all versions of GCC targeting the AArch64 architecture (ARM Security, Meta Security).
The vulnerability occurs because GCC's AArch64 backend implements an unconventional stack frame layout where the return address is saved near the bottom of the frame, below the local variables, rather than at the top. The stack guard is placed at the top of the local area, but dynamic allocations reside at the bottom of the stack frame, below the saved registers, with no intervening guard. This architectural design flaw means that buffer overflows in dynamically allocated variables can bypass the stack protection mechanism entirely. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).
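The layout described above can be modelled as an ordered list of frame regions. The following is an added example, not code from GCC or from the advisories; the region names, sizes and the `classify_overflow` helper are constructed for illustration, and the model only tracks which region a linear upward overflow reaches first.

```c
#include <stddef.h>
#include <stdio.h>

/* Regions of one frame, named after the advisory's description. */
enum region { DYNAMIC_ALLOC, SAVED_REGS, STATIC_LOCALS, GUARD, CALLER_FRAME };
enum outcome { CONTAINED, DETECTED, UNDETECTED_SAVED_REGS };

struct slot { enum region kind; size_t size; };

/* Constructed layout, lowest address first; sizes are illustrative. */
static const struct slot frame[] = {
    { DYNAMIC_ALLOC, 64 }, /* VLA / alloca() area, bottom of the frame */
    { SAVED_REGS,    16 }, /* saved frame pointer and return address */
    { STATIC_LOCALS, 64 }, /* fixed-size locals */
    { GUARD,          8 }, /* stack-protector guard, top of local area */
    { CALLER_FRAME,  16 }, /* caller's frame starts above */
};
#define NSLOTS (sizeof frame / sizeof frame[0])

/* A linear overflow writes `excess` bytes past the end of region `src`,
 * toward higher addresses. Return what it reaches first. */
enum outcome classify_overflow(enum region src, size_t excess)
{
    size_t i = 0;
    while (i < NSLOTS && frame[i].kind != src)
        i++;
    if (i == NSLOTS)
        return CONTAINED;
    for (i++; i < NSLOTS && excess > 0; i++) {
        if (frame[i].kind == GUARD)
            return DETECTED;              /* guard check fails on return */
        if (frame[i].kind == SAVED_REGS)
            return UNDETECTED_SAVED_REGS; /* no guard was crossed */
        excess = excess > frame[i].size ? excess - frame[i].size : 0;
    }
    return CONTAINED;
}

int main(void)
{
    static const char *names[] = { "contained", "detected", "undetected" };
    printf("static local overflow:  %s\n", names[classify_overflow(STATIC_LOCALS, 8)]);
    printf("dynamic local overflow: %s\n", names[classify_overflow(DYNAMIC_ALLOC, 8)]);
    return 0;
}
```

In this model the statically-sized locals are covered by the guard, while the dynamic area reaches the saved registers with nothing in between, which is the gap the advisory describes.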
When the stack-protector detects an overflow, the default behavior is to terminate the application, resulting in a controlled loss of availability. However, due to this vulnerability, an attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control, potentially causing an uncontrolled loss of availability or affecting the confidentiality and integrity of the system (Meta Security).
A fix has been made available on GCC's mailing list. Organizations that distribute GCC or ARM64 binaries compiled with GCC are recommended to incorporate this fix. Note that the GCC project argues this is a missed hardening bug rather than a vulnerability by itself (NVD, Meta Security).
Source: This report was generated using AI