
Cloud Vulnerability DB
A community-led vulnerabilities database
A regression vulnerability was identified in cortex-m-rt versions 0.7.1 and 0.7.2, affecting stack alignment in Cortex-M targets. The issue was discovered in February 2023 and was assigned the identifier GHSA-xw5j-gv2g-mjm2. The vulnerability causes the stack to not maintain eight-byte alignment before calling the main function or other specified entrypoints, which violates the stack ABI of AAPCS32, the default ABI used by all Cortex-M targets (GitHub Advisory, RustSec Advisory).
The vulnerability stems from a violation of the AAPCS32 stack ABI requirements, specifically affecting stack alignment. The issue impacts all Cortex-M targets including thumbv6m-none-eabi, thumbv7m-none-eabi, thumbv7em-none-eabi, thumbv7em-none-eabihf, thumbv8m.base-none-eabi, thumbv8m.main-none-eabi, and thumbv8m.main-none-eabihf. The regression was introduced in version 0.7.1 and persisted through version 0.7.2. The severity is classified as Moderate (GitHub Discussion).
Compiler optimizations that assume eight-byte stack alignment can produce incorrect behavior at runtime when the stack is misaligned. This incorrect behavior has been observed in real-world applications, potentially affecting any firmware using the affected versions of cortex-m-rt. Users of probe-run v0.3.6 and earlier may also experience warning messages when stack unwinding goes past the main function (GitHub Discussion).
The issue has been patched in version 0.7.3 of cortex-m-rt. Users of versions 0.7.1 and 0.7.2 are strongly advised to update to version 0.7.3 or later as soon as possible. The update can be applied using the `cargo update` command or by manually editing the Cargo.toml file. After updating, all affected firmware binaries must be rebuilt and redeployed to affected devices (GitHub Discussion).
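One way to check whether a project still locks an affected release, as an added example that is not part of the advisory or the cortex-m-rt project: a std-only Rust scan of Cargo.lock text for cortex-m-rt 0.7.1 or 0.7.2. The function names and the sample lockfile are constructed for illustration.

```rust
/// Versions the advisory lists as affected.
const AFFECTED: [&str; 2] = ["0.7.1", "0.7.2"];

// Constructed sample lockfile, not taken from any real project.
const SAMPLE: &str = r#"
version = 3

[[package]]
name = "cortex-m"
version = "0.7.1"

[[package]]
name = "cortex-m-rt"
version = "0.7.2"
dependencies = [
 "cortex-m-rt-macros",
]

[[package]]
name = "cortex-m-rt-macros"
version = "0.7.0"
"#;

/// Return the quoted value of a `key = "value"` line when the key matches exactly.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start();
    let rest = rest.strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Return every affected cortex-m-rt version locked in `lockfile`.
/// This is a line scanner for Cargo.lock's layout, not a full TOML parser.
pub fn affected_versions(lockfile: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name: Option<&str> = None;
    for line in lockfile.lines() {
        if line.trim().starts_with('[') {
            name = None; // a new table header ends the current [[package]] entry
        } else if let Some(n) = quoted_value(line, "name") {
            name = Some(n);
        } else if let Some(v) = quoted_value(line, "version") {
            // Match the crate name exactly so cortex-m and cortex-m-rt-macros are ignored.
            if name == Some("cortex-m-rt") && AFFECTED.contains(&v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

fn main() {
    println!("affected cortex-m-rt versions: {:?}", affected_versions(SAMPLE));
}
```

A non-empty result means the lockfile needs the update to 0.7.3 or later, followed by a rebuild and redeploy of the firmware.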
The vulnerability was discovered by peter9477, with significant contributions from the Rust Embedded Matrix community. James Munns wrote the advisory and helped research the impact and solutions, while Dirbaio developed the fix. The community response was swift, leading to a coordinated disclosure and patch release (GitHub Discussion).
Source: This report was generated using AI