Sensitive Information in Resource Not Removed Before Reuse Affecting clang package, versions [0,]


Severity

medium

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.04% (11th percentile)

  • Snyk ID SNYK-UNMANAGED-CLANG-8322001
  • published 1 Nov 2024
  • disclosed 31 Oct 2024
  • credit Unknown

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Sensitive Information in Resource Not Removed Before Reuse due to the leakage from stack to floating-point registers during a Secure to Non-secure function call that returns a floating-point value. An attacker can read a limited quantity of Secure stack contents by exploiting this vulnerability.

Note:

This is only exploitable if the following conditions are met:

- The program runs in Secure state on a CPU that implements the Security Extension, also known as Arm TrustZone for Armv8-M.
- The program is built by an affected toolchain.
- The program is compiled to target the Armv8-M mainline architecture using -march=armv8-m.main, -mcpu=cortex-m33 or -mcpu=cortex-m35p. Code compiled for the Armv8.1-M mainline architecture is not affected. Note that it is the options given to the compiler that are important, not the CPU that the program runs on.
- The hard floating-point calling convention is used with the -mfloat-abi=hard option.
- The Secure state program is compiled with -mcmse.
- The Secure state program contains a function that makes a call via a function pointer to a Non-secure state function with the cmse_nonsecure_call attribute.
- The return type of the Non-secure state function is of floating-point type.
- None of the parameters of the Non-secure state function are of floating-point type.
- No floating-point instructions except for VLLDM and VLSTM are executed between the most recent entry to Secure state and the call to the Non-secure state function.
- The program contains at least one Secure state function with the following disassembly pattern:

// No floating-point instructions prior to here since entering Secure state.
// CONTROL_S.SFPA is 0.
vlstm
...
blxns
vmov   // or some other floating-point instruction, CONTROL_S.SFPA is now 1.
...
vlldm
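
One way to triage a Secure image for the disassembly pattern above, as an added example (not Snyk's or the toolchain's own code): a heuristic scan of a text disassembly listing that follows listing order, not control flow. It assumes the tab-separated line layout of `objdump -d`; the helper names and the sample listing are constructed, and a hit only marks a function for manual review against the other conditions.

```python
import re

# Constructed sample (objdump -d style, tab-separated); addresses, bytes and names are made up.
SAMPLE = "\n".join([
    "10000100 <call_ns_float>:",
    "10000102:\t0000 0000\tvlstm\tsp",
    "10000106:\t0000\tblxns\tr4",
    "10000108:\t0000 0000\tvmov\tr0, s0",
    "1000010c:\t0000 0000\tvlldm\tsp",
    "10000120 <call_ns_restored_first>:",
    "10000120:\t0000 0000\tvlstm\tsp",
    "10000124:\t0000\tblxns\tr4",
    "10000126:\t0000 0000\tvlldm\tsp",
    "1000012a:\t0000 0000\tvmov\tr0, s0",
])
FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")

def mnemonic(line):
    # 'addr:<TAB>bytes<TAB>mnemonic<TAB>operands' -> 'mnemonic' (suffix such as .f32 dropped)
    parts = line.split("\t")
    return parts[2].strip().lower().split(".")[0] if len(parts) >= 3 else None

def is_fp(op):
    # Heuristic: treat v-prefixed mnemonics other than vlstm/vlldm as FP instructions.
    return op.startswith("v") and op not in ("vlstm", "vlldm")

def find_candidates(disassembly):
    """Names of functions whose listing shows vlstm .. blxns .. FP insn .. vlldm."""
    hits, func, state = [], None, "start"
    for line in disassembly.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func, state = m.group(1), "start"
            continue
        op = mnemonic(line)
        if not op or func is None or state == "done":
            continue
        if op == "vlldm":
            state = "start"       # FP context restored before any further FP use
        elif state == "start" and is_fp(op):
            state = "done"        # FP already used in this function: outside the pattern
        elif state == "start" and op == "vlstm":
            state = "saved"
        elif state == "saved" and op == "blxns":
            state = "returned"
        elif state == "returned" and is_fp(op):
            hits.append(func)     # FP instruction between blxns and vlldm
            state = "done"
    return hits
```
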

CVSS Scores

version 4.0

Snyk

Recommended
6.3 medium
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): Present
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Confidentiality (VC): Low
  • Integrity (VI): None
  • Availability (VA): None
  • Confidentiality (SC): None
  • Integrity (SI): None
  • Availability (SA): None