A GCC -fstack-protector vulnerability on arm64
The GCC stack-protector feature detects stack-based buffer overruns by putting a canary value on the stack and noticing if that value is changed. It turns out, though, that dynamically allocated local variables (such as variable-length arrays and space obtained with alloca()) are placed beyond the canary, so overflows of those variables will not be detected. As a result, arm64 binaries built with vulnerable versions of GCC are not as protected as they should be and need to be rebuilt.
Dynamic allocations are just as susceptible to overflows as other locals. In fact, they're arguably more susceptible because they're almost always arrays, whereas fixed locals are often integers, pointers, or other types to which variable-length data is never written. GCC's own heuristics for when to use a stack guard reflect this.
Kees Cook, meanwhile, has pointed out that the kernel no longer uses variable-length arrays, so kernel builds should not be affected by this vulnerability.
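The two paragraphs above describe the pattern the stack protector misses (a local sized at run time) and the remedy the kernel adopted (no variable-length arrays at all). The following is an added example, not code from the article or from GCC, showing both side by side: a function with a caller-sized VLA, and the same function rewritten with a fixed-size local and an explicit bound check so that the buffer sits behind the canary. The function names, the `MAX_NAME` limit and the sample inputs are assumptions made for this illustration.

```c
/* Added example (not from the article). Shows the dynamic-allocation
 * pattern that an affected arm64 GCC leaves outside the canary, beside
 * the fixed-size replacement that the stack protector does cover.
 * Compile with "gcc -Wvla -Werror" to make any remaining VLA a build error. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64   /* assumed upper bound for this illustration */

/* Pattern to avoid: 'buf' is a VLA sized by caller input. On an affected
 * compiler a write past its end lands beyond the canary, so the protector
 * never sees it. Kept in-bounds here; it only shows the shape of the code. */
int copy_name_vla(char *out, size_t out_sz, const char *src, size_t n)
{
    char buf[n + 1];              /* variable-length array: not guarded */
    memcpy(buf, src, n);
    buf[n] = '\0';
    return snprintf(out, out_sz, "[%s]", buf);
}

/* Replacement: a fixed-size local lives behind the canary, and the size
 * check turns an oversized input into an error instead of an overflow.
 * Returns the formatted length, or -1 if 'n' exceeds MAX_NAME. */
int copy_name_fixed(char *out, size_t out_sz, const char *src, size_t n)
{
    char buf[MAX_NAME + 1];       /* fixed size: covered by the canary */
    if (n > MAX_NAME)
        return -1;                /* reject rather than allocate dynamically */
    memcpy(buf, src, n);
    buf[n] = '\0';
    return snprintf(out, out_sz, "[%s]", buf);
}

int main(void)
{
    char out[MAX_NAME + 8];
    const char *name = "arm64";   /* constructed sample input */

    printf("vla:   %d %s\n", copy_name_vla(out, sizeof out, name, strlen(name)), out);
    printf("fixed: %d %s\n", copy_name_fixed(out, sizeof out, name, strlen(name)), out);
    printf("fixed, oversized input: %d\n",
           copy_name_fixed(out, sizeof out, name, MAX_NAME + 1));
    return 0;
}
```

The rewrite trades a run-time-sized allocation for a compile-time bound and an explicit failure path; that is the same trade the kernel made when it removed its VLAs, and it is what lets `-fstack-protector` do its job regardless of which GCC version produced the binary.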