CVE-2024-40897: Vulnerability in Orc Compiler Opens Door to Code Execution Attacks
Security researchers have disclosed a critical vulnerability (CVE-2024-40897) in the Orc compiler, a widely used tool for compiling and executing simple data-array programs. The vulnerability, a stack-based buffer overflow, could enable attackers to execute arbitrary code with the same privileges as the compiler itself.
This vulnerability is of particular concern for developers and CI environments using the Orc compiler (orcc). Threat actors can exploit the flaw by crafting malicious Orc source files that, when compiled, trigger a buffer overflow, leading to potential code execution. This could compromise the integrity and security of the development environment or CI pipeline, potentially exposing sensitive data or enabling further attacks.
While the flaw does not directly impact users of the liborc runtime library, the potential for downstream effects is significant. A compromised development environment could lead to the creation of malicious binaries distributed to end-users.
The Orc project maintainers have released version 0.4.39, which addresses this vulnerability. Developers and organizations using Orc are strongly advised to update to this version immediately. Those using older branches should apply the available patches and recompile their codebase.
Highlights in version 0.4.39:
- Security: Fix error message printing buffer overflow leading to possible code execution in orcc with specific input files (CVE-2024-40897). This only affects developers and CI environments using orcc, not users of liborc.
- div255w: fix off-by-one error in the implementations
- x86: only run AVX detection if xgetbv is available
- x86: fix AVX detection by implementing the check recommended by Intel
- Only enable JIT compilation on Apple arm64 if running on macOS, fixes crashes on iOS
- Fix potential crash in emulation mode if logging is enabled
- Handle undefined TARGET_OS_OSX correctly
- orconce: Fix typo in GCC __sync-based implementation
- orconce: Fix usage of __STDC_NO_ATOMICS__
- Fix build with MSVC 17.10 + C11
- Support stack unwinding on Windows
- Major opcode and instruction set code clean-ups and refactoring
- Refactor allocation and chunk initialization of code regions
- Fall back to emulation on Linux if JIT support is not available (e.g. because of SELinux sandboxing or noexec mounting)
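The defect class behind the first highlight, an error-message routine that formats input-derived text into a fixed-size stack buffer, is illustrated below with an added example. This is hypothetical code written for this page, not Orc's source: the message text, the `ERRBUF_LEN` size and the function names are assumptions, and only the bounded variant should ever be given untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer an error-printing routine might use. */
#define ERRBUF_LEN 64

/* VULNERABLE shape (hypothetical, not Orc's code): the token taken from the
 * input file is formatted with sprintf(), which never checks the destination
 * size. A token longer than roughly ERRBUF_LEN bytes overruns the stack
 * buffer. Only call this with short, trusted tokens; it returns the length
 * sprintf() reports so the behaviour can be compared with the safe variant. */
int format_error_unsafe(int line, const char *token)
{
    char buf[ERRBUF_LEN];
    int n = sprintf(buf, "line %d: unknown opcode '%s'", line, token);
    fputs(buf, stderr);
    fputc('\n', stderr);
    return n;
}

/* HARDENED shape: snprintf() is bounded by outlen and returns the length the
 * full message would have needed, so the caller can detect truncation and the
 * input-derived token can never write past the buffer. Writes the (possibly
 * truncated) message to out; returns 1 if truncated, 0 if it fit, -1 on error. */
int format_error_safe(int line, const char *token, char *out, size_t outlen)
{
    int needed = snprintf(out, outlen, "line %d: unknown opcode '%s'", line, token);
    if (needed < 0) {
        if (outlen > 0) out[0] = '\0';
        return -1;
    }
    return (size_t)needed >= outlen;
}

int main(void)
{
    char out[ERRBUF_LEN];
    char longtok[300];                 /* constructed over-long token */
    memset(longtok, 'A', sizeof longtok - 1);
    longtok[sizeof longtok - 1] = '\0';

    format_error_unsafe(3, "addx");    /* short token: fits in the buffer */
    int truncated = format_error_safe(3, longtok, out, sizeof out);
    printf("truncated=%d message=\"%s\"\n", truncated, out);
    return 0;
}
```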