358 lines · plain
1========================================2LLVM Security Group Transparency Reports3========================================4 5This page lists the yearly LLVM Security Response group transparency reports.6 7The LLVM Security Response group started out as the LLVM security group, previous8year's transparency reports keep the original name.9 10Initially the Chromium issue tracker was used to record issues. This11component has been archived and is read-only. A GitHub12llvm/llvm-project issue has been created for each issue in the13Chromium issue tracker. All of these issues contain an attached PDF14with the content of the Chromium issue, and have the SecurityArchive15label.16 17Each Chromium issue has 3 URLs, the first is the original URL recorded in18previous transparency reports. The second is the redirect URL to the archive.19The third is to the GitHub archive issue.20 21202122----23 24The :doc:`LLVM security group <Security>` was established on the 10th of July252020 by the act of the `initial26commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing27the purpose of the group and the processes it follows. Many of the group's28processes were still not well-defined enough for the group to operate well.29Over the course of 2021, the key processes were defined well enough to enable30the group to operate reasonably well:31 32* We defined details on how to report security issues, see `this commit on33 20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_34* We refined the nomination process for new group members, see `this35 commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_36* We started writing an annual transparency report (you're reading the 202137 report here).38 39Over the course of 2021, we had 2 people leave the LLVM Security group and 440people join.41 42In 2021, the security group received 13 issue reports that were made publicly43visible before 31st of December 2021. The security group judged 2 of these44reports to be security issues:45 46* original: https://bugs.chromium.org/p/llvm/issues/detail?id=547 redirect: https://issuetracker.google.com/issues/42410043 archive:48 https://github.com/llvm/llvm-project/issues/12570949 50* original: https://bugs.chromium.org/p/llvm/issues/detail?id=1151 redirect: https://issuetracker.google.com/issues/42410002 archive:52 https://github.com/llvm/llvm-project/issues/12764453 54Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and55#11 in llvm-project. No dedicated LLVM release was made for either.56 57We believe that with the publishing of this first annual transparency report,58the security group now has implemented all necessary processes for the group to59operate as promised. The group's processes can be improved further, and we do60expect further improvements to get implemented in 2022. Many of the potential61improvements end up being discussed on the `monthly public call on LLVM's62security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.63 64 65202266----67 68In this section we report on the issues the group received in 2022, or on issues69that were received earlier, but were disclosed in 2022.70 71In 2022, the llvm security group received 15 issues that have been disclosed at72the time of writing this transparency report.73 745 of these were judged to be security issues:75 76* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in LLVM77 that can result in the frame pointer and return address being overwritten. This78 was fixed. Redirect: https://issuetracker.google.com/issues/42410008 archive:79 https://github.com/llvm/llvm-project/issues/12764580 81* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability in82 `std::filesystem::remove_all` in libc++. This was fixed.83 Redirect: https://issuetracker.google.com/issues/42410010 archive:84 https://github.com/llvm/llvm-project/issues/12764785 86* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre87 gadget variant that Speculative Load Hardening (SLH) does not mitigate. No88 extension to SLH was implemented to also mitigate against this variant.89 Redirect: https://issuetracker.google.com/issues/42410015 archive:90 https://github.com/llvm/llvm-project/issues/12764891 92* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory93 safety protection on the (C++) exception handling path. A number of fixes94 were implemented. Redirect: https://issuetracker.google.com/issues/4241002395 archive: https://github.com/llvm/llvm-project/issues/12764996 97* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED98 vulnerability. The outcome was clang growing a new security hardening feature99 `-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.100 Redirect: https://issuetracker.google.com/issues/42410026 archive:101 https://github.com/llvm/llvm-project/issues/127650102 103 104No dedicated LLVM releases were made for any of the above issues.105 1062023107----108 109In this section we report on the issues the group received in 2023, or on issues110that were received earlier, but were disclosed in 2023.111 1129 of these were judged to be security issues:113 114 * https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of115 .git folder in https://llvm.org/.git. Redirect:116 https://issuetracker.google.com/issues/42410029 archive:117 https://github.com/llvm/llvm-project/issues/131841118 119 * https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of a120 GitHub Personal Access token in a DockerHub imaage. Redirect121 https://issuetracker.google.com/issues/42410060 archive:122 https://github.com/llvm/llvm-project/issues/131846123 124 * https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap125 in the Armv8.1-m BTI protection, involving a combination of large switch statements126 and __builtin_unreachable() in the default case. Redirect:127 https://issuetracker.google.com/issues/42410035 archive:128 https://github.com/llvm/llvm-project/issues/131848129 130 * https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency131 on an old version of xml2js with a CVE filed against it. Redirect:132 https://issuetracker.google.com/issues/42410036 archive:133 https://github.com/llvm/llvm-project/issues/131849134 135 * https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of136 dependencies that have had vulnerabilities reported against them. Redirect:137 https://issuetracker.google.com/issues/42410038 archive:138 https://github.com/llvm/llvm-project/issues/131851139 140 * https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to141 issue 43. Redirect https://issuetracker.google.com/issues/42410039 archive:142 https://github.com/llvm/llvm-project/issues/131852143 144 * https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow in145 std::format from -fexperimental-library. Redirect:146 https://issuetracker.google.com/issues/42410041 archive:147 https://github.com/llvm/llvm-project/issues/131856148 149 * https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in150 basic_string move assignment when built with libc++ versions <=6.0 and run against151 newer libc++ shared/dylibs. Redirect:152 https://issuetracker.google.com/issues/42410047 archive:153 https://github.com/llvm/llvm-project/issues/131857154 155 * https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out156 of bounds buffer store introduced by LLVM backends, that regressed157 due to a procedural oversight. Redirect158 https://issuetracker.google.com/issues/42410049 archive:159 https://github.com/llvm/llvm-project/issues/131858160 161No dedicated LLVM releases were made for any of the above issues.162 163Over the course of 2023 we had one person join the LLVM Security Group.164 1652024166----167 168.. |br| raw:: html169 170 <br/>171 172 173Introduction174^^^^^^^^^^^^175 176In the first half of 2024, LLVM used the Chromium issue tracker to enable177reporting security issues responsibly. We switched over to using GitHub's178"privately reporting a security vulnerability" workflow in the middle of 2024.179 180In previous years, our transparency reports were shorter, since the full181discussion on a security ticket in the Chromium issue tracker is fully visible182once disclosed. This is not the case with issues using GitHub's security183advisory workflow, so instead we give a longer description in this transparency184report, to make the relevant information on the ticket publicly available.185 186This transparency report doesn't necessarily mention all issues that were deemed187duplicates of other issues, or tickets only created to test the bug tracking188system.189 190Security issues fixed under a coordinated disclosure process191^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^192 193This section lists the reported issues where we ended up implementing fixes194under a coordinated disclosure process. While we were still using the Chromium195issue tracker, we did not write security advisories for such issues. Since we196started using the GitHub issues tracker for security issues, we're now197publishing security advisories for those issues at198https://github.com/llvm/llvm-security-repo/security/advisories/.199 2001. “Unexpected behavior when using LTO and branch-protection together” |br|201 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58 |br|202 redirect: https://issuetracker.google.com/issues/42410051 |br|203 archive: https://github.com/llvm/llvm-project/issues/1321852042. “Security weakness in PCS for CMSE”205 (`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151>`_) |br|206 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68 |br|207 redirect: https://issuetracker.google.com/issues/42410062 |br|208 archive: https://github.com/llvm/llvm-project/issues/1321862093. “CMSE secure state may leak from stack to floating-point registers”210 (`CVE-2024-7883 <https://www.cve.org/cverecord?id=CVE-2024-7883>`_) |br|211 Details are available at212 `GHSA-wh65-j229-6wfp <https://github.com/llvm/llvm-security-repo/security/advisories/GHSA-wh65-j229-6wfp>`_213 214Supply chain security related issues and project services-related issues215^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^216 2171. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br|218 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71 |br|219 redirect: https://issuetracker.google.com/issues/42410066 |br|220 archive: https://github.com/llvm/llvm-project/issues/1321872212. “llvmbot account suspended due to suspicious login” |br|222 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72 |br|223 redirect: https://issuetracker.google.com/issues/42410067 |br|224 archive: https://github.com/llvm/llvm-project/issues/1322432253. “.git Exposure” |br|226 GHSA-mr8r-vvrc-w6rq |br|227 The .git directory was accessible via web browsers under apt.llvm.org, a site228 used to serve Debian/Ubuntu nightly packages. This issue has been addressed229 by removing the directory, and is not considered a security issue for the230 compiler. The .git directory was an artifact of the CI job that maintained231 the apt website, and was mirroring an open-source project maintained on232 github (under opencollab/llvm-jenkins.debian.net). The issue is not believed233 to have leaked any non-public information.2344. “llvm/llvm-project repo potentially vulnerable to GITHUB\_TOKEN leaks” |br|235 GHSA-f5xj-84f9-mrw6 |br|236 GitHub access tokens were being leaked in artifacts generated by GitHub237 Actions workflows. The vulnerability was first reported publicly as238 ArtiPACKED, generally applicable to GitHub projects, leading to an audit of239 LLVM projects and the reporting of this security issue. LLVM contributors240 audited the workflows, found that the “release-binaries” workflow was241 affected, but only exposed tokens that were ephemeral and read-only, so was242 not deemed a privilege escalation concern. The workflow was fixed in a243 configuration change as PR244 `106310 <https://github.com/llvm/llvm-project/pull/106310>`_. Older exposed245 tokens all expired, and the issue is closed as resolved.2465. “RCE in Buildkite Pipeline” |br|247 GHSA-2j6q-qcfm-3wcx |br|248 A Buildkite CI pipeline (llvm-project/rust-llvm-integrate-prototype) allowed249 Remote Code Execution on the CI runner. The pipeline automatically runs a250 test job when PRs are filed on the rust-lang/rust repo, but those PRs point251 to user-controlled branches that could be maliciously modified. A security252 researcher reported the issue, and demonstrated it by modifying build scripts253 to expose the CI runner's internal cloud service access tokens. The issue has254 been addressed with internal configuration changes by owners of the Buildkite255 pipeline.256 257Issues deemed to not require coordinated action before disclosing publicly258^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^259 2601. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br|261 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57 |br|262 redirect: https://issuetracker.google.com/issues/42410050 |br|263 archive: https://github.com/llvm/llvm-project/issues/1321912642. “Found exposed .svn folder” |br|265 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59 |br|266 redirect: https://issuetracker.google.com/issues/42410052267 archive: https://github.com/llvm/llvm-project/issues/1321922683. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_builtin\_setjmp/longjmp” |br|269 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60 |br|270 redirect: https://issuetracker.google.com/issues/42410054271 archive: https://github.com/llvm/llvm-project/issues/1322202724. “RISC-V: Constants are allocated in writeable .sdata section” |br|273 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61 |br|274 redirect: https://issuetracker.google.com/issues/42410055 |br|275 archive: https://github.com/llvm/llvm-project/issues/1322232765. “Manifest File with Out-of-Date Dependencies with CVEs” |br|277 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62 |br|278 redirect: https://issuetracker.google.com/issues/42410056 |br|279 archive: https://github.com/llvm/llvm-project/issues/1322252806. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br|281 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67 |br|282 redirect: https://issuetracker.google.com/issues/42410061 |br|283 archive: https://github.com/llvm/llvm-project/issues/1322262847. “Wrong assembly code generation. Branching to the corrupted "LR".” |br|285 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69 |br|286 redirect: https://issuetracker.google.com/issues/42410063 |br|287 archive: https://github.com/llvm/llvm-project/issues/1322292888. “Security bug report” |br|289 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70 |br|290 redirect: https://issuetracker.google.com/issues/42410065 |br|291 archive: https://github.com/llvm/llvm-project/issues/1322332929. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br|293 Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73 |br|294 redirect: https://issuetracker.google.com/issues/42410068 |br|295 archive: https://github.com/llvm/llvm-project/issues/13223529610. “Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br|297 GHSA-w7qc-292v-5xh6 |br|298 The issue reported is on a source code example having undefined behaviour299 (UB), somewhat similar to this: https://godbolt.org/z/vo4P7bPYr.300 Therefore, this issue was closed as not a security issue in the compiler. |br|301 As part of the analysis on this issue, it was deemed useful to document this302 example of UB and similar cases to help users of compilers understand how UB303 in source code can lead to security issues. |br|304 We concluded that probably the best option to do so is to create a regular305 public issue at https://github.com/llvm/llvm-project/issues, with the same306 title as the security issue, and to attach a PDF (which should easily be307 created using a “print-to-pdf” method in the browser) containing all308 comments. Such public tickets probably need some consistent way to indicate309 they come from security issues that after analysis were deemed to be outside310 the LLVM threat model or weren't accepted as a311 needs-resolution-work-in-private security issue for other reasons. The LLVM312 Security Response group has so far not taken action to progress this idea. |br|313 There was also a suggestion of potentially adding a short section in314 https://llsoftsec.github.io/llsoftsecbook/#compiler-introduced-security-vulnerabilities315 that summarizes a short example showing that type aliasing UB can and is316 causing security vulnerabilities.31711. “llvm-libc qsort can use very large amounts of stack if an attacker can control its input list” |br|318 GHSA-gw5j-473x-p29m |br|319 If the llvm-libc `qsort` function is used in a context where its input list320 comes from an attacker, then the attacker can craft a list that causes321 `qsort`'s stack usage to be linear in the size of the input array,322 potentially overflowing the available memory region for the stack. |br|323 After discussion with stakeholders, including maintainers for llvm-libc, the324 conclusion was that this doesn't have to be processed as a security issue325 needing coordinated disclosure. An improvement to `qsort`'s implementation326 was implemented through pull request327 https://github.com/llvm/llvm-project/pull/110849.32812. “VersionFromVCS.cmake may leak secrets in released builds” |br|329 GHSA-rcw6-jqvr-fcrx |br|330 The LLVM build system may leak secrets of VCS configuration into release331 builds if the user clones the repo with an https link that contains their332 username and/or password. |br|333 Mitigations were implemented in334 https://github.com/llvm/llvm-project/pull/105220,335 https://github.com/llvm/llvm-project/commit/57dc09341e5eef758b1abce78822c51069157869.336 An issue was raised to suggest one more mitigation to be implemented at337 https://github.com/llvm/llvm-project/issues/109030.338 339Invalid issues340^^^^^^^^^^^^^^341 342The LLVM security group received 5 issues which were created accidentally or343were not related to the LLVM project. The subject lines for these were:344 345* “Found this in my android”346* “\[Not a new security issue\] Continued discussion for GHSA-w7qc-292v-5xh6”347* “please delete it.”348* “Please help me to delete it.”349* “llvm code being used in malicious hacking of network and children's devices”350 351Furthermore, we had 2 tickets that were created to test the setup and workflow352as part of migrating to GitHub's “security advisory”-based reporting:353 3541. “Test if new draft security advisory gets emailed to LLVM security group” |br|355 GHSA-82m9-xvw3-rvpv3562. “Test that a non-admin can create an advisory (no vulnerability).” |br|357 GHSA-34gr-6c7h-cc93358