brintos

brintos / llvm-project-archived public Read only

0
0
Text · 19.0 KiB · b909278 Raw
358 lines · plain
1========================================2LLVM Security Group Transparency Reports3========================================4 5This page lists the yearly LLVM Security Response group transparency reports.6 7The LLVM Security Response group started out as the LLVM security group, previous8year's transparency reports keep the original name.9 10Initially the Chromium issue tracker was used to record issues. This11component has been archived and is read-only. A GitHub12llvm/llvm-project issue has been created for each issue in the13Chromium issue tracker. All of these issues contain an attached PDF14with the content of the Chromium issue, and have the SecurityArchive15label.16 17Each Chromium issue has 3 URLs, the first is the original URL recorded in18previous transparency reports. The second is the redirect URL to the archive.19The third is to the GitHub archive issue.20 21202122----23 24The :doc:`LLVM security group <Security>` was established on the 10th of July252020 by the act of the `initial26commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing27the purpose of the group and the processes it follows.  Many of the group's28processes were still not well-defined enough for the group to operate well.29Over the course of 2021, the key processes were defined well enough to enable30the group to operate reasonably well:31 32* We defined details on how to report security issues, see `this commit on33  20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_34* We refined the nomination process for new group members, see `this35  commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_36* We started writing an annual transparency report (you're reading the 202137  report here).38 39Over the course of 2021, we had 2 people leave the LLVM Security group and 440people join.41 42In 2021, the security group received 13 issue reports that were made publicly43visible before 31st of December 2021.  The security group judged 2 of these44reports to be security issues:45 46* original: https://bugs.chromium.org/p/llvm/issues/detail?id=547  redirect: https://issuetracker.google.com/issues/42410043 archive:48  https://github.com/llvm/llvm-project/issues/12570949 50* original: https://bugs.chromium.org/p/llvm/issues/detail?id=1151  redirect: https://issuetracker.google.com/issues/42410002 archive:52  https://github.com/llvm/llvm-project/issues/12764453 54Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and55#11 in llvm-project.  No dedicated LLVM release was made for either.56 57We believe that with the publishing of this first annual transparency report,58the security group now has implemented all necessary processes for the group to59operate as promised. The group's processes can be improved further, and we do60expect further improvements to get implemented in 2022. Many of the potential61improvements end up being discussed on the `monthly public call on LLVM's62security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.63 64 65202266----67 68In this section we report on the issues the group received in 2022, or on issues69that were received earlier, but were disclosed in 2022.70 71In 2022, the llvm security group received 15 issues that have been disclosed at72the time of writing this transparency report.73 745 of these were judged to be security issues:75 76* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in LLVM77  that can result in the frame pointer and return address being overwritten. This78  was fixed. Redirect: https://issuetracker.google.com/issues/42410008 archive:79  https://github.com/llvm/llvm-project/issues/12764580 81* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability in82  `std::filesystem::remove_all` in libc++. This was fixed.83  Redirect: https://issuetracker.google.com/issues/42410010 archive:84  https://github.com/llvm/llvm-project/issues/12764785 86* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre87  gadget variant that Speculative Load Hardening (SLH) does not mitigate. No88  extension to SLH was implemented to also mitigate against this variant.89  Redirect: https://issuetracker.google.com/issues/42410015 archive:90  https://github.com/llvm/llvm-project/issues/12764891 92* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory93  safety protection on the (C++) exception handling path. A number of fixes94  were implemented. Redirect: https://issuetracker.google.com/issues/4241002395  archive: https://github.com/llvm/llvm-project/issues/12764996 97* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED98  vulnerability. The outcome was clang growing a new security hardening feature99  `-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.100  Redirect: https://issuetracker.google.com/issues/42410026 archive:101  https://github.com/llvm/llvm-project/issues/127650102 103 104No dedicated LLVM releases were made for any of the above issues.105 1062023107----108 109In this section we report on the issues the group received in 2023, or on issues110that were received earlier, but were disclosed in 2023.111 1129 of these were judged to be security issues:113 114 * https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of115   .git folder in https://llvm.org/.git. Redirect:116   https://issuetracker.google.com/issues/42410029 archive:117   https://github.com/llvm/llvm-project/issues/131841118 119 * https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of a120   GitHub Personal Access token in a DockerHub imaage. Redirect121   https://issuetracker.google.com/issues/42410060 archive:122   https://github.com/llvm/llvm-project/issues/131846123 124 * https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap125   in the Armv8.1-m BTI protection, involving a combination of large switch statements126   and __builtin_unreachable() in the default case. Redirect:127   https://issuetracker.google.com/issues/42410035 archive:128   https://github.com/llvm/llvm-project/issues/131848129 130 * https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency131   on an old version of xml2js with a CVE filed against it. Redirect:132   https://issuetracker.google.com/issues/42410036 archive:133   https://github.com/llvm/llvm-project/issues/131849134 135 * https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of136   dependencies that have had vulnerabilities reported against them. Redirect:137   https://issuetracker.google.com/issues/42410038 archive:138   https://github.com/llvm/llvm-project/issues/131851139 140 * https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to141   issue 43. Redirect https://issuetracker.google.com/issues/42410039 archive:142   https://github.com/llvm/llvm-project/issues/131852143 144 * https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow in145   std::format from -fexperimental-library. Redirect:146   https://issuetracker.google.com/issues/42410041 archive:147   https://github.com/llvm/llvm-project/issues/131856148 149 * https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in150   basic_string move assignment when built with libc++ versions <=6.0 and run against151   newer libc++ shared/dylibs. Redirect:152   https://issuetracker.google.com/issues/42410047 archive:153   https://github.com/llvm/llvm-project/issues/131857154 155 * https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out156   of bounds buffer store introduced by LLVM backends, that regressed157   due to a procedural oversight. Redirect158   https://issuetracker.google.com/issues/42410049 archive:159   https://github.com/llvm/llvm-project/issues/131858160 161No dedicated LLVM releases were made for any of the above issues.162 163Over the course of 2023 we had one person join the LLVM Security Group.164 1652024166----167 168.. |br| raw:: html169 170  <br/>171 172 173Introduction174^^^^^^^^^^^^175 176In the first half of 2024, LLVM used the Chromium issue tracker to enable177reporting security issues responsibly. We switched over to using GitHub's178"privately reporting a security vulnerability" workflow in the middle of 2024.179 180In previous years, our transparency reports were shorter, since the full181discussion on a security ticket in the Chromium issue tracker is fully visible182once disclosed. This is not the case with issues using GitHub's security183advisory workflow, so instead we give a longer description in this transparency184report, to make the relevant information on the ticket publicly available.185 186This transparency report doesn't necessarily mention all issues that were deemed187duplicates of other issues, or tickets only created to test the bug tracking188system.189 190Security issues fixed under a coordinated disclosure process191^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^192 193This section lists the reported issues where we ended up implementing fixes194under a coordinated disclosure process. While we were still using the Chromium195issue tracker, we did not write security advisories for such issues. Since we196started using the GitHub issues tracker for security issues, we're now197publishing security advisories for those issues at198https://github.com/llvm/llvm-security-repo/security/advisories/.199 2001. “Unexpected behavior when using LTO and branch-protection together” |br|201   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58 |br|202   redirect: https://issuetracker.google.com/issues/42410051 |br|203   archive: https://github.com/llvm/llvm-project/issues/1321852042. “Security weakness in PCS for CMSE”205   (`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151>`_) |br|206   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68 |br|207   redirect: https://issuetracker.google.com/issues/42410062 |br|208   archive: https://github.com/llvm/llvm-project/issues/1321862093. “CMSE secure state may leak from stack to floating-point registers”210   (`CVE-2024-7883 <https://www.cve.org/cverecord?id=CVE-2024-7883>`_) |br|211   Details are available at212   `GHSA-wh65-j229-6wfp <https://github.com/llvm/llvm-security-repo/security/advisories/GHSA-wh65-j229-6wfp>`_213 214Supply chain security related issues and project services-related issues215^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^216 2171. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br|218   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71 |br|219   redirect: https://issuetracker.google.com/issues/42410066 |br|220   archive: https://github.com/llvm/llvm-project/issues/1321872212. “llvmbot account suspended due to suspicious login” |br|222   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72 |br|223   redirect: https://issuetracker.google.com/issues/42410067 |br|224   archive: https://github.com/llvm/llvm-project/issues/1322432253. “.git Exposure” |br|226   GHSA-mr8r-vvrc-w6rq |br|227   The .git directory was accessible via web browsers under apt.llvm.org, a site228   used to serve Debian/Ubuntu nightly packages. This issue has been addressed229   by removing the directory, and is not considered a security issue for the230   compiler. The .git directory was an artifact of the CI job that maintained231   the apt website, and was mirroring an open-source project maintained on232   github (under opencollab/llvm-jenkins.debian.net). The issue is not believed233   to have leaked any non-public information.2344. “llvm/llvm-project repo potentially vulnerable to GITHUB\_TOKEN leaks” |br|235   GHSA-f5xj-84f9-mrw6 |br|236   GitHub access tokens were being leaked in artifacts generated by GitHub237   Actions workflows. The vulnerability was first reported publicly as238   ArtiPACKED, generally applicable to GitHub projects, leading to an audit of239   LLVM projects and the reporting of this security issue. LLVM contributors240   audited the workflows, found that the “release-binaries” workflow was241   affected, but only exposed tokens that were ephemeral and read-only, so was242   not deemed a privilege escalation concern. The workflow was fixed in a243   configuration change as PR244   `106310 <https://github.com/llvm/llvm-project/pull/106310>`_. Older exposed245   tokens all expired, and the issue is closed as resolved.2465. “RCE in Buildkite Pipeline” |br|247   GHSA-2j6q-qcfm-3wcx |br|248   A Buildkite CI pipeline (llvm-project/rust-llvm-integrate-prototype) allowed249   Remote Code Execution on the CI runner. The pipeline automatically runs a250   test job when PRs are filed on the rust-lang/rust repo, but those PRs point251   to user-controlled branches that could be maliciously modified. A security252   researcher reported the issue, and demonstrated it by modifying build scripts253   to expose the CI runner's internal cloud service access tokens. The issue has254   been addressed with internal configuration changes by owners of the Buildkite255   pipeline.256 257Issues deemed to not require coordinated action before disclosing publicly258^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^259 2601. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br|261   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57 |br|262   redirect: https://issuetracker.google.com/issues/42410050 |br|263   archive: https://github.com/llvm/llvm-project/issues/1321912642. “Found exposed .svn folder” |br|265   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59 |br|266   redirect: https://issuetracker.google.com/issues/42410052267   archive: https://github.com/llvm/llvm-project/issues/1321922683. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_builtin\_setjmp/longjmp” |br|269   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60 |br|270   redirect: https://issuetracker.google.com/issues/42410054271   archive: https://github.com/llvm/llvm-project/issues/1322202724. “RISC-V: Constants are allocated in writeable .sdata section” |br|273   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61 |br|274   redirect: https://issuetracker.google.com/issues/42410055 |br|275   archive: https://github.com/llvm/llvm-project/issues/1322232765. “Manifest File with Out-of-Date Dependencies with CVEs” |br|277   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62 |br|278   redirect: https://issuetracker.google.com/issues/42410056 |br|279   archive: https://github.com/llvm/llvm-project/issues/1322252806. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br|281   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67 |br|282   redirect: https://issuetracker.google.com/issues/42410061 |br|283   archive: https://github.com/llvm/llvm-project/issues/1322262847. “Wrong assembly code generation. Branching to the corrupted "LR".” |br|285   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69 |br|286   redirect: https://issuetracker.google.com/issues/42410063 |br|287   archive: https://github.com/llvm/llvm-project/issues/1322292888. “Security bug report” |br|289   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70 |br|290   redirect: https://issuetracker.google.com/issues/42410065 |br|291   archive: https://github.com/llvm/llvm-project/issues/1322332929. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br|293   Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73 |br|294   redirect: https://issuetracker.google.com/issues/42410068 |br|295   archive: https://github.com/llvm/llvm-project/issues/13223529610. “Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br|297    GHSA-w7qc-292v-5xh6 |br|298    The issue reported is on a source code example having undefined behaviour299    (UB), somewhat similar to this: https://godbolt.org/z/vo4P7bPYr.300    Therefore, this issue was closed as not a security issue in the compiler. |br|301    As part of the analysis on this issue, it was deemed useful to document this302    example of UB and similar cases to help users of compilers understand how UB303    in source code can lead to security issues. |br|304    We concluded that probably the best option to do so is to create a regular305    public issue at https://github.com/llvm/llvm-project/issues, with the same306    title as the security issue, and to attach a PDF (which should easily be307    created using a “print-to-pdf” method in the browser) containing all308    comments. Such public tickets probably need some consistent way to indicate309    they come from security issues that after analysis were deemed to be outside310    the LLVM threat model or weren't accepted as a311    needs-resolution-work-in-private security issue for other reasons. The LLVM312    Security Response group has so far not taken action to progress this idea. |br|313    There was also a suggestion of potentially adding a short section in314    https://llsoftsec.github.io/llsoftsecbook/#compiler-introduced-security-vulnerabilities315    that summarizes a short example showing that type aliasing UB can and is316    causing security vulnerabilities.31711. “llvm-libc qsort can use very large amounts of stack if an attacker can control its input list” |br|318    GHSA-gw5j-473x-p29m |br|319    If the llvm-libc `qsort` function is used in a context where its input list320    comes from an attacker, then the attacker can craft a list that causes321    `qsort`'s stack usage to be linear in the size of the input array,322    potentially overflowing the available memory region for the stack. |br|323    After discussion with stakeholders, including maintainers for llvm-libc, the324    conclusion was that this doesn't have to be processed as a security issue325    needing coordinated disclosure. An improvement to `qsort`'s implementation326    was implemented through pull request327    https://github.com/llvm/llvm-project/pull/110849.32812. “VersionFromVCS.cmake may leak secrets in released builds” |br|329    GHSA-rcw6-jqvr-fcrx |br|330    The LLVM build system may leak secrets of VCS configuration into release331    builds if the user clones the repo with an https link that contains their332    username and/or password. |br|333    Mitigations were implemented in334    https://github.com/llvm/llvm-project/pull/105220,335    https://github.com/llvm/llvm-project/commit/57dc09341e5eef758b1abce78822c51069157869.336    An issue was raised to suggest one more mitigation to be implemented at337    https://github.com/llvm/llvm-project/issues/109030.338 339Invalid issues340^^^^^^^^^^^^^^341 342The LLVM security group received 5 issues which were created accidentally or343were not related to the LLVM project. The subject lines for these were:344 345* “Found this in my android”346* “\[Not a new security issue\] Continued discussion for GHSA-w7qc-292v-5xh6”347* “please delete it.”348* “Please help me to delete it.”349* “llvm code being used in malicious hacking of network and children's devices”350 351Furthermore, we had 2 tickets that were created to test the setup and workflow352as part of migrating to GitHub's “security advisory”-based reporting:353 3541. “Test if new draft security advisory gets emailed to LLVM security group” |br|355   GHSA-82m9-xvw3-rvpv3562. “Test that a non-admin can create an advisory (no vulnerability).” |br|357   GHSA-34gr-6c7h-cc93358