@@ -115,3 +115,171 @@ store introduced by LLVM backends, that regressed due to a procedural oversight.
115115No dedicated LLVM releases were made for any of the above issues.
116116
117117Over the course of 2023 we had one person join the LLVM Security Group.
118+
119+ 2024
120+ ----
121+
122+ .. |br | raw :: html
123+
124+ <br/>
125+
126+
127+ Introduction
128+ ^^^^^^^^^^^^
129+
130+ In the first half of 2024, LLVM used the Chromium issue tracker to enable
131+ reporting security issues responsibly. We switched over to using GitHub's
132+ "privately reporting a security vulnerability" workflow in the middle of 2024.
133+
134+ In previous years, our transparency reports were shorter, since the full
135+ discussion on a security ticket in the Chromium issue tracker is fully visible
136+ once disclosed. This is not the case with issues using GitHub's security
137+ advisory workflow, so instead we give a longer description in this transparency
138+ report, to make the relevant information on the ticket publicly available.
139+
140+ This transparency report doesn't necessarily mention all issues that were deemed
141+ duplicates of other issues, or tickets only created to test the bug tracking
142+ system.
143+
144+ Security issues fixed under a coordinated disclosure process
145+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
146+
147+ This section lists the reported issues where we ended up implementing fixes
148+ under a coordinated disclosure process. While we were still using the Chromium
149+ issue tracker, we did not write security advisories for such issues. Since we
150+ started using the GitHub issues tracker for security issues, we're now
151+ publishing security advisories for those issues at
152+ https://github.com/llvm/llvm-security-repo/security/advisories/.
153+
154+ 1. “Unexpected behavior when using LTO and branch-protection together” |br |
155+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58
156+ 2. “Security weakness in PCS for CMSE”
157+ (`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151 >`_) |br |
158+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68
159+ 3. “CMSE secure state may leak from stack to floating-point registers”
160+ (`CVE-2024-7883 <https://www.cve.org/cverecord?id=CVE-2024-7883 >`_) |br |
161+ Details are available at
162+ `GHSA-wh65-j229-6wfp <https://github.com/llvm/llvm-security-repo/security/advisories/GHSA-wh65-j229-6wfp >`_
163+
164+ Supply chain security related issues and project services-related issues
165+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
166+
167+ 1. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br |
168+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71
169+ 2. “llvmbot account suspended due to supicious login” |br |
170+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72
171+ 3. “.git Exposure” |br |
172+ GHSA-mr8r-vvrc-w6rq |br |
173+ The .git directory was accessible via web browsers under apt.llvm.org, a site
174+ used to serve Debian/Ubuntu nightly packages. This issue has been addressed
175+ by removing the directory, and is not considered a security issue for the
176+ compiler. The .git directory was an artifact of the CI job that maintained
177+ the apt website, and was mirroring an open-source project maintained on
178+ github (under opencollab/llvm-jenkins.debian.net). The issue is not believed
179+ to have leaked any non-public information.
180+ 4. “llvm/llvm-project repo potentially vulnerable to GITHUB\_ TOKEN leaks” |br |
181+ GHSA-f5xj-84f9-mrw6 |br |
182+ GitHub access tokens were being leaked in artifacts generated by GitHub
183+ Actions workflows. The vulnerability was first reported publicly as
184+ ArtiPACKED, generally applicable to GitHub projects, leading to an audit of
185+ LLVM projects and the reporting of this security issue. LLVM contributors
186+ audited the workflows, found that the “release-binaries” workflow was
187+ affected, but only exposed tokens that were ephemeral and read-only, so was
188+ not deemed a privilege escalation concern. The workflow was fixed in a
189+ configuration change as PR
190+ `106310 <https://github.com/llvm/llvm-project/pull/106310 >`_. Older exposed
191+ tokens all expired, and the issue is closed as resolved.
192+ 5. “RCE in Buildkite Pipeline” |br |
193+ GHSA-2j6q-qcfm-3wcx |br |
194+ A Buildkite CI pipeline (llvm-project/rust-llvm-integrate-prototype) allowed
195+ Remote Code Execution on the CI runner. The pipeline automatically runs a
196+ test job when PRs are filed on the rust-lang/rust repo, but those PRs point
197+ to user-controlled branches that could be maliciously modified. A security
198+ researcher reported the issue, and demonstrated it by modifying build scripts
199+ to expose the CI runner's internal cloud service access tokens. The issue has
200+ been addressed with internal configuration changes by owners of the Buildkite
201+ pipeline.
202+
203+ Issues deemed to not require coordinated action before disclosing publicly
204+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
205+
206+ 1. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br |
207+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57
208+ 2. “Found exposed .svn folder” |br |
209+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59
210+ 3. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_ builtin\_ setjmp/longjmp” |br |
211+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60
212+ 4. “RISC-V: Constants are allocated in writeable .sdata section” |br |
213+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61
214+ 5. “Manifest File with Out-of-Date Dependencies with CVEs” |br |
215+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62
216+ 6. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br |
217+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67
218+ 7. “Wrong assembly code generation. Branching to the corrupted "LR".” |br |
219+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69
220+ 8. “Security bug report” |br |
221+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70
222+ 9. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br |
223+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73
224+ 10. “Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br |
225+ GHSA-w7qc-292v-5xh6 |br |
226+ The issue reported is on a source code example having undefined behaviour
227+ (UB), somewhat similar to this: https://godbolt.org/z/vo4P7bPYr.
228+ Therefore, this issue was closed as not a security issue in the compiler. |br |
229+ As part of the analysis on this issue, it was deemed useful to document this
230+ example of UB and similar cases to help users of compilers understand how UB
231+ in source code can lead to security issues. |br |
232+ We concluded that probably the best option to do so is to create a regular
233+ public issue at https://github.com/llvm/llvm-project/issues, with the same
234+ title as the security issue, and to attach a PDF (which should easily be
235+ created using a “print-to-pdf” method in the browser) containing all
236+ comments. Such public tickets probably need some consistent way to indicate
237+ they come from security issues that after analysis were deemed to be outside
238+ the LLVM threat model or weren't accepted as a
239+ needs-resolution-work-in-private security issue for other reasons. The LLVM
240+ Security Response group has so far not taken action to progress this idea. |br |
241+ There was also a suggestion of potentially adding a short section in
242+ https://llsoftsec.github.io/llsoftsecbook/#compiler-introduced-security-vulnerabilities
243+ that summarizes a short example showing that type aliasing UB can and is
244+ causing security vulnerabilities.
245+ 11. “llvm-libc qsort can use very large amounts of stack if an attacker can control its input list” |br |
246+ GHSA-gw5j-473x-p29m |br |
247+ If the llvm-libc `qsort ` function is used in a context where its input list
248+ comes from an attacker, then the attacker can craft a list that causes
249+ `qsort `'s stack usage to be linear in the size of the input array,
250+ potentially overflowing the available memory region for the stack. |br |
251+ After discussion with stakeholders, including maintainers for llvm-libc, the
252+ conclusion was that this doesn't have to be processed as a security issue
253+ needing coordinated disclosure. An improvement to `qsort `'s implementation
254+ was implemented through pull request
255+ https://github.com/llvm/llvm-project/pull/110849.
256+ 12. “VersionFromVCS.cmake may leak secrets in released builds” |br |
257+ GHSA-rcw6-jqvr-fcrx |br |
258+ The LLVM build system may leak secrets of VCS configuration into release
259+ builds if the user clones the repo with an https link that contains their
260+ username and/or password. |br |
261+ Mitigations were implemented in
262+ https://github.com/llvm/llvm-project/pull/105220,
263+ https://github.com/llvm/llvm-project/commit/57dc09341e5eef758b1abce78822c51069157869.
264+ An issue was raised to suggest one more mitigation to be implemented at
265+ https://github.com/llvm/llvm-project/issues/109030.
266+
267+ Invalid issues
268+ ^^^^^^^^^^^^^^
269+
270+ The LLVM security group received 5 issues which were created accidentally or
271+ were not related to the LLVM project. The subject lines for these were:
272+
273+ * “Found this in my android”
274+ * “\[ Not a new security issue\] Continued discussion for GHSA-w7qc-292v-5xh6”
275+ * “please delete it.”
276+ * “Please help me to delete it.”
277+ * “llvm code being used in malicious hacking of network and children's devices”
278+
279+ Furthermore, we had 2 tickets that were created to test the setup and workflow
280+ as part of migrating to GitHub's “security advisory”-based reporting:
281+
282+ 1. “Test if new draft security advisory gets emailed to LLVM security group” |br |
283+ GHSA-82m9-xvw3-rvpv
284+ 2. “Test that a non-admin can create an advisory (no vulnerability).” |br |
285+ GHSA-34gr-6c7h-cc93
0 commit comments