79 lines
3.3 KiB
ReStructuredText
79 lines
3.3 KiB
ReStructuredText
========================================
|
|
LLVM Security Group Transparency Reports
|
|
========================================
|
|
|
|
This page lists the yearly LLVM Security group transparency reports.
|
|
|
|
2021
|
|
----
|
|
|
|
The :doc:`LLVM security group <Security>` was established on the 10th of July
|
|
2020 by the act of the `initial
|
|
commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing
|
|
the purpose of the group and the processes it follows. Many of the group's
|
|
processes were still not well-defined enough for the group to operate well.
|
|
Over the course of 2021, the key processes were defined well enough to enable
|
|
the group to operate reasonably well:
|
|
|
|
* We defined details on how to report security issues, see `this commit on
|
|
20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_
|
|
* We refined the nomination process for new group members, see `this
|
|
commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_
|
|
* We started writing an annual transparency report (you're reading the 2021
|
|
report here).
|
|
|
|
Over the course of 2021, we had 2 people leave the LLVM Security group and 4
|
|
people join.
|
|
|
|
In 2021, the security group received 13 issue reports that were made publicly
|
|
visible before 31st of December 2021. The security group judged 2 of these
|
|
reports to be security issues:
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=5
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=11
|
|
|
|
Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
|
|
#11 in llvm-project. No dedicated LLVM release was made for either.
|
|
|
|
We believe that with the publishing of this first annual transparency report,
|
|
the security group now has implemented all necessary processes for the group to
|
|
operate as promised. The group's processes can be improved further, and we do
|
|
expect further improvements to get implemented in 2022. Many of the potential
|
|
improvements end up being discussed on the `monthly public call on LLVM's
|
|
security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.
|
|
|
|
|
|
2022
|
|
----
|
|
|
|
In this section we report on the issues the group received in 2022, or on issues
|
|
that were received earlier, but were disclosed in 2022.
|
|
|
|
In 2022, the llvm security group received 15 issues that have been disclosed at
|
|
the time of writing this transparency report.
|
|
|
|
5 of these were judged to be security issues:
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in
|
|
LLVM that can result in the frame pointer and return address being
|
|
overwritten. This was fixed.
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability
|
|
in `std::filesystem::remove_all` in libc++. This was fixed.
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre
|
|
gadget variant that Speculative Load Hardening (SLH) does not mitigate. No
|
|
extension to SLH was implemented to also mitigate against this variant.
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory
|
|
safety protection on the (C++) exception handling path. A number of fixes
|
|
were implemented.
|
|
|
|
* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED
|
|
vulnerability. The outcome was clang growing a new security hardening feature
|
|
`-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.
|
|
|
|
|
|
No dedicated LLVM releases were made for any of the above issues.
|
|
|