[llvm] 3557621 - Add security group 2022 transparency report.

Kristof Beyls via llvm-commits llvm-commits at lists.llvm.org
Fri Jan 20 00:50:33 PST 2023 

Author: Kristof Beyls
Date: 2023-01-20T09:49:30+01:00
New Revision: 355762145328cea99a886dda964878f12fe37f6e

URL: https://github.com/llvm/llvm-project/commit/355762145328cea99a886dda964878f12fe37f6e
DIFF: https://github.com/llvm/llvm-project/commit/355762145328cea99a886dda964878f12fe37f6e.diff

LOG: Add security group 2022 transparency report.

Added: 
    

Modified: 
    llvm/docs/SecurityTransparencyReports.rst

Removed: 
    


################################################################################
diff  --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index bcc28d8a9624f..a857e676880f8 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -42,3 +42,37 @@ expect further improvements to get implemented in 2022. Many of the potential
 improvements end up being discussed on the `monthly public call on LLVM's
 security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.
 
+
+2022
+----
+
+In this section we report on the issues the group received in 2022, or on issues
+that were received earlier, but were disclosed in 2022.
+
+In 2022, the llvm security group received 15 issues that have been disclosed at
+the time of writing this transparency report.
+
+5 of these were judged to be security issues:
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in
+  LLVM that can result in the frame pointer and return address being
+  overwritten. This was fixed.
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability
+  in `std::filesystem::remove_all` in libc++. This was fixed.
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre
+  gadget variant that Speculative Load Hardening (SLH) does not mitigate. No
+  extension to SLH was implemented to also mitigate against this variant.
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory
+  safety protection on the (C++) exception handling path. A number of fixes
+  were implemented.
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED
+  vulnerability. The outcome was clang growing a new security hardening feature
+  `-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.
+
+
+No dedicated LLVM releases were made for any of the above issues.
+

More information about the llvm-commits mailing list