diff -Nru llvm-toolchain-13-13.0.1/debian/changelog llvm-toolchain-13-13.0.1/debian/changelog --- llvm-toolchain-13-13.0.1/debian/changelog 2022-05-31 08:35:52.000000000 +0000 +++ llvm-toolchain-13-13.0.1/debian/changelog 2023-07-14 04:46:26.000000000 +0000 @@ -1,3 +1,21 @@ +llvm-toolchain-13 (1:13.0.1-2ubuntu2.2) jammy-security; urgency=medium + + * SECURITY UPDATE: canonicalize pass crashed with segmentation fault + - debian/patches/CVE-2023-29932.patch: Use default attributes for + intrinsics + - CVE-2023-29932 + * SECURITY UPDATE: convert-scf-to-spirv Pass crashed with segmentation + fault + - debian/patches/CVE-2023-29934.patch: Account for type conversion + failures in scf-to-spirv + - CVE-2023-29934 + * SECURITY UPDATE: spirv-lower-abi-attrs crashes with segmentation faults + - debian/patches/CVE-2023-29939.patch: Fix crash in + spirv-lower-abi-attributes when the are no SPIR-V env attributes + - CVE-2023-29939 + + -- Nishit Majithia Fri, 14 Jul 2023 10:16:26 +0530 + llvm-toolchain-13 (1:13.0.1-2ubuntu2.1) jammy; urgency=medium * Backport D115098 for Rust 1.59 (LP: #1973037) diff -Nru llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29932.patch llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29932.patch --- llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29932.patch 1970-01-01 00:00:00.000000000 +0000 +++ llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29932.patch 2023-07-14 04:22:36.000000000 +0000 @@ -0,0 +1,187 @@ +[Ubuntu note: backport this patch according to this llvm release] +From d35fcf0e97e7bb02381506a71e61ec282b292c50 Mon Sep 17 00:00:00 2001 +From: Nikita Popov +Date: Mon, 7 Nov 2022 15:50:05 +0100 +Subject: [PATCH] [WebAssembly] Use default attributes for intrinsics + +This switches wasm intrinsics to use default attributes, +i.e. nofree, nosync, nocallback and willreturn. Especially +willreturn will be required to avoid optimization regressions +in the future. + +The attributes are omitted from the trapping fptoi intrinsics +(where I assume trapping is considered well-defined, and as such +these aren't willreturn), the throw/rethrow intrinsics (which +will unwind) and the atomic intrinsics (which aren't nosync). + +Differential Revision: https://reviews.llvm.org/D137551 +--- + llvm/include/llvm/IR/IntrinsicsWebAssembly.td | 335 +++++++++--------- + .../CodeGen/WebAssembly/lower-wasm-ehsjlj.ll | 2 +- + 2 files changed, 173 insertions(+), 164 deletions(-) + +--- llvm-toolchain-13-13.0.1.orig/llvm/include/llvm/IR/IntrinsicsWebAssembly.td ++++ llvm-toolchain-13-13.0.1/llvm/include/llvm/IR/IntrinsicsWebAssembly.td +@@ -16,10 +16,10 @@ let TargetPrefix = "wasm" in { // All i + // Query the current memory size, and increase the current memory size. + // Note that memory.size is not IntrNoMem because it must be sequenced with + // respect to memory.grow calls. +-def int_wasm_memory_size : Intrinsic<[llvm_anyint_ty], ++def int_wasm_memory_size : DefaultAttrsIntrinsic<[llvm_anyint_ty], + [llvm_i32_ty], + [IntrReadMem]>; +-def int_wasm_memory_grow : Intrinsic<[llvm_anyint_ty], ++def int_wasm_memory_grow : DefaultAttrsIntrinsic<[llvm_anyint_ty], + [llvm_i32_ty, LLVMMatchType<0>], + []>; + +@@ -38,10 +38,10 @@ def int_wasm_trunc_unsigned : Intrinsic< + // Saturating float-to-int conversions + //===----------------------------------------------------------------------===// + +-def int_wasm_trunc_saturate_signed : Intrinsic<[llvm_anyint_ty], ++def int_wasm_trunc_saturate_signed : DefaultAttrsIntrinsic<[llvm_anyint_ty], + [llvm_anyfloat_ty], + [IntrNoMem, IntrSpeculatable]>; +-def int_wasm_trunc_saturate_unsigned : Intrinsic<[llvm_anyint_ty], ++def int_wasm_trunc_saturate_unsigned : DefaultAttrsIntrinsic<[llvm_anyint_ty], + [llvm_anyfloat_ty], + [IntrNoMem, IntrSpeculatable]>; + +@@ -57,25 +57,25 @@ def int_wasm_rethrow : Intrinsic<[], [], + + // Since wasm does not use landingpad instructions, these instructions return + // exception pointer and selector values until we lower them in WasmEHPrepare. +-def int_wasm_get_exception : Intrinsic<[llvm_ptr_ty], [llvm_token_ty], ++def int_wasm_get_exception : DefaultAttrsIntrinsic<[llvm_ptr_ty], [llvm_token_ty], + [IntrHasSideEffects]>; +-def int_wasm_get_ehselector : Intrinsic<[llvm_i32_ty], [llvm_token_ty], ++def int_wasm_get_ehselector : DefaultAttrsIntrinsic<[llvm_i32_ty], [llvm_token_ty], + [IntrHasSideEffects]>; + + // wasm.catch returns the pointer to the exception object caught by wasm 'catch' + // instruction. This returns a single pointer, which is sufficient for C++ + // support. The immediate argument is an index to for a tag, which is 0 for C++. +-def int_wasm_catch : Intrinsic<[llvm_ptr_ty], [llvm_i32_ty], ++def int_wasm_catch : DefaultAttrsIntrinsic<[llvm_ptr_ty], [llvm_i32_ty], + [IntrHasSideEffects, ImmArg>]>; + + // WebAssembly EH must maintain the landingpads in the order assigned to them + // by WasmEHPrepare pass to generate landingpad table in EHStreamer. This is + // used in order to give them the indices in WasmEHPrepare. +-def int_wasm_landingpad_index: Intrinsic<[], [llvm_token_ty, llvm_i32_ty], ++def int_wasm_landingpad_index: DefaultAttrsIntrinsic<[], [llvm_token_ty, llvm_i32_ty], + [IntrNoMem, ImmArg>]>; + + // Returns LSDA address of the current function. +-def int_wasm_lsda : Intrinsic<[llvm_ptr_ty], [], [IntrNoMem]>; ++def int_wasm_lsda : DefaultAttrsIntrinsic<[llvm_ptr_ty], [], [IntrNoMem]>; + + //===----------------------------------------------------------------------===// + // Atomic intrinsics +@@ -105,69 +105,69 @@ def int_wasm_memory_atomic_notify: + //===----------------------------------------------------------------------===// + + def int_wasm_swizzle : +- Intrinsic<[llvm_v16i8_ty], ++ DefaultAttrsIntrinsic<[llvm_v16i8_ty], + [llvm_v16i8_ty, llvm_v16i8_ty], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_shuffle : +- Intrinsic<[llvm_v16i8_ty], ++ DefaultAttrsIntrinsic<[llvm_v16i8_ty], + [llvm_v16i8_ty, llvm_v16i8_ty, llvm_i32_ty, llvm_i32_ty, + llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, + llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, + llvm_i32_ty, llvm_i32_ty, llvm_i32_ty, llvm_i32_ty], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_sub_sat_signed : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMMatchType<0>, LLVMMatchType<0>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_sub_sat_unsigned : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMMatchType<0>, LLVMMatchType<0>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_avgr_unsigned : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMMatchType<0>, LLVMMatchType<0>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_bitselect : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMMatchType<0>, LLVMMatchType<0>, LLVMMatchType<0>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_anytrue : +- Intrinsic<[llvm_i32_ty], ++ DefaultAttrsIntrinsic<[llvm_i32_ty], + [llvm_anyvector_ty], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_alltrue : +- Intrinsic<[llvm_i32_ty], ++ DefaultAttrsIntrinsic<[llvm_i32_ty], + [llvm_anyvector_ty], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_bitmask : +- Intrinsic<[llvm_i32_ty], ++ DefaultAttrsIntrinsic<[llvm_i32_ty], + [llvm_anyvector_ty], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_dot : +- Intrinsic<[llvm_v4i32_ty], ++ DefaultAttrsIntrinsic<[llvm_v4i32_ty], + [llvm_v8i16_ty, llvm_v8i16_ty], + [IntrNoMem, IntrSpeculatable]>; + + def int_wasm_narrow_signed : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [llvm_anyvector_ty, LLVMMatchType<1>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_narrow_unsigned : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [llvm_anyvector_ty, LLVMMatchType<1>], + [IntrNoMem, IntrSpeculatable]>; + + def int_wasm_q15mulr_sat_signed : +- Intrinsic<[llvm_v8i16_ty], ++ DefaultAttrsIntrinsic<[llvm_v8i16_ty], + [llvm_v8i16_ty, llvm_v8i16_ty], + [IntrNoMem, IntrSpeculatable]>; + + def int_wasm_extadd_pairwise_signed : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMSubdivide2VectorType<0>], + [IntrNoMem, IntrSpeculatable]>; + def int_wasm_extadd_pairwise_unsigned : +- Intrinsic<[llvm_anyvector_ty], ++ DefaultAttrsIntrinsic<[llvm_anyvector_ty], + [LLVMSubdivide2VectorType<0>], + [IntrNoMem, IntrSpeculatable]>; + +@@ -176,17 +176,17 @@ def int_wasm_extadd_pairwise_unsigned : + //===----------------------------------------------------------------------===// + + def int_wasm_tls_size : +- Intrinsic<[llvm_anyint_ty], ++ DefaultAttrsIntrinsic<[llvm_anyint_ty], + [], + [IntrNoMem, IntrSpeculatable]>; + + def int_wasm_tls_align : +- Intrinsic<[llvm_anyint_ty], ++ DefaultAttrsIntrinsic<[llvm_anyint_ty], + [], + [IntrNoMem, IntrSpeculatable]>; + + def int_wasm_tls_base : +- Intrinsic<[llvm_ptr_ty], ++ DefaultAttrsIntrinsic<[llvm_ptr_ty], + [], + [IntrReadMem]>; + diff -Nru llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29934.patch llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29934.patch --- llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29934.patch 1970-01-01 00:00:00.000000000 +0000 +++ llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29934.patch 2023-07-14 04:46:26.000000000 +0000 @@ -0,0 +1,58 @@ +From 80d5400d924e543c5420f4e924f5818313605e99 Mon Sep 17 00:00:00 2001 +From: Jakub Kuderski +Date: Mon, 9 Jan 2023 11:35:46 -0500 +Subject: [PATCH] [mlir][spirv] Account for type conversion failures in + scf-to-spirv + +Fixes: https://github.com/llvm/llvm-project/issues/59136 + +Reviewed By: antiagainst + +Differential Revision: https://reviews.llvm.org/D141292 +--- + mlir/lib/Conversion/SCFToSPIRV/SCFToSPIRV.cpp | 5 +++++ + mlir/test/Conversion/SCFToSPIRV/if.mlir | 14 ++++++++++++++ + 2 files changed, 19 insertions(+) + +--- llvm-toolchain-13-13.0.1.orig/mlir/lib/Conversion/SCFToSPIRV/SCFToSPIRV.cpp ++++ llvm-toolchain-13-13.0.1/mlir/lib/Conversion/SCFToSPIRV/SCFToSPIRV.cpp +@@ -17,6 +17,7 @@ + #include "mlir/Dialect/SPIRV/Transforms/SPIRVConversion.h" + #include "mlir/IR/BuiltinOps.h" + #include "mlir/Transforms/DialectConversion.h" ++#include "llvm/Support/FormatVariadic.h" + + using namespace mlir; + +@@ -274,6 +275,10 @@ IfOpConversion::matchAndRewrite(scf::IfO + SmallVector returnTypes; + for (auto result : ifOp.results()) { + auto convertedType = typeConverter.convertType(result.getType()); ++ if (!convertedType) ++ return failure(); ++ ++ + returnTypes.push_back(convertedType); + } + replaceSCFOutputValue(ifOp, selectionOp, rewriter, scfToSPIRVContext, +--- llvm-toolchain-13-13.0.1.orig/mlir/test/Conversion/SCFToSPIRV/if.mlir ++++ llvm-toolchain-13-13.0.1/mlir/test/Conversion/SCFToSPIRV/if.mlir +@@ -153,4 +153,18 @@ func @simple_if_yield_type_change(%arg2 + return + } + ++// Memrefs without a spirv storage class are not supported. The conversion ++// should preserve the `scf.if` and not crash. ++func.func @unsupported_yield_type(%arg0 : memref<8xi32>, %arg1 : memref<8xi32>, %c : i1) { ++// CHECK-LABEL: @unsupported_yield_type ++// CHECK-NEXT: scf.if ++// CHECK: spirv.Return ++ %r = scf.if %c -> (memref<8xi32>) { ++ scf.yield %arg0 : memref<8xi32> ++ } else { ++ scf.yield %arg1 : memref<8xi32> ++ } ++ return ++} ++ + } // end module diff -Nru llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29939.patch llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29939.patch --- llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29939.patch 1970-01-01 00:00:00.000000000 +0000 +++ llvm-toolchain-13-13.0.1/debian/patches/CVE-2023-29939.patch 2023-07-14 04:44:07.000000000 +0000 @@ -0,0 +1,46 @@ +From 466aa585c6dfb096bf9a7ad9bcbc6ce8cc7abff1 Mon Sep 17 00:00:00 2001 +From: Jakub Kuderski +Date: Fri, 13 Jan 2023 10:55:04 -0500 +Subject: [PATCH] [mlir][spirv] Fix crash in spirv-lower-abi-attributes + +... when the are no SPIR-V env attributes. + +Fixes: https://github.com/llvm/llvm-project/issues/59983 + +Reviewed By: antiagainst + +Differential Revision: https://reviews.llvm.org/D141695 +--- + .../SPIRV/Transforms/LowerABIAttributesPass.cpp | 7 ++++++- + mlir/test/Dialect/SPIRV/Transforms/abi-interface.mlir | 10 +++++++++- + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- llvm-toolchain-13-13.0.1.orig/mlir/lib/Dialect/SPIRV/Transforms/LowerABIAttributesPass.cpp ++++ llvm-toolchain-13-13.0.1/mlir/lib/Dialect/SPIRV/Transforms/LowerABIAttributesPass.cpp +@@ -233,7 +233,12 @@ void LowerABIAttributesPass::runOnOperat + spirv::ModuleOp module = getOperation(); + MLIRContext *context = &getContext(); + +- spirv::TargetEnv targetEnv(spirv::lookupTargetEnv(module)); ++ spirv::TargetEnvAttr targetEnvAttr = spirv::lookupTargetEnv(module); ++ if (!targetEnvAttr) { ++ module->emitOpError("missing SPIR-V target env attribute"); ++ return signalPassFailure(); ++ } ++ spirv::TargetEnv targetEnv(targetEnvAttr); + + SPIRVTypeConverter typeConverter(targetEnv); + +--- llvm-toolchain-13-13.0.1.orig/mlir/test/Dialect/SPIRV/Transforms/abi-interface.mlir ++++ llvm-toolchain-13-13.0.1/mlir/test/Dialect/SPIRV/Transforms/abi-interface.mlir +@@ -29,3 +29,10 @@ spv.module Logical GLSL450 { + } // end spv.module + + } // end module ++ ++// ----- ++ ++module { ++// expected-error@+1 {{'spirv.module' op missing SPIR-V target env attribute}} ++spirv.module Logical GLSL450 {} ++} // end module diff -Nru llvm-toolchain-13-13.0.1/debian/patches/series llvm-toolchain-13-13.0.1/debian/patches/series --- llvm-toolchain-13-13.0.1/debian/patches/series 2022-05-31 08:11:23.000000000 +0000 +++ llvm-toolchain-13-13.0.1/debian/patches/series 2023-07-14 04:41:58.000000000 +0000 @@ -159,3 +159,6 @@ llvm-objcopy-COFF-Consider-section-flags-when-adding.patch yaml2obj-COFF-Allow-variable-number-of-directories.patch llvm-objcopy-COFF-Fix-test-for-debug-dir-presence.patch +CVE-2023-29932.patch +CVE-2023-29934.patch +CVE-2023-29939.patch