Re: [OE-core] [kirkstone][PATCH] llvm: Fix CVE-2024-31852

Tue, 30 Jul 2024 06:38:57 -0700 

On Tue, Jul 30, 2024 at 5:15 AM Hemraj, Deepthi via
lists.openembedded.org
<Deepthi.Hemraj=windriver....@lists.openembedded.org> wrote:
>
> From: Deepthi Hemraj <deepthi.hem...@windriver.com>
>
> Signed-off-by: Deepthi Hemraj <deepthi.hem...@windriver.com>
> ---
>  .../llvm/0008-llvm-Fix-CVE-2024-31852-1.patch |  85 +++++++++++++
>  .../llvm/0009-llvm-Fix-CVE-2024-31852-2.patch | 117 ++++++++++++++++++
>  meta/recipes-devtools/llvm/llvm_git.bb        |   2 +
>  3 files changed, 204 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/llvm/llvm/0008-llvm-Fix-CVE-2024-31852-1.patch
>  create mode 100644 
> meta/recipes-devtools/llvm/llvm/0009-llvm-Fix-CVE-2024-31852-2.patch

Preferred filenames would be just CVE-2024-31852-1.patch and
CVE-2024-31852-2.patch

No need to send a V2 as I've fixed this on my end.

Thanks!

Steve

>
> diff --git 
> a/meta/recipes-devtools/llvm/llvm/0008-llvm-Fix-CVE-2024-31852-1.patch 
> b/meta/recipes-devtools/llvm/llvm/0008-llvm-Fix-CVE-2024-31852-1.patch
> new file mode 100644
> index 0000000000..7cf4a52715
> --- /dev/null
> +++ b/meta/recipes-devtools/llvm/llvm/0008-llvm-Fix-CVE-2024-31852-1.patch
> @@ -0,0 +1,85 @@
> +commit b1a5ee1febd8a903cec3dfdad61d57900dc3823e
> +Author: Florian Hahn <f...@fhahn.com>
> +Date:   Wed Dec 20 16:56:15 2023 +0100
> +
> +    [ARM] Check all terms in emitPopInst when clearing Restored for LR. 
> (#75527)
> +
> +    emitPopInst checks a single function exit MBB. If other paths also exit
> +    the function and any of there terminators uses LR implicitly, it is not
> +    save to clear the Restored bit.
> +
> +    Check all terminators for the function before clearing Restored.
> +
> +    This fixes a mis-compile in outlined-fn-may-clobber-lr-in-caller.ll
> +    where the machine-outliner previously introduced BLs that clobbered LR
> +    which in turn is used by the tail call return.
> +
> +    Alternative to #73553
> +
> +Upstream-Status: Backport 
> [https://github.com/llvm/llvm-project/commit/b1a5ee1febd8a903cec3dfdad61d57900dc3823e]
> +CVE: CVE-2024-31852
> +Signed-off-by: Deepthi Hemraj <deepthi.hem...@windriver.com>
> +---
> +diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp 
> b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> +index 025e43444f9c..a9acf338ebf5 100644
> +--- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> ++++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> +@@ -1236,9 +1236,6 @@ void ARMFrameLowering::emitPopInst(MachineBasicBlock 
> &MBB,
> +         // Fold the return instruction into the LDM.
> +         DeleteRet = true;
> +         LdmOpc = AFI->isThumbFunction() ? ARM::t2LDMIA_RET : ARM::LDMIA_RET;
> +-        // We 'restore' LR into PC so it is not live out of the return 
> block:
> +-        // Clear Restored bit.
> +-        Info.setRestored(false);
> +       }
> +
> +       // If NoGap is true, pop consecutive registers and then leave the rest
> +@@ -2292,6 +2289,33 @@ void 
> ARMFrameLowering::determineCalleeSaves(MachineFunction &MF,
> +   AFI->setLRIsSpilled(SavedRegs.test(ARM::LR));
> + }
> +
> ++void ARMFrameLowering::processFunctionBeforeFrameFinalized(
> ++    MachineFunction &MF, RegScavenger *RS) const {
> ++  TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
> ++
> ++  MachineFrameInfo &MFI = MF.getFrameInfo();
> ++  if (!MFI.isCalleeSavedInfoValid())
> ++    return;
> ++
> ++  // Check if all terminators do not implicitly use LR. Then we can 
> 'restore' LR
> ++  // into PC so it is not live out of the return block: Clear the Restored 
> bit
> ++  // in that case.
> ++  for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) {
> ++    if (Info.getReg() != ARM::LR)
> ++      continue;
> ++    if (all_of(MF, [](const MachineBasicBlock &MBB) {
> ++          return all_of(MBB.terminators(), [](const MachineInstr &Term) {
> ++            return !Term.isReturn() || Term.getOpcode() == ARM::LDMIA_RET ||
> ++                   Term.getOpcode() == ARM::t2LDMIA_RET ||
> ++                   Term.getOpcode() == ARM::tPOP_RET;
> ++          });
> ++        })) {
> ++      Info.setRestored(false);
> ++      break;
> ++    }
> ++  }
> ++}
> ++
> + void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF,
> +                                       BitVector &SavedRegs) const {
> +   TargetFrameLowering::getCalleeSaves(MF, SavedRegs);
> +diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h 
> b/llvm/lib/Target/ARM/ARMFrameLowering.h
> +index 9822e2321bb4..266d642bb97b 100644
> +--- a/llvm/lib/Target/ARM/ARMFrameLowering.h
> ++++ b/llvm/lib/Target/ARM/ARMFrameLowering.h
> +@@ -58,6 +58,9 @@ public:
> +   void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs,
> +                             RegScavenger *RS) const override;
> +
> ++  void processFunctionBeforeFrameFinalized(
> ++                 MachineFunction &MF, RegScavenger *RS = nullptr) const 
> override;
> ++
> +   void adjustForSegmentedStacks(MachineFunction &MF,
> +                                 MachineBasicBlock &MBB) const override;
> +
> +
> diff --git 
> a/meta/recipes-devtools/llvm/llvm/0009-llvm-Fix-CVE-2024-31852-2.patch 
> b/meta/recipes-devtools/llvm/llvm/0009-llvm-Fix-CVE-2024-31852-2.patch
> new file mode 100644
> index 0000000000..b6082b0ef3
> --- /dev/null
> +++ b/meta/recipes-devtools/llvm/llvm/0009-llvm-Fix-CVE-2024-31852-2.patch
> @@ -0,0 +1,117 @@
> +commit 0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2
> +Author: ostannard <oliver.stann...@arm.com>
> +Date:   Mon Feb 26 12:23:25 2024 +0000
> +
> +    [ARM] Update IsRestored for LR based on all returns (#82745)
> +
> +    PR #75527 fixed ARMFrameLowering to set the IsRestored flag for LR based
> +    on all of the return instructions in the function, not just one.
> +    However, there is also code in ARMLoadStoreOptimizer which changes
> +    return instructions, but it set IsRestored based on the one instruction
> +    it changed, not the whole function.
> +
> +    The fix is to factor out the code added in #75527, and also call it from
> +    ARMLoadStoreOptimizer if it made a change to return instructions.
> +
> +    Fixes #80287.
> +
> +    (cherry picked from commit 749384c08e042739342c88b521c8ba5dac1b9276)
> +
> +Upstream-Status: Backport 
> [https://github.com/llvm/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2]
> +CVE: CVE-2024-31852
> +Signed-off-by: Deepthi Hemraj <deepthi.hem...@windriver.com>
> +---
> +diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp 
> b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> +index a9acf338ebf5..13d3cbf650ed 100644
> +--- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> ++++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp
> +@@ -2289,10 +2289,7 @@ void 
> ARMFrameLowering::determineCalleeSaves(MachineFunction &MF,
> +   AFI->setLRIsSpilled(SavedRegs.test(ARM::LR));
> + }
> +
> +-void ARMFrameLowering::processFunctionBeforeFrameFinalized(
> +-    MachineFunction &MF, RegScavenger *RS) const {
> +-  TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
> +-
> ++void ARMFrameLowering::updateLRRestored(MachineFunction &MF) {
> +   MachineFrameInfo &MFI = MF.getFrameInfo();
> +   if (!MFI.isCalleeSavedInfoValid())
> +     return;
> +@@ -2316,6 +2313,12 @@ void 
> ARMFrameLowering::processFunctionBeforeFrameFinalized(
> +   }
> + }
> +
> ++void ARMFrameLowering::processFunctionBeforeFrameFinalized(
> ++    MachineFunction &MF, RegScavenger *RS) const {
> ++  TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS);
> ++  updateLRRestored(MF);
> ++}
> ++
> + void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF,
> +                                       BitVector &SavedRegs) const {
> +   TargetFrameLowering::getCalleeSaves(MF, SavedRegs);
> +diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h 
> b/llvm/lib/Target/ARM/ARMFrameLowering.h
> +index 67505b61a5e1..b13b76d7086c 100644
> +--- a/llvm/lib/Target/ARM/ARMFrameLowering.h
> ++++ b/llvm/lib/Target/ARM/ARMFrameLowering.h
> +@@ -58,6 +58,10 @@ public:
> +   void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs,
> +                             RegScavenger *RS) const override;
> +
> ++  /// Update the IsRestored flag on LR if it is spilled, based on the return
> ++  /// instructions.
> ++  static void updateLRRestored(MachineFunction &MF);
> ++
> +   void processFunctionBeforeFrameFinalized(
> +                  MachineFunction &MF, RegScavenger *RS = nullptr) const 
> override;
> +
> +diff --git a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp 
> b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
> +index fd06bfdf352c..561c1396190d 100644
> +--- a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
> ++++ b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp
> +@@ -2060,17 +2060,6 @@ bool 
> ARMLoadStoreOpt::MergeReturnIntoLDM(MachineBasicBlock &MBB) {
> +       MO.setReg(ARM::PC);
> +       PrevMI.copyImplicitOps(*MBB.getParent(), *MBBI);
> +       MBB.erase(MBBI);
> +-      // We now restore LR into PC so it is not live-out of the return block
> +-      // anymore: Clear the CSI Restored bit.
> +-      MachineFrameInfo &MFI = MBB.getParent()->getFrameInfo();
> +-      // CSI should be fixed after PrologEpilog Insertion
> +-      assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid");
> +-      for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) {
> +-        if (Info.getReg() == ARM::LR) {
> +-          Info.setRestored(false);
> +-          break;
> +-        }
> +-      }
> +       return true;
> +     }
> +   }
> +@@ -2118,16 +2107,24 @@ bool 
> ARMLoadStoreOpt::runOnMachineFunction(MachineFunction &Fn) {
> +   isThumb2 = AFI->isThumb2Function();
> +   isThumb1 = AFI->isThumbFunction() && !isThumb2;
> +
> +-  bool Modified = false;
> ++  bool Modified = false, ModifiedLDMReturn = false;
> +   for (MachineFunction::iterator MFI = Fn.begin(), E = Fn.end(); MFI != E;
> +        ++MFI) {
> +     MachineBasicBlock &MBB = *MFI;
> +     Modified |= LoadStoreMultipleOpti(MBB);
> +     if (STI->hasV5TOps())
> +-      Modified |= MergeReturnIntoLDM(MBB);
> ++      ModifiedLDMReturn |= MergeReturnIntoLDM(MBB);
> +     if (isThumb1)
> +       Modified |= CombineMovBx(MBB);
> +   }
> ++  Modified |= ModifiedLDMReturn;
> ++
> ++  // If we merged a BX instruction into an LDM, we need to re-calculate 
> whether
> ++  // LR is restored. This check needs to consider the whole function, not 
> just
> ++  // the instruction(s) we changed, because there may be other BX returns 
> which
> ++  // still need LR to be restored.
> ++  if (ModifiedLDMReturn)
> ++    ARMFrameLowering::updateLRRestored(Fn);
> +
> +   Allocator.DestroyAll();
> +   return Modified;
> +
> diff --git a/meta/recipes-devtools/llvm/llvm_git.bb 
> b/meta/recipes-devtools/llvm/llvm_git.bb
> index cedbfb138e..d342da649a 100644
> --- a/meta/recipes-devtools/llvm/llvm_git.bb
> +++ b/meta/recipes-devtools/llvm/llvm_git.bb
> @@ -33,6 +33,8 @@ SRC_URI = 
> "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=http
>             
> file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \
>             
> file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2
>  \
>             
> file://0001-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2
>  \
> +           file://0008-llvm-Fix-CVE-2024-31852-1.patch;striplevel=2 \
> +           file://0009-llvm-Fix-CVE-2024-31852-2.patch;striplevel=2 \
>             "
>
>  UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P<pver>\d+(\.\d+)+)"
> --
> 2.43.0
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#202676): 
https://lists.openembedded.org/g/openembedded-core/message/202676
Mute This Topic: https://lists.openembedded.org/mt/107626200/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to