[AUTO-CHERRYPICK] [Medium] llvm16: patch CVE-2023-29941 - branch main (#12958)

Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/llvm/CVE-2023-29933.patch

@@ -0,0 +1,70 @@
+From 38e3c0f2a9d289afd1cf83f7def2e42823084c58 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Wed, 26 Feb 2025 14:12:06 -0800
+Subject: [PATCH] Patch llvm16 for CVE-2023-29933 [Medium]
+
+Link: https://github.com/llvm/llvm-project/commit/ae8cb6437294ca99ba203607c0dd522db4dbf6b6.patch
+---
+ .../SCF/Transforms/BufferizableOpInterfaceImpl.cpp | 12 ++++++++----
+ .../one-shot-module-bufferize-invalid.mlir         | 14 ++++++++++++++
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp b/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
+index 630edd300..ad621e50c 100644
+--- a/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
++++ b/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
+@@ -954,10 +954,12 @@ struct WhileOpInterface
+ 
+     auto conditionOp = whileOp.getConditionOp();
+     for (const auto &it : llvm::enumerate(conditionOp.getArgs())) {
++      Block *block = conditionOp->getBlock();
+       if (!it.value().getType().isa<TensorType>())
+         continue;
+-      if (!state.areEquivalentBufferizedValues(
+-              it.value(), conditionOp->getBlock()->getArgument(it.index())))
++      if (it.index() >= block->getNumArguments() ||
++          !state.areEquivalentBufferizedValues(it.value(),
++                                               block->getArgument(it.index())))
+         return conditionOp->emitError()
+                << "Condition arg #" << it.index()
+                << " is not equivalent to the corresponding iter bbArg";
+@@ -965,10 +967,12 @@ struct WhileOpInterface
+ 
+     auto yieldOp = whileOp.getYieldOp();
+     for (const auto &it : llvm::enumerate(yieldOp.getResults())) {
++      Block *block = yieldOp->getBlock();
+       if (!it.value().getType().isa<TensorType>())
+         continue;
+-      if (!state.areEquivalentBufferizedValues(
+-              it.value(), yieldOp->getBlock()->getArgument(it.index())))
++      if (it.index() >= block->getNumArguments() ||
++          !state.areEquivalentBufferizedValues(it.value(),
++                                               block->getArgument(it.index())))
+         return yieldOp->emitError()
+                << "Yield operand #" << it.index()
+                << " is not equivalent to the corresponding iter bbArg";
+diff --git a/mlir/test/Dialect/Bufferization/Transforms/one-shot-module-bufferize-invalid.mlir b/mlir/test/Dialect/Bufferization/Transforms/one-shot-module-bufferize-invalid.mlir
+index da0fe74db..10075fc8a 100644
+--- a/mlir/test/Dialect/Bufferization/Transforms/one-shot-module-bufferize-invalid.mlir
++++ b/mlir/test/Dialect/Bufferization/Transforms/one-shot-module-bufferize-invalid.mlir
+@@ -315,3 +315,17 @@ func.func @yield_alloc_dominance_test_2(%cst : f32, %idx : index,
+   %r = tensor.extract %2[%idx2] : tensor<?xf32>
+   return %r : f32
+ }
++
++// -----
++
++func.func @regression_scf_while() {
++  %false = arith.constant false
++  %8 = bufferization.alloc_tensor() : tensor<10x10xf32>
++  scf.while (%arg0 = %8) : (tensor<10x10xf32>) -> () {
++    scf.condition(%false)
++  } do {
++    // expected-error @+1 {{Yield operand #0 is not equivalent to the corresponding iter bbArg}}
++    scf.yield %8 : tensor<10x10xf32>
++  }
++  return
++}
+-- 
+2.34.1
+

SPECS/llvm/CVE-2023-29941.patch

@@ -0,0 +1,27 @@
+From e6fa2c1c12edb30568f15af3891ec7607964968f Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Wed, 26 Feb 2025 14:03:35 -0800
+Subject: [PATCH] Patch llvm16 for CVE-2023-29941 [Medium]
+
+Link: https://github.com/llvm/llvm-project/commit/9a29d87538842a29b430c6956a4f914896643691.patch
+---
+ .../Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp b/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
+index fc9476cd2..2db37a1e4 100644
+--- a/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
++++ b/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
+@@ -728,6 +728,9 @@ LogicalResult matchAndRewriteSortOp(OpTy op, ValueRange xys, uint64_t nx,
+     operands.push_back(v);
+   }
+   auto insertPoint = op->template getParentOfType<func::FuncOp>();
++  if (!insertPoint)
++    return failure();
++
+   SmallString<32> funcName(op.getStable() ? kSortStableFuncNamePrefix
+                                           : kSortNonstableFuncNamePrefix);
+   FuncGeneratorType funcGenerator =
+-- 
+2.34.1
+

SPECS/llvm/llvm16.spec

@@ -1,18 +1,21 @@
 Summary:        A collection of modular and reusable compiler and toolchain technologies.
 Name:           llvm16
 Version:        16.0.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        NCSA
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Tools
 URL:            https://llvm.org/
 Source0:        https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz
+Patch0:         CVE-2023-29941.patch
+Patch1:         CVE-2023-29933.patch
 BuildRequires:  cmake
 BuildRequires:  libffi-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  ninja-build
 BuildRequires:  python3-devel
+BuildRequires:  python3-psutil
 Requires:       libxml2
 Provides:       %{name} = %{version}
 Provides:       %{name} = %{version}-%{release}
@@ -29,7 +32,7 @@ The llvm-devel package contains libraries, header files and documentation
 for developing applications that use llvm.
 
 %prep
-%setup -q -n llvm-project-llvmorg-%{version}
+%autosetup -p1 -n llvm-project-llvmorg-%{version}
 
 %build
 # Disable symbol generation
@@ -89,6 +92,10 @@ ninja check-all
 %{_includedir}/*
 
 %changelog
+* Mon Feb 24 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 16.0.0-4
+- Add patch for CVE-2023-29941
+- Add patch for CVE-2023-29933
+
 * Thu Jun 29 2023 Andrew Phelps <anphel@microsoft.com> - 16.0.0-3
 - Modify parallel compile jobs limit to _smp_ncpus_max if set, or _smp_build_ncpus