microsoft
diff --git a/‎SPECS/clang/CVE-2023-29933.patch‎
Lines changed: 73 additions & 0 deletions b/‎SPECS/clang/CVE-2023-29933.patch‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎SPECS/clang/CVE-2023-29935.patch‎
Lines changed: 131 additions & 0 deletions b/‎SPECS/clang/CVE-2023-29935.patch‎
Lines changed: 131 additions & 0 deletions
diff --git a/‎SPECS/clang/CVE-2023-29941.patch‎
Lines changed: 27 additions & 0 deletions b/‎SPECS/clang/CVE-2023-29941.patch‎
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,73 @@
+From cb9d4e3e749f51749927d7531f2807ffebb3a398 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Mon, 17 Mar 2025 15:57:34 -0700
+Subject: [PATCH] [Medium] patch clang16 for CVE-2023-29933
+
+Link: https://github.com/llvm/llvm-project/commit/ae8cb6437294ca99ba203607c0dd522db4dbf6b6.patch
+---
+ .../SCF/Transforms/BufferizableOpInterfaceImpl.cpp | 12 ++++++++----
+ .../one-shot-bufferize-memory-space-invalid.mlir   | 14 ++++++++++++++
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp b/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
+index 630edd300..ad621e50c 100644
+--- a/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
++++ b/mlir/lib/Dialect/SCF/Transforms/BufferizableOpInterfaceImpl.cpp
+@@ -954,10 +954,12 @@ struct WhileOpInterface
+ 
+     auto conditionOp = whileOp.getConditionOp();
+     for (const auto &it : llvm::enumerate(conditionOp.getArgs())) {
++      Block *block = conditionOp->getBlock();
+       if (!it.value().getType().isa<TensorType>())
+         continue;
+-      if (!state.areEquivalentBufferizedValues(
+-              it.value(), conditionOp->getBlock()->getArgument(it.index())))
++      if (it.index() >= block->getNumArguments() ||
++          !state.areEquivalentBufferizedValues(it.value(),
++                                               block->getArgument(it.index())))
+         return conditionOp->emitError()
+                << "Condition arg #" << it.index()
+                << " is not equivalent to the corresponding iter bbArg";
+@@ -965,10 +967,12 @@ struct WhileOpInterface
+ 
+     auto yieldOp = whileOp.getYieldOp();
+     for (const auto &it : llvm::enumerate(yieldOp.getResults())) {
++      Block *block = yieldOp->getBlock();
+       if (!it.value().getType().isa<TensorType>())
+         continue;
+-      if (!state.areEquivalentBufferizedValues(
+-              it.value(), yieldOp->getBlock()->getArgument(it.index())))
++      if (it.index() >= block->getNumArguments() ||
++          !state.areEquivalentBufferizedValues(it.value(),
++                                               block->getArgument(it.index())))
+         return yieldOp->emitError()
+                << "Yield operand #" << it.index()
+                << " is not equivalent to the corresponding iter bbArg";
+diff --git a/mlir/test/Dialect/Bufferization/Transforms/one-shot-bufferize-memory-space-invalid.mlir b/mlir/test/Dialect/Bufferization/Transforms/one-shot-bufferize-memory-space-invalid.mlir
+index 5feeab0bc..6cd4b8a06 100644
+--- a/mlir/test/Dialect/Bufferization/Transforms/one-shot-bufferize-memory-space-invalid.mlir
++++ b/mlir/test/Dialect/Bufferization/Transforms/one-shot-bufferize-memory-space-invalid.mlir
+@@ -9,6 +9,20 @@ func.func @alloc_tensor_without_memory_space() -> tensor<10xf32> {
+ 
+ // -----
+ 
++func.func @regression_scf_while() {
++  %false = arith.constant false
++  %8 = bufferization.alloc_tensor() : tensor<10x10xf32>
++  scf.while (%arg0 = %8) : (tensor<10x10xf32>) -> () {
++    scf.condition(%false)
++  } do {
++    // expected-error @+1 {{Yield operand #0 is not equivalent to the corresponding iter bbArg}}
++    scf.yield %8 : tensor<10x10xf32>
++  }
++  return
++}
++
++// -----
++
+ func.func @memory_space_of_unknown_op() -> f32 {
+   %c0 = arith.constant 0 : index
+   // expected-error @+1 {{could not infer memory space}}
+-- 
+2.34.1
+
@@ -0,0 +1,131 @@
+From 012fcbff096e259de26aba5f9e88b05a56444faf Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Tue, 18 Mar 2025 14:07:29 -0700
+Subject: [PATCH] [Medium] patch clang16 for CVE-2023-29935
+
+Link: https://github.com/llvm/llvm-project/commit/e7833c20d835d0f358acf7708a72bc23b1d87973.patch
+---
+ .../Conversion/MemRefToLLVM/MemRefToLLVM.cpp  | 31 ++----------
+ .../MemRefToLLVM/memref-to-llvm.mlir          | 48 +++++++++++++++----
+ 2 files changed, 45 insertions(+), 34 deletions(-)
+
+diff --git a/mlir/lib/Conversion/MemRefToLLVM/MemRefToLLVM.cpp b/mlir/lib/Conversion/MemRefToLLVM/MemRefToLLVM.cpp
+index 7132560ad..a225553f5 100644
+--- a/mlir/lib/Conversion/MemRefToLLVM/MemRefToLLVM.cpp
++++ b/mlir/lib/Conversion/MemRefToLLVM/MemRefToLLVM.cpp
+@@ -534,15 +534,12 @@ struct GenericAtomicRMWOpLowering
+ 
+     // Split the block into initial, loop, and ending parts.
+     auto *initBlock = rewriter.getInsertionBlock();
+-    auto *loopBlock = rewriter.createBlock(
+-        initBlock->getParent(), std::next(Region::iterator(initBlock)),
+-        valueType, loc);
+-    auto *endBlock = rewriter.createBlock(
+-        loopBlock->getParent(), std::next(Region::iterator(loopBlock)));
++    auto *loopBlock = rewriter.splitBlock(initBlock, Block::iterator(atomicOp));
++    loopBlock->addArgument(valueType, loc);
+ 
+-    // Operations range to be moved to `endBlock`.
+-    auto opsToMoveStart = atomicOp->getIterator();
+-    auto opsToMoveEnd = initBlock->back().getIterator();
++
++    auto *endBlock =
++        rewriter.splitBlock(loopBlock, Block::iterator(atomicOp)++);
+ 
+     // Compute the loaded value and branch to the loop block.
+     rewriter.setInsertionPointToEnd(initBlock);
+@@ -585,30 +582,12 @@ struct GenericAtomicRMWOpLowering
+                                     loopBlock, newLoaded);
+ 
+     rewriter.setInsertionPointToEnd(endBlock);
+-    moveOpsRange(atomicOp.getResult(), newLoaded, std::next(opsToMoveStart),
+-                 std::next(opsToMoveEnd), rewriter);
+ 
+     // The 'result' of the atomic_rmw op is the newly loaded value.
+     rewriter.replaceOp(atomicOp, {newLoaded});
+ 
+     return success();
+   }
+-
+-private:
+-  // Clones a segment of ops [start, end) and erases the original.
+-  void moveOpsRange(ValueRange oldResult, ValueRange newResult,
+-                    Block::iterator start, Block::iterator end,
+-                    ConversionPatternRewriter &rewriter) const {
+-    IRMapping mapping;
+-    mapping.map(oldResult, newResult);
+-    SmallVector<Operation *, 2> opsToErase;
+-    for (auto it = start; it != end; ++it) {
+-      rewriter.clone(*it, mapping);
+-      opsToErase.push_back(&*it);
+-    }
+-    for (auto *it : opsToErase)
+-      rewriter.eraseOp(it);
+-  }
+ };
+ 
+ /// Returns the LLVM type of the global variable given the memref type `type`.
+diff --git a/mlir/test/Conversion/MemRefToLLVM/memref-to-llvm.mlir b/mlir/test/Conversion/MemRefToLLVM/memref-to-llvm.mlir
+index 1a8a75d1e..ba2d75fc6 100644
+--- a/mlir/test/Conversion/MemRefToLLVM/memref-to-llvm.mlir
++++ b/mlir/test/Conversion/MemRefToLLVM/memref-to-llvm.mlir
+@@ -366,16 +366,48 @@ func.func @generic_atomic_rmw(%I : memref<10xi32>, %i : index) {
+     ^bb0(%old_value : i32):
+       memref.atomic_yield %old_value : i32
+   }
+-  // CHECK: [[init:%.*]] = llvm.load %{{.*}} : !llvm.ptr<i32>
+-  // CHECK-NEXT: llvm.br ^bb1([[init]] : i32)
+-  // CHECK-NEXT: ^bb1([[loaded:%.*]]: i32):
+-  // CHECK-NEXT: [[pair:%.*]] = llvm.cmpxchg %{{.*}}, [[loaded]], [[loaded]]
+-  // CHECK-SAME:                    acq_rel monotonic : i32
+-  // CHECK-NEXT: [[new:%.*]] = llvm.extractvalue [[pair]][0]
+-  // CHECK-NEXT: [[ok:%.*]] = llvm.extractvalue [[pair]][1]
+-  // CHECK-NEXT: llvm.cond_br [[ok]], ^bb2, ^bb1([[new]] : i32)
+   llvm.return
+ }
++// CHECK:        %[[INIT:.*]] = llvm.load %{{.*}} : !llvm.ptr -> i32
++// CHECK-NEXT:   llvm.br ^bb1(%[[INIT]] : i32)
++// CHECK-NEXT: ^bb1(%[[LOADED:.*]]: i32):
++// CHECK-NEXT:   %[[PAIR:.*]] = llvm.cmpxchg %{{.*}}, %[[LOADED]], %[[LOADED]]
++// CHECK-SAME:                      acq_rel monotonic : !llvm.ptr, i32
++// CHECK-NEXT:   %[[NEW:.*]] = llvm.extractvalue %[[PAIR]][0]
++// CHECK-NEXT:   %[[OK:.*]] = llvm.extractvalue %[[PAIR]][1]
++// CHECK-NEXT:   llvm.cond_br %[[OK]], ^bb2, ^bb1(%[[NEW]] : i32)
++
++// -----
++
++// CHECK-LABEL: func @generic_atomic_rmw_in_alloca_scope
++func.func @generic_atomic_rmw_in_alloca_scope(){
++  %c1 = arith.constant 1 : index
++  %alloc = memref.alloc() : memref<2x3xi32>
++  memref.alloca_scope  {
++    %0 = memref.generic_atomic_rmw %alloc[%c1, %c1] : memref<2x3xi32> {
++    ^bb0(%arg0: i32):
++      memref.atomic_yield %arg0 : i32
++    }
++  }
++  return
++}
++// CHECK:        %[[STACK_SAVE:.*]] = llvm.intr.stacksave : !llvm.ptr
++// CHECK-NEXT:   llvm.br ^bb1
++// CHECK:      ^bb1:
++// CHECK:        %[[INIT:.*]] = llvm.load %[[BUF:.*]] : !llvm.ptr -> i32
++// CHECK-NEXT:   llvm.br ^bb2(%[[INIT]] : i32)
++// CHECK-NEXT: ^bb2(%[[LOADED:.*]]: i32):
++// CHECK-NEXT:   %[[PAIR:.*]] = llvm.cmpxchg %[[BUF]], %[[LOADED]], %[[LOADED]]
++// CHECK-SAME:     acq_rel monotonic : !llvm.ptr, i32
++// CHECK-NEXT:   %[[NEW:.*]] = llvm.extractvalue %[[PAIR]][0]
++// CHECK-NEXT:   %[[OK:.*]] = llvm.extractvalue %[[PAIR]][1]
++// CHECK-NEXT:   llvm.cond_br %[[OK]], ^bb3, ^bb2(%[[NEW]] : i32)
++// CHECK-NEXT: ^bb3:
++// CHECK-NEXT:   llvm.intr.stackrestore %[[STACK_SAVE]] : !llvm.ptr
++// CHECK-NEXT:   llvm.br ^bb4
++// CHECK-NEXT: ^bb4:
++// CHECK-NEXT:   return
++ 
+ 
+ // -----
+ 
+-- 
+2.34.1
+
@@ -0,0 +1,27 @@
+From e6fa2c1c12edb30568f15af3891ec7607964968f Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Wed, 26 Feb 2025 14:03:35 -0800
+Subject: [PATCH] Patch llvm16 for CVE-2023-29941 [Medium]
+
+Link: https://github.com/llvm/llvm-project/commit/9a29d87538842a29b430c6956a4f914896643691.patch
+---
+ .../Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp b/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
+index fc9476cd2..2db37a1e4 100644
+--- a/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
++++ b/mlir/lib/Dialect/SparseTensor/Transforms/SparseBufferRewriting.cpp
+@@ -728,6 +728,9 @@ LogicalResult matchAndRewriteSortOp(OpTy op, ValueRange xys, uint64_t nx,
+     operands.push_back(v);
+   }
+   auto insertPoint = op->template getParentOfType<func::FuncOp>();
++  if (!insertPoint)
++    return failure();
++
+   SmallString<32> funcName(op.getStable() ? kSortStableFuncNamePrefix
+                                           : kSortNonstableFuncNamePrefix);
+   FuncGeneratorType funcGenerator =
+-- 
+2.34.1
+