Red Hat Security Advisory 2023-2136-01 - Samba is an open-source implementation of the Server Message Block protocol and the related Common Internet File System protocol, which allow PC-compatible machines to share files, printers, and various information.

Red Hat Security Advisory 2023-2136-01

Apple Security Advisory 2023-05-03-1 - AirPods Firmware Update 5E133 and Beats Firmware Update 5B66 address bluetooth authentication vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 andBeats Firmware Update 5B66AirPods Firmware Update 5E133 and Beats Firmware Update 5B66address the following issues. Information about the security contentis also available at https://support.apple.com/HT213752.AirPods Firmware Update 5E133Released April 11, 2023BluetoothAvailable for: AirPods (2nd generation and later), AirPod Pro (all models),AirPods MaxImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSFirmware updates are automatically delivered while your AirPods arecharging and in Bluetooth range of your iPhone, iPad, or Mac.Learn more about firmware updates for AirPods. Beats Firmware Update 5B66Released May 2, 2023BluetoothAvailable for: Powerbeats Pro, Beats Fit ProImpact: When your headphones are seeking a connection request to oneof your previously paired devices, an attacker in Bluetooth range might beable to spoof the intended source device and gain access to your headphones.Description: An authentication issue was addressed with improved statemanagement.CVE-2023-27964: Yun-hao Chung and Archie Pusaka of GoogleChromeOSIf you paired your Beats wireless headphones with your iPhone, iPad, orMac, your Beats will update automatically. Learn more about firmware updatesfor Beats. You can check the firmware version of your wireless headphones in Bluetoothsettings on your device. 1. On your iPhone or iPad, go to Settings > Bluetooth. On your Mac, go toSystem Settings > Bluetooth. 2. Tap on the info button next to your headphones.-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmRS94AACgkQ4RjMIDkeNxnu4g/+ORGK+ShjgE7mTdv7kmpBLzslblq6S9h/z3Q5GDcs9nyzxkXt3Q9/WRRdgUoPdGavnsIqfY5yU7qig1ybUQItEsGuEz4jF32gmXTuUMTUnAYHVSZYgmo/6tlT2Vvo08R+5fNWjBNxqEQMM0hQjzj3I37fsIEBR7CwGvzvsofrctRkfPuEi6q+yztMmM1LuVAixeHTy2J/GLXPA62WBUVdfooEAEIHQADHbXRgvvjALhIegyut4DY7BjJKSYo/n5U8NHxh/HjocgxATJUAUJU2ua2QrRWnzLA1n2HS9mJdm385FS3NZTRXfvTMMeAix7DAE82utWkweTIF5rmycjnQ8GHgqFSgtUWS9aMe7Hjj9872rDmIFwi2EQk0LtWAElhqF4yGkwa42+CKraa48XR1Ai9/QBNoeJPkNzRu7UZrrB5inYNaWP6nGX8XTS2rrxHDo1PFUYI7eEkqu5pq78LEQzyvnfx5scBwBXfc4dmkuzmn9+UbYlHLoKmni1w6mS8v0yXqCPXI+gG3dO3lmoshtPbqvaE+yTjLcG57rS61Dxol2Q00iL4ZvDbbYp/9c08W1SkVh4PCeKss3+CxBZ2/a4GBpESjkq7EdipRVkXC3TjN+ZvGMETXetBW102+c0gF49uBR+w+nouTRxK+boYBqPxAkhHsn7z6o31sCT2Op9s==AsH2-----END PGP SIGNATURE-----

Apple Security Advisory 2023-05-03-1

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::Type::isa<mlir::LLVM::LLVMVoidType.

MLIR built at commit a0138390  
Reproduced with:  
mlir-opt --convert-spirv-to-llvm temp.mlir

temp.mlir:

module { 
  spirv.module Logical GLSL450 {
    spirv.GlobalVariable @var01\_scalar bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride\=4\> \[0\])>, StorageBuffer\>
    spirv.GlobalVariable @var01\_vec2 bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<2xf32\>, stride\=8\> \[0\])>, StorageBuffer\>
    spirv.GlobalVariable @var01\_vec4 bind(0, 1) {aliased} : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32\>, stride\=16\> \[0\])>, StorageBuffer\>
  
    spirv.func @load\_different\_vector\_sizes(%i0: i32) -> vector<4xf32\> "None" {
      %c0 = spirv.Constant 0 : i32
  
      %addr0 = spirv.mlir.addressof @var01\_vec4 : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32\>, stride\=16\> \[0\])>, StorageBuffer\>
      %ac0 = spirv.AccessChain %addr0\[%c0, %i0\] : !spirv.ptr<!spirv.struct<(!spirv.rtarray<vector<4xf32\>, stride\=16\> \[0\])>, StorageBuffer\>, i32, i32
      %vec4val = spirv.Load "StorageBuffer" %ac0 : vector<4xf32\>
  
      %addr1 = spirv.mlir.addressof @var01\_scalar : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride\=4\> \[0\])>, StorageBuffer\>
      %ac1 = spirv.AccessChain %addr1\[%c0, %i0\] : !spirv.ptr<!spirv.struct<(!spirv.rtarray<f32, stride\=4\> \[0\])>, StorageBuffer\>, i32, i32
      %scalarval = spirv.Load "StorageBuffer" %ac1 : f32
  
      %val = spirv.CompositeInsert %scalarval, %vec4val\[0 : i32\] : f32 into vector<4xf32\>
      spirv.ReturnValue %val : vector<4xf32\>
    }
  }
  
  
}

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: mlir-opt --convert-spirv-to-llvm temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x00000001023fc5bc llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 56
1  mlir-opt                 0x00000001023fb624 llvm::sys::RunSignalHandlers() + 112
2  mlir-opt                 0x00000001023fcc54 SignalHandler(int) + 344
3  libsystem\_platform.dylib 0x00000001a56894c4 \_sigtramp + 56
4  mlir-opt                 0x0000000102a8a668 bool mlir::Type::isa<mlir::LLVM::LLVMVoidType, mlir::LLVM::LLVMLabelType, mlir::LLVM::LLVMMetadataType, mlir::LLVM::LLVMFunctionType, mlir::LLVM::LLVMTokenType, mlir::LLVM::LLVMScalableVectorType>() const + 24
5  mlir-opt                 0x0000000102a8a668 bool mlir::Type::isa<mlir::LLVM::LLVMVoidType, mlir::LLVM::LLVMLabelType, mlir::LLVM::LLVMMetadataType, mlir::LLVM::LLVMFunctionType, mlir::LLVM::LLVMTokenType, mlir::LLVM::LLVMScalableVectorType>() const + 24
6  mlir-opt                 0x0000000102a8bef8 mlir::LLVM::LLVMStructType::verify(llvm::function\_ref<mlir::InFlightDiagnostic ()>, llvm::ArrayRef<mlir::Type>, bool) + 76
7  mlir-opt                 0x0000000102a8bcc8 mlir::LLVM::LLVMStructType mlir::detail::StorageUserBase<mlir::LLVM::LLVMStructType, mlir::Type, mlir::LLVM::detail::LLVMStructTypeStorage, mlir::detail::TypeUniquer, mlir::DataLayoutTypeInterface::Trait, mlir::SubElementTypeInterface::Trait, mlir::TypeTrait::IsMutable>::get<llvm::ArrayRef<mlir::Type>, bool>(mlir::MLIRContext\*, llvm::ArrayRef<mlir::Type>, bool) + 76
8  mlir-opt                 0x000000010332d334 std::\_\_1::\_\_function::\_\_func<std::\_\_1::enable\_if<std::is\_invocable\_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5, mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>>, std::\_\_1::function<std::\_\_1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, std::\_\_1::enable\_if<std::is\_invocable\_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5, mlir::spirv::StructType>, std::\_\_1::function<std::\_\_1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5&&)::'lambda'(mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5&&)::'lambda'(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>), std::\_\_1::allocator<std::\_\_1::enable\_if<std::is\_invocable\_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5, mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>>, std::\_\_1::function<std::\_\_1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, std::\_\_1::enable\_if<std::is\_invocable\_v<mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5, mlir::spirv::StructType>, std::\_\_1::function<std::\_\_1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>>::type mlir::TypeConverter::wrapCallback<mlir::spirv::StructType, mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5&&)::'lambda'(mlir::spirv::StructType, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>(mlir::populateSPIRVToLLVMTypeConversion(mlir::LLVMTypeConverter&)::$\_5&&)::'lambda'(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>, std::\_\_1::optional<mlir::LogicalResult> (mlir::Type, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>)>::operator()(mlir::Type&&, llvm::SmallVectorImpl<mlir::Type>&, llvm::ArrayRef<mlir::Type>&&) + 776
9  mlir-opt                 0x000000010363a9e4 mlir::TypeConverter::convertType(mlir::Type, llvm::SmallVectorImpl<mlir::Type>&) + 764
10 mlir-opt                 0x000000010363f0f4 mlir::TypeConverter::convertType(mlir::Type) + 64
11 mlir-opt                 0x0000000103346d14 (anonymous namespace)::GlobalVariablePattern::matchAndRewrite(mlir::spirv::GlobalVariableOp, mlir::spirv::GlobalVariableOpAdaptor, mlir::ConversionPatternRewriter&) const + 124
12 mlir-opt                 0x0000000102f78af4 mlir::OpConversionPattern<mlir::spirv::GlobalVariableOp>::matchAndRewrite(mlir::Operation\*, llvm::ArrayRef<mlir::Value>, mlir::ConversionPatternRewriter&) const + 144
13 mlir-opt                 0x000000010363ee34 mlir::ConversionPattern::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&) const + 200
14 mlir-opt                 0x000000010389bbd0 mlir::PatternApplicator::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&, llvm::function\_ref<bool (mlir::Pattern const&)>, llvm::function\_ref<void (mlir::Pattern const&)>, llvm::function\_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1440
15 mlir-opt                 0x00000001036494b0 (anonymous namespace)::OperationLegalizer::legalize(mlir::Operation\*, mlir::ConversionPatternRewriter&) + 1948
16 mlir-opt                 0x0000000103642b1c (anonymous namespace)::OperationConverter::convertOperations(llvm::ArrayRef<mlir::Operation\*>, llvm::function\_ref<void (mlir::Diagnostic&)>) + 928
17 mlir-opt                 0x0000000103644d18 mlir::applyPartialConversion(mlir::Operation\*, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation\*, llvm::DenseMapInfo<mlir::Operation\*, void>>\*) + 80
18 mlir-opt                 0x000000010334dc20 (anonymous namespace)::ConvertSPIRVToLLVMPass::runOnOperation() + 600
19 mlir-opt                 0x00000001036074dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 420
20 mlir-opt                 0x0000000103607a0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 320
21 mlir-opt                 0x0000000103609388 mlir::PassManager::run(mlir::Operation\*) + 1148
22 mlir-opt                 0x0000000103602840 performActions(llvm::raw\_ostream&, bool, bool, std::\_\_1::shared\_ptr<llvm::SourceMgr> const&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504
23 mlir-opt                 0x0000000103602410 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 704
24 mlir-opt                 0x000000010366d02c mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 656
25 mlir-opt                 0x0000000103600838 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216
26 mlir-opt                 0x0000000103600d2c mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208
27 mlir-opt                 0x000000010229f0a0 main + 108
28 dyld                     0x0000000106ad5088 start + 516

CVE-2023-29942: [mlir] Convert-spirv-to-llvm Pass trigger Segmentation fault in LLVMStructType verifier · Issue #59990 · llvm/llvm-project

llvm-project commit a0138390 was discovered to contain an assertion failure at !replacements.count(op) && "operation was already replaced.

MLIR built at commit 12ebfca  
Reproduced with:  
mlir-opt --gpu-to-llvm temp.mlir

temp.mlir:

module {
  func.func @func1(){
    %c1 = arith.constant 1 : index
    %alloc\_6 = memref.alloc() : memref<2x3xf32\>
    memref.alloca\_scope  {
      %41 = memref.generic\_atomic\_rmw %alloc\_6\[%c1, %c1\] : memref<2x3xf32\> {
      ^bb0(%arg0: f32):
        memref.atomic\_yield %arg0 : f32
      }
    }
    return
  }
}

trace:

Assertion failed: (!replacements.count(op) && "operation was already replaced"), function notifyOpReplaced, file DialectConversion.cpp, line 1404.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: mlir-opt -gpu-to-llvm temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x00000001055fff5c llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 72
1  mlir-opt                 0x0000000105600478 PrintStackTraceSignalHandler(void\*) + 28
2  mlir-opt                 0x00000001055fe588 llvm::sys::RunSignalHandlers() + 148
3  mlir-opt                 0x0000000105601d48 SignalHandler(int) + 252
4  libsystem\_platform.dylib 0x000000019fc254c4 \_sigtramp + 56
5  libsystem\_pthread.dylib  0x000000019fc0dee0 pthread\_kill + 288
6  libsystem\_c.dylib        0x000000019fb48340 abort + 168
7  libsystem\_c.dylib        0x000000019fb47754 err + 0
8  mlir-opt                 0x0000000109346380 mlir::detail::ConversionPatternRewriterImpl::notifyOpReplaced(mlir::Operation\*, mlir::ValueRange) + 208
9  mlir-opt                 0x0000000109347758 mlir::ConversionPatternRewriter::eraseOp(mlir::Operation\*) + 300
10 mlir-opt                 0x000000010834561c (anonymous namespace)::GenericAtomicRMWOpLowering::moveOpsRange(mlir::ValueRange, mlir::ValueRange, llvm::ilist\_iterator<llvm::ilist\_detail::node\_options<mlir::Operation, true, false, void>, false, false>, llvm::ilist\_iterator<llvm::ilist\_detail::node\_options<mlir::Operation, true, false, void>, false, false>, mlir::ConversionPatternRewriter&) const + 304
11 mlir-opt                 0x0000000108344630 (anonymous namespace)::GenericAtomicRMWOpLowering::matchAndRewrite(mlir::memref::GenericAtomicRMWOp, mlir::memref::GenericAtomicRMWOpAdaptor, mlir::ConversionPatternRewriter&) const + 1600
12 mlir-opt                 0x0000000108343f28 mlir::ConvertOpToLLVMPattern<mlir::memref::GenericAtomicRMWOp>::matchAndRewrite(mlir::Operation\*, llvm::ArrayRef<mlir::Value>, mlir::ConversionPatternRewriter&) const + 192
13 mlir-opt                 0x0000000109348b50 mlir::ConversionPattern::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&) const + 368
14 mlir-opt                 0x000000010a06cbb8 mlir::PatternApplicator::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&, llvm::function\_ref<bool (mlir::Pattern const&)>, llvm::function\_ref<void (mlir::Pattern const&)>, llvm::function\_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1356
15 mlir-opt                 0x0000000109369a1c (anonymous namespace)::OperationLegalizer::legalizeWithPattern(mlir::Operation\*, mlir::ConversionPatternRewriter&) + 328
16 mlir-opt                 0x0000000109369170 (anonymous namespace)::OperationLegalizer::legalize(mlir::Operation\*, mlir::ConversionPatternRewriter&) + 996
17 mlir-opt                 0x0000000109368760 (anonymous namespace)::OperationConverter::convert(mlir::ConversionPatternRewriter&, mlir::Operation\*) + 64
18 mlir-opt                 0x000000010934cc60 (anonymous namespace)::OperationConverter::convertOperations(llvm::ArrayRef<mlir::Operation\*>, llvm::function\_ref<void (mlir::Diagnostic&)>) + 568
19 mlir-opt                 0x000000010934c990 mlir::applyPartialConversion(llvm::ArrayRef<mlir::Operation\*>, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation\*, llvm::DenseMapInfo<mlir::Operation\*, void>>\*) + 124
20 mlir-opt                 0x000000010934ce84 mlir::applyPartialConversion(mlir::Operation\*, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation\*, llvm::DenseMapInfo<mlir::Operation\*, void>>\*) + 72
21 mlir-opt                 0x00000001080bc8d4 (anonymous namespace)::GpuToLLVMConversionPass::runOnOperation() + 384
22 mlir-opt                 0x000000010920c524 mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 512
23 mlir-opt                 0x000000010920cbf4 mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 364
24 mlir-opt                 0x000000010920ee38 mlir::PassManager::runPasses(mlir::Operation\*, mlir::AnalysisManager) + 108
25 mlir-opt                 0x000000010920ec10 mlir::PassManager::run(mlir::Operation\*) + 864
26 mlir-opt                 0x00000001091f4010 performActions(llvm::raw\_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560
27 mlir-opt                 0x00000001091f3ba4 processBuffer(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, bool, bool, bool, bool, bool, bool, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool\*) + 496
28 mlir-opt                 0x00000001091f396c mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 204
29 mlir-opt                 0x00000001091f3880 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 80
30 mlir-opt                 0x00000001093fea44 llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 96
31 mlir-opt                 0x00000001093fe528 mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 128
32 mlir-opt                 0x00000001091f12c0 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320
33 mlir-opt                 0x00000001091f14c8 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296
34 mlir-opt                 0x00000001091f208c mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 2912
35 mlir-opt                 0x0000000104e21fa0 main + 148
36 dyld                     0x0000000122ab5088 start + 516
zsh: abort      mlir-opt -gpu-to-llvm temp.mlir

CVE-2023-29935: [mlir] gpu-to-llvm Pass crashed with error message "Assertion failed: (!replacements.count(op) && "operation was already replaced")" · Issue #59182 · llvm/llvm-project

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component matchAndRewriteSortOp<mlir::sparse_tensor::SortOp>(mlir::sparse_tensor::SortOp.

MLIR built at commit a0138390  
Reproduced with:  
mlir-opt --sparse-buffer-rewrite temp.mlir

temp.mlir:

module attributes {llvm.data\_layout \= ""} {
  llvm.func @func(%arg0: i64, %arg1: !llvm.ptr<i8\>, %arg2: !llvm.ptr<i8\>, %arg3: i64, %arg4: i64, %arg5: i64, %arg6: !llvm.ptr<i8\>, %arg7: !llvm.ptr<i8\>, %arg8: i64, %arg9: i64, %arg10: i64, %arg11: !llvm.ptr<f64\>, %arg12: !llvm.ptr<f64\>, %arg13: i64, %arg14: i64, %arg15: i64) -> !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)> {
    %0 = builtin.unrealized\_conversion\_cast %arg0 : i64 to index
    %1 = llvm.mlir.undef : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>
    %2 = llvm.insertvalue %arg1, %1\[0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %3 = llvm.insertvalue %arg2, %2\[1\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %4 = llvm.insertvalue %arg3, %3\[2\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %5 = llvm.insertvalue %arg4, %4\[3, 0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %6 = llvm.insertvalue %arg5, %5\[4, 0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %7 = builtin.unrealized\_conversion\_cast %6 : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> to memref<10xi8\>
    %8 = llvm.mlir.undef : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>
    %9 = llvm.insertvalue %arg6, %8\[0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %10 = llvm.insertvalue %arg7, %9\[1\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %11 = llvm.insertvalue %arg8, %10\[2\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %12 = llvm.insertvalue %arg9, %11\[3, 0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %13 = llvm.insertvalue %arg10, %12\[4, 0\] : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %14 = builtin.unrealized\_conversion\_cast %13 : !llvm.struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)> to memref<20xi8\>
    %15 = llvm.mlir.undef : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>
    %16 = llvm.insertvalue %arg11, %15\[0\] : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %17 = llvm.insertvalue %arg12, %16\[1\] : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %18 = llvm.insertvalue %arg13, %17\[2\] : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %19 = llvm.insertvalue %arg14, %18\[3, 0\] : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %20 = llvm.insertvalue %arg15, %19\[4, 0\] : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> 
    %21 = builtin.unrealized\_conversion\_cast %20 : !llvm.struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)> to memref<10xf64\>
    sparse\_tensor.sort %0, %7, %14 jointly %21 : memref<10xi8\>, memref<20xi8\> jointly memref<10xf64\>
    %22 = llvm.mlir.undef : !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)>
    %23 = llvm.insertvalue %6, %22\[0\] : !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)> 
    %24 = llvm.insertvalue %13, %23\[1\] : !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)> 
    %25 = llvm.insertvalue %20, %24\[2\] : !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)> 
    llvm.return %25 : !llvm.struct<(struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<i8\>, ptr<i8\>, i64, array<1 x i64\>, array<1 x i64\>)>, struct<(ptr<f64\>, ptr<f64\>, i64, array<1 x i64\>, array<1 x i64\>)>)>
  }
}

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: mlir-opt --sparse-buffer-rewrite temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x0000000100d785bc llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 56
1  mlir-opt                 0x0000000100d77624 llvm::sys::RunSignalHandlers() + 112
2  mlir-opt                 0x0000000100d78c54 SignalHandler(int) + 344
3  libsystem\_platform.dylib 0x00000001a56894c4 \_sigtramp + 56
4  mlir-opt                 0x00000001016f1050 getMangledSortHelperFunc(mlir::OpBuilder&, mlir::func::FuncOp, mlir::TypeRange, llvm::StringRef, unsigned long long, unsigned long long, bool, mlir::ValueRange, llvm::function\_ref<void (mlir::OpBuilder&, mlir::ModuleOp, mlir::func::FuncOp, unsigned long long, unsigned long long, bool)>) + 764
5  mlir-opt                 0x00000001016f0300 mlir::LogicalResult matchAndRewriteSortOp<mlir::sparse\_tensor::SortOp>(mlir::sparse\_tensor::SortOp, mlir::ValueRange, unsigned long long, unsigned long long, bool, mlir::PatternRewriter&) + 692
6  mlir-opt                 0x00000001016efff4 (anonymous namespace)::SortRewriter::matchAndRewrite(mlir::sparse\_tensor::SortOp, mlir::PatternRewriter&) const + 676
7  mlir-opt                 0x0000000102217bd0 mlir::PatternApplicator::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&, llvm::function\_ref<bool (mlir::Pattern const&)>, llvm::function\_ref<void (mlir::Pattern const&)>, llvm::function\_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1440
8  mlir-opt                 0x0000000101fd2328 mlir::applyPatternsAndFoldGreedily(llvm::MutableArrayRef<mlir::Region>, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig) + 3808
9  mlir-opt                 0x0000000101714fb8 (anonymous namespace)::SparseBufferRewritePass::runOnOperation() + 292
10 mlir-opt                 0x0000000101f834dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 420
11 mlir-opt                 0x0000000101f83a0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 320
12 mlir-opt                 0x0000000101f85388 mlir::PassManager::run(mlir::Operation\*) + 1148
13 mlir-opt                 0x0000000101f7e840 performActions(llvm::raw\_ostream&, bool, bool, std::\_\_1::shared\_ptr<llvm::SourceMgr> const&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504
14 mlir-opt                 0x0000000101f7e410 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 704
15 mlir-opt                 0x0000000101fe902c mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 656
16 mlir-opt                 0x0000000101f7c838 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216
17 mlir-opt                 0x0000000101f7cd2c mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208
18 mlir-opt                 0x0000000100c1b0a0 main + 108
19 dyld                     0x00000001053fd088 start + 516

CVE-2023-29941: [mlir] Sparse-buffer-rewrite pass crashes with  Segmentation fault · Issue #59988 · llvm/llvm-project

llvm-project commit fdbc55a5 was discovered to contain a segmentation fault via the component mlir::IROperand<mlir::OpOperand.

Reproduced at commit fdbc55a5

mlir-opt --canonicalize temp.mlir

temp.mlir.txt

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: mlir-opt --canonicalize temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x000000010528a10c llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 72
1  mlir-opt                 0x000000010528a628 PrintStackTraceSignalHandler(void\*) + 28
2  mlir-opt                 0x0000000105288738 llvm::sys::RunSignalHandlers() + 148
3  mlir-opt                 0x000000010528bef8 SignalHandler(int) + 252
4  libsystem\_platform.dylib 0x00000001a33254c4 \_sigtramp + 56
5  mlir-opt                 0x0000000105320820 mlir::IROperand<mlir::OpOperand, mlir::Value>::insertIntoCurrent() + 52
6  mlir-opt                 0x0000000105320674 mlir::IROperand<mlir::OpOperand, mlir::Value>::set(mlir::Value) + 48
7  mlir-opt                 0x000000010532056c void mlir::IRObjectWithUseList<mlir::OpOperand>::replaceAllUsesWith<mlir::Value&>(mlir::Value&) + 228
8  mlir-opt                 0x00000001052ef310 mlir::Value::replaceAllUsesWith(mlir::Value) const + 40
9  mlir-opt                 0x0000000106b8f834 std::\_\_1::enable\_if<!std::is\_convertible<mlir::ValueRange&, mlir::Operation\*>::value, void>::type mlir::ResultRange::replaceAllUsesWith<mlir::ValueRange&>(mlir::ValueRange&) + 332
10 mlir-opt                 0x0000000106b8f36c void mlir::Operation::replaceAllUsesWith<mlir::ValueRange&>(mlir::ValueRange&) + 64
11 mlir-opt                 0x0000000109157758 mlir::RewriterBase::replaceOp(mlir::Operation\*, mlir::ValueRange) + 200
12 mlir-opt                 0x0000000105cb2ee8 (anonymous namespace)::DeduplicateAndRemoveDeadOperandsAndResults::matchAndRewrite(mlir::linalg::GenericOp, mlir::PatternRewriter&) const + 1240
13 mlir-opt                 0x0000000105f5a700 mlir::detail::OpOrInterfaceRewritePatternBase<mlir::linalg::GenericOp>::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&) const + 72
14 mlir-opt                 0x0000000109b158e8 mlir::PatternApplicator::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&, llvm::function\_ref<bool (mlir::Pattern const&)>, llvm::function\_ref<void (mlir::Pattern const&)>, llvm::function\_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1432
15 mlir-opt                 0x0000000108e67820 (anonymous namespace)::GreedyPatternRewriteDriver::simplify(llvm::MutableArrayRef<mlir::Region>) + 1640
16 mlir-opt                 0x0000000108e67068 mlir::applyPatternsAndFoldGreedily(llvm::MutableArrayRef<mlir::Region>, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig) + 240
17 mlir-opt                 0x0000000105915fb4 mlir::applyPatternsAndFoldGreedily(mlir::Operation\*, mlir::FrozenRewritePatternSet const&, mlir::GreedyRewriteConfig) + 76
18 mlir-opt                 0x0000000108d581d0 (anonymous namespace)::Canonicalizer::runOnOperation() + 132
19 mlir-opt                 0x0000000108ce0838 mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 512
20 mlir-opt                 0x0000000108ce0f08 mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 364
21 mlir-opt                 0x0000000108ce30cc mlir::PassManager::runPasses(mlir::Operation\*, mlir::AnalysisManager) + 108
22 mlir-opt                 0x0000000108ce2ea0 mlir::PassManager::run(mlir::Operation\*) + 732
23 mlir-opt                 0x0000000108cc7b80 performActions(llvm::raw\_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560
24 mlir-opt                 0x0000000108cc7714 processBuffer(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, bool, bool, bool, bool, bool, bool, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool\*) + 496
25 mlir-opt                 0x0000000108cc74dc mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 204
26 mlir-opt                 0x0000000108cc73f0 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 80
27 mlir-opt                 0x0000000108ec4700 llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 96
28 mlir-opt                 0x0000000108ec41e4 mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 128
29 mlir-opt                 0x0000000108cc4e48 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320
30 mlir-opt                 0x0000000108cc5050 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296
31 mlir-opt                 0x0000000108cc5bfc mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 2888
32 mlir-opt                 0x0000000104ac9df8 main + 148
33 dyld                     0x0000000121d1d088 start + 516

CVE-2023-29932: [mlir] canonicalize pass crashed with segmentation fault · Issue #58745 · llvm/llvm-project

llvm-project commit 6c01b5c was discovered to contain a segmentation fault via the component mlir::Type::getDialect().

MLIR built at commit 6c01b5c

Reproduced with:  
mlir-opt --convert-scf-to-spirv temp.mlir

module {
  func.func @func1(%arg0: tensor<2x2xi1\>, %arg1: f32) -> f32 {
    %true = arith.constant true
    %c36976552\_i32 = arith.constant 36976552 : i32
    %cst\_4 = arith.constant 1.59615526E+9 : f32
    %true\_5 = arith.constant true
    %c1998615473\_i32 = arith.constant 1998615473 : i32
    %alloc\_46 = memref.alloc() : memref<3xi32\>
    %alloc\_107 = memref.alloc() : memref<2xi32\>
    %94 = scf.if %true\_5 -> (i32) {
      scf.yield %c36976552\_i32 : i32
    } else {
      scf.yield %c1998615473\_i32 : i32
    }
    %214 = scf.if %true -> (memref<3xi32\>) {
      scf.yield %alloc\_46 : memref<3xi32\>
    } else {
      %264 = arith.shrsi %94, %c36976552\_i32 : i32
      scf.yield %alloc\_46 : memref<3xi32\>
    }
    memref.assume\_alignment %alloc\_107, 8 : memref<2xi32\>
    return %cst\_4 : f32
  }
}

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.	Program arguments: mlir-opt --convert-scf-to-spirv temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x00000001032c76f8 llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 72
1  mlir-opt                 0x00000001032c7c14 PrintStackTraceSignalHandler(void\*) + 28
2  mlir-opt                 0x00000001032c5d18 llvm::sys::RunSignalHandlers() + 148
3  mlir-opt                 0x00000001032c94e4 SignalHandler(int) + 252
4  libsystem\_platform.dylib 0x000000019fc254c4 \_sigtramp + 56
5  mlir-opt                 0x0000000103a6c974 mlir::Type::getDialect() const + 28
6  mlir-opt                 0x0000000103a6c974 mlir::Type::getDialect() const + 28
7  mlir-opt                 0x00000001073813b0 mlir::Type::getContext() const + 24
8  mlir-opt                 0x000000010552bd84 mlir::spirv::PointerType::get(mlir::Type, mlir::spirv::StorageClass) + 32
9  mlir-opt                 0x00000001061a1388 void replaceSCFOutputValue<mlir::scf::IfOp, mlir::spirv::SelectionOp>(mlir::scf::IfOp, mlir::spirv::SelectionOp, mlir::ConversionPatternRewriter&, mlir::ScfToSPIRVContextImpl\*, llvm::ArrayRef<mlir::Type>) + 240
10 mlir-opt                 0x00000001061a0b24 (anonymous namespace)::IfOpConversion::matchAndRewrite(mlir::scf::IfOp, mlir::scf::IfOpAdaptor, mlir::ConversionPatternRewriter&) const + 1016
11 mlir-opt                 0x00000001061a06bc mlir::OpConversionPattern<mlir::scf::IfOp>::matchAndRewrite(mlir::Operation\*, llvm::ArrayRef<mlir::Value>, mlir::ConversionPatternRewriter&) const + 176
12 mlir-opt                 0x0000000107000b24 mlir::ConversionPattern::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&) const + 368
13 mlir-opt                 0x0000000107d211e8 mlir::PatternApplicator::matchAndRewrite(mlir::Operation\*, mlir::PatternRewriter&, llvm::function\_ref<bool (mlir::Pattern const&)>, llvm::function\_ref<void (mlir::Pattern const&)>, llvm::function\_ref<mlir::LogicalResult (mlir::Pattern const&)>) + 1356
14 mlir-opt                 0x0000000107021a78 (anonymous namespace)::OperationLegalizer::legalizeWithPattern(mlir::Operation\*, mlir::ConversionPatternRewriter&) + 328
15 mlir-opt                 0x00000001070211cc (anonymous namespace)::OperationLegalizer::legalize(mlir::Operation\*, mlir::ConversionPatternRewriter&) + 996
16 mlir-opt                 0x00000001070207bc (anonymous namespace)::OperationConverter::convert(mlir::ConversionPatternRewriter&, mlir::Operation\*) + 64
17 mlir-opt                 0x0000000107004c58 (anonymous namespace)::OperationConverter::convertOperations(llvm::ArrayRef<mlir::Operation\*>, llvm::function\_ref<void (mlir::Diagnostic&)>) + 568
18 mlir-opt                 0x0000000107004988 mlir::applyPartialConversion(llvm::ArrayRef<mlir::Operation\*>, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation\*, llvm::DenseMapInfo<mlir::Operation\*, void>>\*) + 124
19 mlir-opt                 0x0000000107004e7c mlir::applyPartialConversion(mlir::Operation\*, mlir::ConversionTarget&, mlir::FrozenRewritePatternSet const&, llvm::DenseSet<mlir::Operation\*, llvm::DenseMapInfo<mlir::Operation\*, void>>\*) + 72
20 mlir-opt                 0x00000001061a5ed4 (anonymous namespace)::SCFToSPIRVPass::runOnOperation() + 392
21 mlir-opt                 0x0000000106ec44ac mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 512
22 mlir-opt                 0x0000000106ec4b7c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 364
23 mlir-opt                 0x0000000106ec6dc0 mlir::PassManager::runPasses(mlir::Operation\*, mlir::AnalysisManager) + 108
24 mlir-opt                 0x0000000106ec6b98 mlir::PassManager::run(mlir::Operation\*) + 864
25 mlir-opt                 0x0000000106eabf94 performActions(llvm::raw\_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560
26 mlir-opt                 0x0000000106eabb28 processBuffer(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, bool, bool, bool, bool, bool, bool, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool\*) + 496
27 mlir-opt                 0x0000000106eab8f0 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 204
28 mlir-opt                 0x0000000106eab804 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 80
29 mlir-opt                 0x00000001070b692c llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 96
30 mlir-opt                 0x00000001070b6410 mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 128
31 mlir-opt                 0x0000000106ea9244 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320
32 mlir-opt                 0x0000000106ea944c mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296
33 mlir-opt                 0x0000000106eaa010 mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 2912
34 mlir-opt                 0x0000000102ae9278 main + 148
35 dyld                     0x0000000120745088 start + 516

CVE-2023-29934: [mlir] convert-scf-to-spirv Pass crashed with segmentation fault · Issue #59136 · llvm/llvm-project

llvm-project commit bd456297 was discovered to contain a segmentation fault via the component mlir::Block::getArgument.

MLIR built at commit 0ee6bad  
Reproduced with:  
mlir-opt --one-shot-bufferize temp.mlir

temp.mlir:

module { 
  func.func @func() {
    %false = arith.constant false
    %8 = tensor.empty() : tensor<10x10xf32\> 
    scf.while (%arg0 = %8) : (tensor<10x10xf32\>) -> () {
      scf.condition(%false)
    } do {
      scf.yield %8 : tensor<10x10xf32\>
    }
    return
  }
}

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0\.      Program arguments: mlir-opt --one-shot-bufferize temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x000000010152e568 llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 72
1  mlir-opt                 0x000000010152ea84 PrintStackTraceSignalHandler(void\*) + 28
2  mlir-opt                 0x000000010152cb34 llvm::sys::RunSignalHandlers() + 148
3  mlir-opt                 0x00000001015306f0 SignalHandler(int) + 252
4  libsystem\_platform.dylib 0x000000019970d4c4 \_sigtramp + 56
5  mlir-opt                 0x0000000102c160b8 mlir::Block::getArgument(unsigned int) + 40
6  mlir-opt                 0x0000000102f5fa2c mlir::scf::(anonymous namespace)::WhileOpInterface::verifyAnalysis(mlir::Operation\*, mlir::bufferization::AnalysisState const&) const + 760
7  mlir-opt                 0x0000000102f5d2ac mlir::bufferization::detail::BufferizableOpInterfaceInterfaceTraits::FallbackModel<mlir::scf::(anonymous namespace)::WhileOpInterface>::verifyAnalysis(mlir::bufferization::detail::BufferizableOpInterfaceInterfaceTraits::Concept const\*, mlir::Operation\*, mlir::bufferization::AnalysisState const&) + 40
8  mlir-opt                 0x0000000101b053d4 mlir::bufferization::BufferizableOpInterface::verifyAnalysis(mlir::bufferization::AnalysisState const&) + 88
9  mlir-opt                 0x0000000101c36c84 mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5::operator()(mlir::Operation\*) const + 84
10 mlir-opt                 0x0000000101c36c24 void llvm::function\_ref<void (mlir::Operation\*)>::callback\_fn<mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5>(long, mlir::Operation\*) + 52
11 mlir-opt                 0x0000000105423bf8 llvm::function\_ref<void (mlir::Operation\*)>::operator()(mlir::Operation\*) const + 68
12 mlir-opt                 0x000000010576a6d8 mlir::detail::walk(mlir::Operation\*, llvm::function\_ref<void (mlir::Operation\*)>, mlir::WalkOrder) + 404
13 mlir-opt                 0x000000010576a688 mlir::detail::walk(mlir::Operation\*, llvm::function\_ref<void (mlir::Operation\*)>, mlir::WalkOrder) + 324
14 mlir-opt                 0x000000010576a688 mlir::detail::walk(mlir::Operation\*, llvm::function\_ref<void (mlir::Operation\*)>, mlir::WalkOrder) + 324
15 mlir-opt                 0x0000000101c36b58 std::\_\_1::enable\_if<llvm::is\_one\_of<mlir::Operation\*, mlir::Operation\*, mlir::Region\*, mlir::Block\*>::value, void>::type mlir::detail::walk<(mlir::WalkOrder)1, mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5, mlir::Operation\*, void>(mlir::Operation\*, mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5&&) + 68
16 mlir-opt                 0x0000000101c2b39c std::\_\_1::enable\_if<llvm::function\_traits<std::\_\_1::decay<mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5>::type>::num\_args == 1, void>::type mlir::Operation::walk<(mlir::WalkOrder)1, mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5, void>(mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&)::$\_5&&) + 48
17 mlir-opt                 0x0000000101c2b0ac mlir::bufferization::analyzeOp(mlir::Operation\*, mlir::bufferization::OneShotAnalysisState&) + 380
18 mlir-opt                 0x0000000101c4453c mlir::bufferization::insertTensorCopies(mlir::Operation\*, mlir::bufferization::OneShotBufferizationOptions const&) + 184
19 mlir-opt                 0x0000000101c2b47c mlir::bufferization::runOneShotBufferize(mlir::Operation\*, mlir::bufferization::OneShotBufferizationOptions const&) + 148
20 mlir-opt                 0x0000000101b7e82c (anonymous namespace)::OneShotBufferizePass::runOnOperation() + 612
21 mlir-opt                 0x0000000105294c58 mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 512
22 mlir-opt                 0x0000000105295328 mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 364
23 mlir-opt                 0x000000010529756c mlir::PassManager::runPasses(mlir::Operation\*, mlir::AnalysisManager) + 108
24 mlir-opt                 0x0000000105297344 mlir::PassManager::run(mlir::Operation\*) + 864
25 mlir-opt                 0x000000010527c61c performActions(llvm::raw\_ostream&, bool, bool, llvm::SourceMgr&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 560
26 mlir-opt                 0x000000010527c1b0 processBuffer(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, bool, bool, bool, bool, bool, bool, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, llvm::ThreadPool\*) + 496
27 mlir-opt                 0x000000010527bf78 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 204
28 mlir-opt                 0x000000010527be8c mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 80
29 mlir-opt                 0x0000000105487440 llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::operator()(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) const + 96
30 mlir-opt                 0x0000000105486f24 mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 128
31 mlir-opt                 0x00000001052798cc mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 320
32 mlir-opt                 0x0000000105279ad4 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, mlir::PassPipelineCLParser const&, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool, bool) + 296
33 mlir-opt                 0x000000010527a698 mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 2912
34 mlir-opt                 0x0000000100d44f50 main + 148
35 dyld                     0x000000011f271088 start + 516

CVE-2023-29933: [mlir] One shot bufferize crashed with segmentation fault. · Issue #59442 · llvm/llvm-project

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr).

MLIR built at commit a0138390  
Reproduced with:  
mlir-opt --spirv-lower-abi-attrs temp.mlir

temp.mlir:

    spirv.module Logical GLSL450 {
      spirv.SpecConstant @sc1 = 1.500000e+00 : f32
      spirv.SpecConstant @sc2 = 2.500000e+00 : f32 
      spirv.SpecConstantComposite @scc (@sc1, @sc2) : vector<2xf32>
    }
    

trace:

PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0\.      Program arguments: mlir-opt --spirv-lower-abi-attrs temp.mlir
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var \`LLVM\_SYMBOLIZER\_PATH\` to point to it):
0  mlir-opt                 0x0000000102dc05bc llvm::sys::PrintStackTrace(llvm::raw\_ostream&, int) + 56
1  mlir-opt                 0x0000000102dbf624 llvm::sys::RunSignalHandlers() + 112
2  mlir-opt                 0x0000000102dc0c54 SignalHandler(int) + 344
3  libsystem\_platform.dylib 0x00000001a56894c4 \_sigtramp + 56
4  mlir-opt                 0x0000000103927344 mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr) + 136
5  mlir-opt                 0x0000000103927344 mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr) + 136
6  mlir-opt                 0x0000000103932a80 (anonymous namespace)::LowerABIAttributesPass::runOnOperation() + 132
7  mlir-opt                 0x0000000103fcb4dc mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 420
8  mlir-opt                 0x0000000103fcba0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 320
9  mlir-opt                 0x0000000103fcfa90 mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$\_14::operator()(mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo&) const + 176
10 mlir-opt                 0x0000000103fcf90c mlir::LogicalResult mlir::failableParallelForEach<std::\_\_1::\_\_wrap\_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo\*>, mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$\_14&>(mlir::MLIRContext\*, std::\_\_1::\_\_wrap\_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo\*>, std::\_\_1::\_\_wrap\_iter<mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::OpPMInfo\*>, mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool)::$\_14&) + 360
11 mlir-opt                 0x0000000103fcc6d4 mlir::detail::OpToOpPassAdaptor::runOnOperationAsyncImpl(bool) + 1396
12 mlir-opt                 0x0000000103fcb60c mlir::detail::OpToOpPassAdaptor::run(mlir::Pass\*, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int) + 724
13 mlir-opt                 0x0000000103fcba0c mlir::detail::OpToOpPassAdaptor::runPipeline(mlir::OpPassManager&, mlir::Operation\*, mlir::AnalysisManager, bool, unsigned int, mlir::PassInstrumentor\*, mlir::PassInstrumentation::PipelineParentInfo const\*) + 320
14 mlir-opt                 0x0000000103fcd388 mlir::PassManager::run(mlir::Operation\*) + 1148
15 mlir-opt                 0x0000000103fc6840 performActions(llvm::raw\_ostream&, bool, bool, std::\_\_1::shared\_ptr<llvm::SourceMgr> const&, mlir::MLIRContext\*, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, bool, bool) + 504
16 mlir-opt                 0x0000000103fc6410 mlir::LogicalResult llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>::callback\_fn<mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool)::$\_0>(long, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&) + 704
17 mlir-opt                 0x000000010403102c mlir::splitAndProcessBuffer(std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::raw\_ostream&)>, llvm::raw\_ostream&, bool, bool) + 656
18 mlir-opt                 0x0000000103fc4838 mlir::MlirOptMain(llvm::raw\_ostream&, std::\_\_1::unique\_ptr<llvm::MemoryBuffer, std::\_\_1::default\_delete<llvm::MemoryBuffer>>, llvm::function\_ref<mlir::LogicalResult (mlir::PassManager&)>, mlir::DialectRegistry&, bool, bool, bool, bool, bool, bool, bool) + 216
19 mlir-opt                 0x0000000103fc4d2c mlir::MlirOptMain(int, char\*\*, llvm::StringRef, mlir::DialectRegistry&, bool) + 1208
20 mlir-opt                 0x0000000102c630a0 main + 108
21 dyld                     0x000000010746d088 start + 516
zsh: segmentation fault  mlir-opt --spirv-lower-abi-attrs temp.mlir

CVE-2023-29939: [mlir] spirv-lower-abi-attrs crashes with segmentation faults · Issue #59983 · llvm/llvm-project

Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
"The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring

Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called **drIBAN** since at least 2019.

"The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino said.

The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds.

The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser (MitB) attack and intercept traffic to and from the server.

The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.

Over the years, the operators behind drIBAN have gotten more savvy at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks.

Cleafy said 2021 was the year when the classic "banking trojan" operation evolved into an advanced persistent threat. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.

The attack chain begins with a certified email (or PEC email) in an attempt to lull victims into a false sense of security. These phishing emails come bearing an executable file that acts as a downloader for a malware called sLoad (aka Starslord loader).

A PowerShell loader, sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host, with the purpose of assessing the target and dropping a more significant payload like Ramnit if the target is deemed profitable.

"This 'enrichment phase' could continue for days or weeks, depending on the number of infected machines," Cleafy noted. "Additional data will be exfiltrated to make the resulting botnet more and more solid and consistent."

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

sLoad also leverages living-off-the-land (LotL) techniques by abusing legitimate Windows tools like PowerShell and BITSAdmin as part of its evasion mechanisms.

Another characteristic of the malware is its ability to check against a predefined list of corporate banking institutions to determine if the hacked workstation is one among the targets, and if so, proceed with the infection.

"All the bots that successfully pass those steps will be selected by botnet operators and considered as 'new candidates' for banking fraud operations moving forward to the next stage, where Ramnit, one of the most advanced banking trojans, will be installed," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac