Add task: ecvebench-hashes-001 #133

Merged: jotalis merged 1 commit into main from curate/ecvebench-hashes-001, Apr 26, 2026

@devin-ai-integration

Summary

Adds curated ECVEBench task ecvebench-hashes-001 for GHSA-fc7x-2cmc-8j2g (CVE-2021-45696).

Advisory: The v0.9.7 release of the sha2 Rust crate introduced a buggy AVX2-accelerated backend that miscomputes SHA-512 hash digests for messages spanning multiple blocks (>128 bytes). The bug is in incorrect memory offsets and swapped lane insertion order when loading data for dual-block AVX2 processing.

Vulnerability class: crypto-weakness (CWE-327)
CVSS: 9.8
Repo: RustCrypto/hashes
Patch PR: RustCrypto/hashes#314
Patch commit: 93d895de72c2cb3ac7bc106f03e33715f8f304c2
Pre-patch commit: 726e3c3978a77eb4318b4511eed5ac885375acd0

Files added

  • benchmark/data/tasks/ecvebench-hashes-001.json
  • benchmark/internal/metadata/GHSA-fc7x-2cmc-8j2g.json

Review & Testing Checklist for Human

  • Verify the commit field is the pre-patch SHA (parent), not the patch itself
  • Verify post_patch_commit in metadata is the actual patch commit SHA
  • Confirm L1 hint contains no file paths, function names, or vulnerability type details
  • Confirm L2 hint contains no file paths, function names, or code snippets
  • Confirm L3 hints are more specific than L1/L2 but still don't reveal exact file/function names

Notes

  • Only 1 non-test source file was changed in the patch (sha2/src/sha512/x86.rs), so noisy_patch is false.
  • The sibling sha2/src/sha256/x86.rs was checked but does not contain an AVX2 backend or the same dual-block loading pattern, so no sibling locations were added.

Link to Devin session: https://la-hacks-codebreaker.devinenterprise.com/sessions/66087e68a9ec4effac951a0aaa69bc64
Requested by: @jotalis

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
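
The advisory summarized in the description above places the miscomputation only in messages that span multiple 128-byte blocks, so a check that hashes only short inputs never exercises the affected path. The following differential test is an added example, not code from this PR or from RustCrypto: it compares a candidate SHA-512 against a pure-Python FIPS 180-4 reference at every length across the first block boundaries. The names `reference_sha512` and `mismatched_lengths` are hypothetical, and `hashlib.sha512` stands in for the implementation under test (an assumption).

```python
import hashlib
import struct
from math import isqrt

MASK = (1 << 64) - 1
BLOCK = 128  # SHA-512 block size in bytes
PRIMES = [p for p in range(2, 410) if all(p % d for d in range(2, isqrt(p) + 1))]  # first 80

def _icbrt(n):  # floor cube root by integer Newton iteration
    x = 1 << -(-n.bit_length() // 3)  # power of two >= the real cube root
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

# FIPS 180-4 constants: fractional bits of square/cube roots of the primes.
H0 = [isqrt(p << 128) & MASK for p in PRIMES[:8]]
K = [_icbrt(p << 192) & MASK for p in PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def reference_sha512(msg):
    h = list(H0)
    data = msg + b"\x80" + b"\0" * ((111 - len(msg)) % BLOCK) + (8 * len(msg)).to_bytes(16, "big")
    for off in range(0, len(data), BLOCK):
        w = list(struct.unpack(">16Q", data[off:off + BLOCK]))
        for t in range(16, 80):  # message schedule
            x, y = w[t - 15], w[t - 2]
            w.append((w[t - 16] + w[t - 7] + (_rotr(x, 1) ^ _rotr(x, 8) ^ (x >> 7))
                      + (_rotr(y, 19) ^ _rotr(y, 61) ^ (y >> 6))) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):  # compression rounds
            t1 = hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[t] + w[t]
            t2 = (_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(u.to_bytes(8, "big") for u in h)

def mismatched_lengths(candidate, max_len=4 * BLOCK + 1):
    """Lengths 0..max_len at which candidate(msg) differs from the reference."""
    msgs = (bytes(i % 251 for i in range(n)) for n in range(max_len + 1))  # constructed inputs
    return [len(m) for m in msgs if candidate(m) != reference_sha512(m)]

if __name__ == "__main__":
    # hashlib stands in for the implementation under test (assumption)
    print(mismatched_lengths(lambda m: hashlib.sha512(m).digest()))
```

An empty list means the candidate agrees with the reference at every tested length; any entry is a message length whose digest differs.
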
@devin-ai-integration

Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@jotalis jotalis merged commit 714ee89 into main Apr 26, 2026