From 3af503d66c9279a74d7d2df58d3d77c3169acd15 Mon Sep 17 00:00:00 2001 From: yangjinlin01 Date: Mon, 14 Apr 2025 09:42:54 +0800 Subject: [PATCH 1/2] [CVE] FIX CVE-2024-31583 CVE-2024-31580 to #12087 #12278 add patch to fix CVE-2024-31583 CVE-2024-31580 Project: TC2024080204 Signed-off-by: yangjinlin01 --- ...uzz_torch_jit_lite_interpreter-read-.patch | 45 +++++++++++++++++++ 0003-fix-cve-2024-31580.patch | 38 ++++++++++++++++ pytorch.spec | 9 +++- 3 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch create mode 100644 0003-fix-cve-2024-31580.patch diff --git a/0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch b/0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch new file mode 100644 index 0000000..138b869 --- /dev/null +++ b/0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch 
@@ -0,0 +1,45 @@ +From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001 +From: Octavian Guzu +Date: Fri, 29 Sep 2023 22:32:34 +0000 +Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter] + read-heap-use-after-free (size 8) in std::_Function_base::_M_empty() + (#110289) + +Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp + +Test Plan: +CI and +``` +arc lionhead crash reproduce 1009060456885023 +``` +doesn't crash anymore. + +Reviewed By: malfet + +Differential Revision: D49538326 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289 +Approved by: https://github.com/malfet +--- + torch/csrc/jit/mobile/interpreter.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp +index 9183c067f65..6324ea9e3f0 100644 +--- a/torch/csrc/jit/mobile/interpreter.cpp ++++ b/torch/csrc/jit/mobile/interpreter.cpp +@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) { + mobile_debug_info->setOpIdx(pc); + } + } +- ++ if (inst.X < 0 || ++ static_cast(inst.X) >= code.operators_.size()) { ++ throw JITException("Invalid OP Instruction"); ++ } + RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS( + code.op_names_[inst.X].name, debug_handle, stack); + code.operators_[inst.X](stack); +-- +2.39.3 + diff --git a/0003-fix-cve-2024-31580.patch b/0003-fix-cve-2024-31580.patch new file mode 100644 index 0000000..6921603 --- /dev/null +++ b/0003-fix-cve-2024-31580.patch 
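Review bot: The new bounds check reads `static_cast(inst.X) >= code.operators_.size()` here with no target type, which is not valid C++; the upstream commit this backports (9c7071b, PR #110289) presumably has `static_cast<size_t>(inst.X)`, so the angle brackets were most likely lost in rendering, but the on-disk 0002 patch should be checked before building, since a mangled hunk fails at %prep or at compile time rather than being caught by review. The guard compares against `code.operators_.size()` only, yet the following `RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS` line also indexes `code.op_names_[inst.X]`; that second access is in bounds only if the two vectors are kept the same length, which cannot be confirmed from this hunk and is worth a one-line comment such as `// op_names_ is kept parallel to operators_, so one check covers both`. InterpreterState::run begins and ends outside the hunk.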
@@ -0,0 +1,38 @@ +From b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 Mon Sep 17 00:00:00 2001 +From: Octavian Guzu +Date: Tue, 3 Oct 2023 18:48:08 +0000 +Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter] + read-heap-buffer-overflow-far-from-bounds (size 4) in c10::IValue::IValue() + (#110441) + +Summary: This diff fixes a heap underflow found by fuzzing in torch/csrc/jit/runtime/vararg_functions.cpp + +Test Plan: +CI and +``` +arc lionhead crash reproduce 1753074381791061 +``` +doesn't crash anymore. + +Differential Revision: D49537535 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110441 +Approved by: https://github.com/Skylion007 +--- + torch/csrc/jit/runtime/vararg_functions.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/torch/csrc/jit/runtime/vararg_functions.cpp b/torch/csrc/jit/runtime/vararg_functions.cpp +index 69e2c0fc179060..bb28b61fe7e2c8 100644 +--- a/torch/csrc/jit/runtime/vararg_functions.cpp ++++ b/torch/csrc/jit/runtime/vararg_functions.cpp +@@ -267,6 +267,9 @@ void listUnpack(Stack& stack, size_t num_outputs) { + } + + void tupleConstruct(Stack& stack, size_t num_inputs) { ++ if (num_inputs > stack.size()) { ++ TORCH_CHECK(false, "Invalid number of inputs: ", num_inputs); ++ } + switch (num_inputs) { + case 0: + stack.emplace_back(c10::ivalue::Tuple::create()); diff --git a/pytorch.spec b/pytorch.spec index c04ea59..5fc8b54 100644 --- a/pytorch.spec +++ b/pytorch.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 %global vcu_maj 12 %global vcu_min 1 
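Review bot: The guard `if (num_inputs > stack.size()) { TORCH_CHECK(false, ...); }` is the verbatim upstream form and should stay that way for rebase-friendliness, though the idiomatic spelling is the single line `TORCH_CHECK(num_inputs <= stack.size(), "Invalid number of inputs: ", num_inputs);`. Either way the effect is that a bytecode whose TupleConstruct operand exceeds the current stack depth now raises a c10::Error instead of reading below the stack's storage, which is the right failure mode for attacker-controlled model files. tupleConstruct continues past the hunk and the `switch` arms after `case 0` are not visible, so whether any other path indexes `stack` by `num_inputs` before this check cannot be confirmed here.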
@@ -18,6 +18,8 @@ License: BSD URL: https://pytorch.org Source0: https://github.com/pytorch/pytorch/releases/download/v%{version}/pytorch-v%{version}.tar.gz Patch0: 0001-Workaround-NVCC-parse-failure-in-cast_op.patch +Patch1: 0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch +Patch2: 0003-fix-cve-2024-31580.patch BuildRequires: python3-devel cmake gcc-c++ BuildRequires: python3-typing-extensions python3-pyyaml python3-setuptools @@ -69,6 +71,8 @@ This package contains development files for pythorch. %prep %setup -q -n %{name}-v%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build @@ -136,6 +140,9 @@ end %{python3_sitearch}/torch/share %changelog +* Mon Apr 14 2025 yangjinlin01 - 2.0.1-5 +- fix CVE-2024-31580 CVE-2024-31583 + * Thu Nov 2 2023 Zhongling He - 2.0.1-4 - fix NVCC parse failure in cast_op -- Gitee From c2b3ae103e75aa8f7121f45f95bf938e99bb64f5 Mon Sep 17 00:00:00 2001 From: yangjinlin01 Date: Sat, 10 May 2025 10:35:16 +0800 Subject: [PATCH 2/2] [CVE] FIX CVE-2024-31584 to #20251 add patch to fix CVE-2024-31584 Project: TC2024080204 Signed-off-by: yangjinlin01 --- 0004-fix-2024-31584.patch | 34 ++++++++++++++++++++++++++++++++++ pytorch.spec | 7 ++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 0004-fix-2024-31584.patch diff --git a/0004-fix-2024-31584.patch b/0004-fix-2024-31584.patch new file mode 100644 index 0000000..823b04c --- /dev/null +++ b/0004-fix-2024-31584.patch 
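Review bot: `Patch1: 0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch` carries no CVE identifier in its name, unlike `Patch2`, so the mapping to CVE-2024-31583 lives only in the changelog entry; add a comment above each new Patch line, e.g. `# CVE-2024-31583: mobile interpreter heap use-after-free, upstream PR #110289` and `# CVE-2024-31580: tupleConstruct heap underflow, upstream PR #110441`, so the next security update can audit what is already backported without opening each patch. The changelog entry names the CVEs but not the upstream commits; recording them there as well makes it clear which fixes become redundant when the package moves to a 2.x release that already contains them. The `%patch1 -p1` / `%patch2 -p1` lines otherwise follow the existing Patch0 pattern.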
@@ -0,0 +1,34 @@ +From 7c35874ad664e74c8e4252d67521f3986eadb0e6 Mon Sep 17 00:00:00 2001 +From: Andrew Calvano +Date: Fri, 17 Nov 2023 17:29:04 +0000 +Subject: [PATCH] Fix for PyTorch mobile flatbuffer loader out of bounds reads + (#110162) + +Summary: +The mobile_ivalue_size field in the mobile_bytecode flatbuffer schema can be larger than the ivalues vector. This introduces potential for memory corruption when parsing the mobile_bytecode Module. + +This diff fixes the issue by ensuring that mobile_ivalue_size is less than the size of the ivalues vector. + +Test Plan: contbuild & OSS CI + +Differential Revision: D49687548 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110162 +Approved by: https://github.com/malfet +--- + torch/csrc/jit/mobile/flatbuffer_loader.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/torch/csrc/jit/mobile/flatbuffer_loader.cpp b/torch/csrc/jit/mobile/flatbuffer_loader.cpp +index d8380d2548b35a..09b5e9acffc66b 100644 +--- a/torch/csrc/jit/mobile/flatbuffer_loader.cpp ++++ b/torch/csrc/jit/mobile/flatbuffer_loader.cpp +@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule( + storage_loaded_.resize(module->storage_data_size(), false); + + mobile_ivalue_size_ = module_->mobile_ivalue_size(); +- if (mobile_ivalue_size_ == 0) { ++ if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) { + mobile_ivalue_size_ = ivalues->size(); + } + diff --git a/pytorch.spec b/pytorch.spec index 5fc8b54..b3aa4d0 100644 --- a/pytorch.spec +++ b/pytorch.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %global vcu_maj 12 %global vcu_min 1 
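Review bot: The new condition `mobile_ivalue_size_ > ivalues->size()` dereferences `ivalues` with no null check visible in the hunk; flatbuffers returns a null pointer for an absent vector field, so this is safe only if parseModule already rejects a null `ivalues` earlier, which is outside the hunk and should be confirmed in the 2.0.1 tree before relying on this backport. Silently clamping an inconsistent `mobile_ivalue_size` also means a tampered or corrupted module is parsed rather than refused; a stricter variant would fail loudly, e.g. `TORCH_CHECK(mobile_ivalue_size_ <= ivalues->size(), "mobile_ivalue_size exceeds ivalues");`, but that deviates from upstream and should be a deliberate packaging decision, not an accident. parseModule starts and ends outside the hunk.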
@@ -20,6 +20,7 @@ Source0: https://github.com/pytorch/pytorch/releases/download/v%{version} Patch0: 0001-Workaround-NVCC-parse-failure-in-cast_op.patch Patch1: 0002-fuzzing-result-fuzz_torch_jit_lite_interpreter-read-.patch Patch2: 0003-fix-cve-2024-31580.patch +Patch3: 0004-fix-2024-31584.patch BuildRequires: python3-devel cmake gcc-c++ BuildRequires: python3-typing-extensions python3-pyyaml python3-setuptools @@ -73,6 +74,7 @@ This package contains development files for pythorch. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build @@ -140,6 +142,9 @@ end %{python3_sitearch}/torch/share %changelog +* Sat May 10 2025 yangjinlin01 - 2.0.1-6 +- fix CVE-2024-31584 + * Mon Apr 14 2025 yangjinlin01 - 2.0.1-5 - fix CVE-2024-31580 CVE-2024-31583 -- Gitee
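Review bot: `Patch3: 0004-fix-2024-31584.patch` drops the `cve-` prefix that `Patch2: 0003-fix-cve-2024-31580.patch` uses, so a grep for `cve-2024` across the spec and patch directory misses this fix; either rename the file to `0004-fix-cve-2024-31584.patch` or add `# CVE-2024-31584: flatbuffer loader out-of-bounds read, upstream PR #110162` above the Patch3 line. The `%patch3 -p1` and changelog lines otherwise match the pattern established for Patch1 and Patch2.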