From b2aff7c870ce29a49f8c3b5bd9bad22811588227 Mon Sep 17 00:00:00 2001 From: zhongling Date: Thu, 2 Nov 2023 11:50:12 +0800 Subject: [PATCH] fix NVCC parse failure in cast_op --- ...around-NVCC-parse-failure-in-cast_op.patch | 51 +++++++++++++++++++ 0002-fix-CVE-2024-31583.patch | 45 ++++++++++++++++ 0003-fix-cve-2024-31580.patch | 38 ++++++++++++++ 0004-fix-CVE-2024-31584.patch | 34 +++++++++++++ pytorch.spec | 20 ++++++-- 5 files changed, 184 insertions(+), 4 deletions(-) create mode 100644 0001-Workaround-NVCC-parse-failure-in-cast_op.patch create mode 100644 0002-fix-CVE-2024-31583.patch create mode 100644 0003-fix-cve-2024-31580.patch create mode 100644 0004-fix-CVE-2024-31584.patch diff --git a/0001-Workaround-NVCC-parse-failure-in-cast_op.patch b/0001-Workaround-NVCC-parse-failure-in-cast_op.patch new file mode 100644 index 0000000..01c0fe0 --- /dev/null +++ b/0001-Workaround-NVCC-parse-failure-in-cast_op.patch 
@@ -0,0 +1,51 @@ +From e61ab44254dd585ba0f1bb6d056ecf2dbec7c24a Mon Sep 17 00:00:00 2001 +From: zhongling +Date: Thu, 2 Nov 2023 11:46:58 +0800 +Subject: [PATCH] Workaround NVCC parse failure in cast_op +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There is a bug in some CUDA versions (observed in CUDA 12.1 and 11.7 w/ +GCC 12.2), that makes cast_op fail to compile: +cast.h:45:120: error: expected template-name before ‘<’ token + +Defining the nested type as an alias and using it allows this to work +without any change in semantics. + +Fixes #4606 + +The alternative using a static_cast or similar fails due to ambiguity +with the const Foo& and Foo& operators (one of the tests) + +see also: https://github.com/pybind/pybind11/pull/4893/files +--- + third_party/pybind11/include/pybind11/cast.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/third_party/pybind11/include/pybind11/cast.h b/third_party/pybind11/include/pybind11/cast.h +index 430c62f3..0482e212 100644 +--- a/third_party/pybind11/include/pybind11/cast.h ++++ b/third_party/pybind11/include/pybind11/cast.h +@@ -39,13 +39,15 @@ using make_caster = type_caster>; + // Shortcut for calling a caster's `cast_op_type` cast operator for casting a type_caster to a T + template + typename make_caster::template cast_op_type cast_op(make_caster &caster) { +- return caster.operator typename make_caster::template cast_op_type(); ++ using result_t = typename make_caster::template cast_op_type; ++ return caster.operator result_t(); + } + template + typename make_caster::template cast_op_type::type> + cast_op(make_caster &&caster) { +- return std::move(caster).operator typename make_caster:: +- template cast_op_type::type>(); ++ using result_t = typename make_caster::template cast_op_type< ++ typename std::add_rvalue_reference::type>; ++ return std::move(caster).operator result_t(); + } + + template +-- +2.40.1 + 
diff --git a/0002-fix-CVE-2024-31583.patch b/0002-fix-CVE-2024-31583.patch new file mode 100644 index 0000000..138b869 --- /dev/null +++ b/0002-fix-CVE-2024-31583.patch @@ -0,0 +1,45 @@ +From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001 +From: Octavian Guzu +Date: Fri, 29 Sep 2023 22:32:34 +0000 +Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter] + read-heap-use-after-free (size 8) in std::_Function_base::_M_empty() + (#110289) + +Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp + +Test Plan: +CI and +``` +arc lionhead crash reproduce 1009060456885023 +``` +doesn't crash anymore. + +Reviewed By: malfet + +Differential Revision: D49538326 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289 +Approved by: https://github.com/malfet +--- + torch/csrc/jit/mobile/interpreter.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp +index 9183c067f65..6324ea9e3f0 100644 +--- a/torch/csrc/jit/mobile/interpreter.cpp ++++ b/torch/csrc/jit/mobile/interpreter.cpp +@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) { + mobile_debug_info->setOpIdx(pc); + } + } +- ++ if (inst.X < 0 || ++ static_cast(inst.X) >= code.operators_.size()) { ++ throw JITException("Invalid OP Instruction"); ++ } + RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS( + code.op_names_[inst.X].name, debug_handle, stack); + code.operators_[inst.X](stack); +-- +2.39.3 + diff --git a/0003-fix-cve-2024-31580.patch b/0003-fix-cve-2024-31580.patch new file mode 100644 index 0000000..6921603 --- /dev/null +++ b/0003-fix-cve-2024-31580.patch 
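Review bot: The added guard in the inner hunk bounds `inst.X` against `code.operators_.size()` only, but the very next statement also indexes `code.op_names_[inst.X].name`; if the two vectors can ever differ in length (presumably the loader keeps them in lockstep, worth confirming against the loader), the name lookup is still an out-of-bounds read. Since this file is a verbatim carry of upstream commit 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2, any extra check should be taken from upstream or added as a separate follow-on patch rather than by editing this file. The enclosing InterpreterState::run begins and ends outside the hunk.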
@@ -0,0 +1,38 @@ +From b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 Mon Sep 17 00:00:00 2001 +From: Octavian Guzu +Date: Tue, 3 Oct 2023 18:48:08 +0000 +Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter] + read-heap-buffer-overflow-far-from-bounds (size 4) in c10::IValue::IValue() + (#110441) + +Summary: This diff fixes a heap underflow found by fuzzing in torch/csrc/jit/runtime/vararg_functions.cpp + +Test Plan: +CI and +``` +arc lionhead crash reproduce 1753074381791061 +``` +doesn't crash anymore. + +Differential Revision: D49537535 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110441 +Approved by: https://github.com/Skylion007 +--- + torch/csrc/jit/runtime/vararg_functions.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/torch/csrc/jit/runtime/vararg_functions.cpp b/torch/csrc/jit/runtime/vararg_functions.cpp +index 69e2c0fc179060..bb28b61fe7e2c8 100644 +--- a/torch/csrc/jit/runtime/vararg_functions.cpp ++++ b/torch/csrc/jit/runtime/vararg_functions.cpp +@@ -267,6 +267,9 @@ void listUnpack(Stack& stack, size_t num_outputs) { + } + + void tupleConstruct(Stack& stack, size_t num_inputs) { ++ if (num_inputs > stack.size()) { ++ TORCH_CHECK(false, "Invalid number of inputs: ", num_inputs); ++ } + switch (num_inputs) { + case 0: + stack.emplace_back(c10::ivalue::Tuple::create()); diff --git a/0004-fix-CVE-2024-31584.patch b/0004-fix-CVE-2024-31584.patch new file mode 100644 index 0000000..823b04c --- /dev/null +++ b/0004-fix-CVE-2024-31584.patch 
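Review bot: This file is created as 0003-fix-cve-2024-31580.patch (lowercase "cve", also visible in the diffstat and the create-mode line), while the spec's new `Patch0002:` tag and the sibling files 0002-fix-CVE-2024-31583.patch and 0004-fix-CVE-2024-31584.patch use uppercase "CVE"; on a case-sensitive filesystem rpmbuild will not find the source file for Patch0002 and the build fails. Rename the file to `0003-fix-CVE-2024-31580.patch` (or change the spec line to `Patch0002: 0003-fix-cve-2024-31580.patch`) so the two agree. The same mismatch appears in the pytorch.spec Patch hunk later in this commit.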
@@ -0,0 +1,34 @@ +From 7c35874ad664e74c8e4252d67521f3986eadb0e6 Mon Sep 17 00:00:00 2001 +From: Andrew Calvano +Date: Fri, 17 Nov 2023 17:29:04 +0000 +Subject: [PATCH] Fix for PyTorch mobile flatbuffer loader out of bounds reads + (#110162) + +Summary: +The mobile_ivalue_size field in the mobile_bytecode flatbuffer schema can be larger than the ivalues vector. This introduces potential for memory corruption when parsing the mobile_bytecode Module. + +This diff fixes the issue by ensuring that mobile_ivalue_size is less than the size of the ivalues vector. + +Test Plan: contbuild & OSS CI + +Differential Revision: D49687548 + +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110162 +Approved by: https://github.com/malfet +--- + torch/csrc/jit/mobile/flatbuffer_loader.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/torch/csrc/jit/mobile/flatbuffer_loader.cpp b/torch/csrc/jit/mobile/flatbuffer_loader.cpp +index d8380d2548b35a..09b5e9acffc66b 100644 +--- a/torch/csrc/jit/mobile/flatbuffer_loader.cpp ++++ b/torch/csrc/jit/mobile/flatbuffer_loader.cpp +@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule( + storage_loaded_.resize(module->storage_data_size(), false); + + mobile_ivalue_size_ = module_->mobile_ivalue_size(); +- if (mobile_ivalue_size_ == 0) { ++ if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) { + mobile_ivalue_size_ = ivalues->size(); + } + diff --git a/pytorch.spec b/pytorch.spec index 3104847..a0156f6 100644 --- a/pytorch.spec +++ b/pytorch.spec @@ -1,7 +1,7 @@ -%define anolis_release 3 +%define anolis_release 6 %global vcu_maj 12 -%global vcu_min 1 +%global vcu_min 5 %global _lto_cflags %{nil} %global __cmake_in_source_build 1 %undefine _hardened_build 
@@ -17,6 +17,13 @@ License: BSD URL: https://pytorch.org Source0: https://github.com/pytorch/pytorch/releases/download/v%{version}/pytorch-v%{version}.tar.gz +Patch0: 0001-Workaround-NVCC-parse-failure-in-cast_op.patch +# https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 +Patch0001: 0002-fix-CVE-2024-31583.patch +# https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 +Patch0002: 0003-fix-CVE-2024-31580.patch +# https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6 +Patch0003: 0004-fix-CVE-2024-31584.patch BuildRequires: python3-devel cmake gcc-c++ BuildRequires: python3-typing-extensions python3-pyyaml python3-setuptools @@ -66,8 +73,7 @@ Requires: %{name} = %{version}-%{release} This package contains development files for pythorch. %prep -%setup -q -n %{name}-v%{version} - +%setup p1 -n %{name}-v%{version} %build export BUILD_TEST=False @@ -134,6 +140,12 @@ end %{python3_sitearch}/torch/share %changelog +* Mon Jun 16 2025 zjl02254423 -2.0.1-6 +- add patch to fix CVE-2024-31583, CVE-2024-31580, CVE-2024-31584 + +* Thu Nov 2 2023 Zhongling He - 2.0.1-4 +- fix NVCC parse failure in cast_op + * Tue Aug 29 2023 Chunmei Xu - 2.0.1-3 - reflator spec file -- Gitee
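Review bot: The new Patch tags mix two numbering styles, `Patch0` for the NVCC workaround and `Patch0001`..`Patch0003` for the CVE fixes, and only the CVE entries carry a comment naming their upstream commit. Using one scheme (`Patch1: 0002-fix-CVE-2024-31583.patch` and so on) and giving Patch0 the same kind of provenance comment, e.g. `# https://github.com/pybind/pybind11/pull/4893`, which is the reference the patch file itself cites, keeps the block consistent and makes later rebases easier to audit. Whether any %patch macro elsewhere relies on the current numbers is not visible in this hunk.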
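Review bot: `%setup p1 -n %{name}-v%{version}` in the %prep hunk does not apply any of the four Patch tags: `%setup` only unpacks Source0, `p1` is not one of its options (rpmbuild will either reject the stray argument or ignore it), and no `%patch` lines follow before `%build`, so the three CVE fixes the changelog announces never reach the built tree. Replace the line with `%autosetup -p1 -n %{name}-v%{version}`, which unpacks quietly and applies every Patch tag with -p1, or keep `%setup -q` and add explicit `%patch` lines for each patch. The rest of %prep and %build is outside the hunk.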