diff --git a/0002-fix-CVE-2024-31583.patch b/0002-fix-CVE-2024-31583.patch
new file mode 100644
index 0000000000000000000000000000000000000000..138b869e8e3e049c10893ea90db4133ee4a9024c
--- /dev/null
+++ b/0002-fix-CVE-2024-31583.patch
@@ -0,0 +1,45 @@
+From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001
+From: Octavian Guzu
+Date: Fri, 29 Sep 2023 22:32:34 +0000
+Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
+ read-heap-use-after-free (size 8) in std::_Function_base::_M_empty()
+ (#110289)
+
+Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1009060456885023
+```
+doesn't crash anymore.
+
+Reviewed By: malfet
+
+Differential Revision: D49538326
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/interpreter.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp
+index 9183c067f65..6324ea9e3f0 100644
+--- a/torch/csrc/jit/mobile/interpreter.cpp
++++ b/torch/csrc/jit/mobile/interpreter.cpp
+@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {
+ mobile_debug_info->setOpIdx(pc);
+ }
+ }
+-
++ if (inst.X < 0 ||
++ static_cast(inst.X) >= code.operators_.size()) {
++ throw JITException("Invalid OP Instruction");
++ }
+ RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(
+ code.op_names_[inst.X].name, debug_handle, stack);
+ code.operators_[inst.X](stack);
+--
+2.39.3
+
diff --git a/0003-fix-CVE-2024-31580.patch b/0003-fix-CVE-2024-31580.patch
new file mode 100644
index 0000000000000000000000000000000000000000..692160346ded9be97bfe20048161bafae1f9401b
--- /dev/null
+++ b/0003-fix-CVE-2024-31580.patch
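Review bot: In 0002-fix-CVE-2024-31583.patch the new guard in `InterpreterState::run` bounds `inst.X` only against `code.operators_.size()`, yet the statement right after it also indexes `code.op_names_[inst.X]`. Whether the two vectors are always the same length is not visible in this hunk; if the bytecode loader does not enforce that, the condition should also include `static_cast<size_t>(inst.X) >= code.op_names_.size()`. As rendered here the cast reads `static_cast(inst.X)` with no template argument, which would not compile. That is presumably an extraction artefact, but it is worth confirming that the patch file is byte-identical to the upstream commit referenced in the spec. The body of `run` starts and ends outside the hunk.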
@@ -0,0 +1,38 @@
+From b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 Mon Sep 17 00:00:00 2001
+From: Octavian Guzu
+Date: Tue, 3 Oct 2023 18:48:08 +0000
+Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
+ read-heap-buffer-overflow-far-from-bounds (size 4) in c10::IValue::IValue()
+ (#110441)
+
+Summary: This diff fixes a heap underflow found by fuzzing in torch/csrc/jit/runtime/vararg_functions.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1753074381791061
+```
+doesn't crash anymore.
+
+Differential Revision: D49537535
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110441
+Approved by: https://github.com/Skylion007
+---
+ torch/csrc/jit/runtime/vararg_functions.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/torch/csrc/jit/runtime/vararg_functions.cpp b/torch/csrc/jit/runtime/vararg_functions.cpp
+index 69e2c0fc179060..bb28b61fe7e2c8 100644
+--- a/torch/csrc/jit/runtime/vararg_functions.cpp
++++ b/torch/csrc/jit/runtime/vararg_functions.cpp
+@@ -267,6 +267,9 @@ void listUnpack(Stack& stack, size_t num_outputs) {
+ }
+
+ void tupleConstruct(Stack& stack, size_t num_inputs) {
++ if (num_inputs > stack.size()) {
++ TORCH_CHECK(false, "Invalid number of inputs: ", num_inputs);
++ }
+ switch (num_inputs) {
+ case 0:
+ stack.emplace_back(c10::ivalue::Tuple::create());
diff --git a/0004-fix-CVE-2024-31584.patch b/0004-fix-CVE-2024-31584.patch
new file mode 100644
index 0000000000000000000000000000000000000000..823b04c32c8a2cdc66abcdb75809e82a987104e0
--- /dev/null
+++ b/0004-fix-CVE-2024-31584.patch
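Review bot: In 0003-fix-CVE-2024-31580.patch the guard in `tupleConstruct` wraps an unconditional `TORCH_CHECK(false, ...)` in an `if`, although the macro already takes the condition: `TORCH_CHECK(num_inputs <= stack.size(), "Invalid number of inputs: ", num_inputs);` states the same check in one line. Because this file is a backport, keeping it identical to the upstream commit may be preferable, in which case the simplification belongs upstream. The check is added only to `tupleConstruct`. Other functions in vararg_functions.cpp that take an element count (for example `listUnpack`, named in the hunk header) lie outside this hunk, so whether they validate the count against `stack.size()` cannot be judged here and should be checked. The body of `tupleConstruct` continues past the hunk.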
@@ -0,0 +1,34 @@
+From 7c35874ad664e74c8e4252d67521f3986eadb0e6 Mon Sep 17 00:00:00 2001
+From: Andrew Calvano
+Date: Fri, 17 Nov 2023 17:29:04 +0000
+Subject: [PATCH] Fix for PyTorch mobile flatbuffer loader out of bounds reads
+ (#110162)
+
+Summary:
+The mobile_ivalue_size field in the mobile_bytecode flatbuffer schema can be larger than the ivalues vector. This introduces potential for memory corruption when parsing the mobile_bytecode Module.
+
+This diff fixes the issue by ensuring that mobile_ivalue_size is less than the size of the ivalues vector.
+
+Test Plan: contbuild & OSS CI
+
+Differential Revision: D49687548
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110162
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/flatbuffer_loader.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/flatbuffer_loader.cpp b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+index d8380d2548b35a..09b5e9acffc66b 100644
+--- a/torch/csrc/jit/mobile/flatbuffer_loader.cpp
++++ b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule(
+ storage_loaded_.resize(module->storage_data_size(), false);
+
+ mobile_ivalue_size_ = module_->mobile_ivalue_size();
+- if (mobile_ivalue_size_ == 0) {
++ if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) {
+ mobile_ivalue_size_ = ivalues->size();
+ }
+
diff --git a/pytorch.spec b/pytorch.spec
index c04ea59aa98c919ed22e036fcf9f6e5e159d6002..e19def849559f08cb540c55a2bc750c475b8c2d4 100644
--- a/pytorch.spec
+++ b/pytorch.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 %global vcu_maj 12
 %global vcu_min 1
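Review bot: In 0004-fix-CVE-2024-31584.patch an out-of-range `mobile_ivalue_size` is silently clamped to `ivalues->size()` in `parseModule`, so a malformed or tampered module is still loaded and nothing is reported. Rejecting it would make such files visible to whoever operates the loader, for example `TORCH_CHECK(mobile_ivalue_size_ <= ivalues->size(), "mobile_ivalue_size exceeds ivalues size");` placed before the zero-default. The patch description says the value must be "less than" the vector size while the code accepts equality; the code looks right and only the wording is imprecise. `parseModule` starts and ends outside the hunk. Deviating from the upstream commit is a trade-off for a backport, so the stricter check may be better raised upstream.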
@@ -18,6 +18,12 @@ License: BSD URL: https://pytorch.org Source0: https://github.com/pytorch/pytorch/releases/download/v%{version}/pytorch-v%{version}.tar.gz Patch0: 0001-Workaround-NVCC-parse-failure-in-cast_op.patch +# https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 +Patch0001: 0002-fix-CVE-2024-31583.patch +# https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 +Patch0002: 0003-fix-CVE-2024-31580.patch +# https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6 +Patch0003: 0004-fix-CVE-2024-31584.patch BuildRequires: python3-devel cmake gcc-c++ BuildRequires: python3-typing-extensions python3-pyyaml python3-setuptools @@ -69,6 +75,9 @@ This package contains development files for pythorch. %prep %setup -q -n %{name}-v%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build @@ -136,6 +145,9 @@ end %{python3_sitearch}/torch/share %changelog +* Mon Jun 16 2025 wenxin - 2.0.1-5 +- add patch to fix CVE-2024-31583, CVE-2024-31580, CVE-2024-31584 + * Thu Nov 2 2023 Zhongling He - 2.0.1-4 - fix NVCC parse failure in cast_op
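Review bot: The patch tags are numbered one behind the file-name prefixes (`Patch0001: 0002-fix-CVE-2024-31583.patch`, and `%patch1 -p1` in the %prep hunk then applies file 0002), which is easy to misread when auditing which CVE fix is applied. Naming the CVE in each comment line, e.g. `# CVE-2024-31583: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2`, or aligning the numbers would remove the ambiguity. Newer rpm releases deprecate the `%patchN` form in favour of `%patch -P N`. The existing `%patch0` line uses the same form, so this is only worth changing if the target rpm version requires it.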