From edcdf3e566caf42a78be06892952bc7f15dfb55b Mon Sep 17 00:00:00 2001
From: sa-buc
Date: Mon, 16 Jun 2025 18:15:32 +0800
Subject: [PATCH 1/2] add patch to fix CVE-2024-31580-31583-31584
---
0002-fix-CVE-2024-31583.patch | 45 +++++++++++++++++++++++++++++++++++
0003-fix-CVE-2024-31580.patch | 38 +++++++++++++++++++++++++++++
0004-fix-CVE-2024-31584.patch | 34 ++++++++++++++++++++++++++
pytorch.spec | 18 ++++++++++----
4 files changed, 130 insertions(+), 5 deletions(-)
create mode 100644 0002-fix-CVE-2024-31583.patch
create mode 100644 0003-fix-CVE-2024-31580.patch
create mode 100644 0004-fix-CVE-2024-31584.patch
diff --git a/0002-fix-CVE-2024-31583.patch b/0002-fix-CVE-2024-31583.patch
new file mode 100644
index 0000000..138b869
--- /dev/null
+++ b/0002-fix-CVE-2024-31583.patch
@@ -0,0 +1,45 @@
+From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001
+From: Octavian Guzu
+Date: Fri, 29 Sep 2023 22:32:34 +0000
+Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
+ read-heap-use-after-free (size 8) in std::_Function_base::_M_empty()
+ (#110289)
+
+Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1009060456885023
+```
+doesn't crash anymore.
+
+Reviewed By: malfet
+
+Differential Revision: D49538326
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/interpreter.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp
+index 9183c067f65..6324ea9e3f0 100644
+--- a/torch/csrc/jit/mobile/interpreter.cpp
++++ b/torch/csrc/jit/mobile/interpreter.cpp
+@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {
+ mobile_debug_info->setOpIdx(pc);
+ }
+ }
+-
++ if (inst.X < 0 ||
++ static_cast(inst.X) >= code.operators_.size()) {
++ throw JITException("Invalid OP Instruction");
++ }
+ RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(
+ code.op_names_[inst.X].name, debug_handle, stack);
+ code.operators_[inst.X](stack);
+--
+2.39.3
+
diff --git a/0003-fix-CVE-2024-31580.patch b/0003-fix-CVE-2024-31580.patch
new file mode 100644
index 0000000..6921603
--- /dev/null
+++ b/0003-fix-CVE-2024-31580.patch
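Review bot: The bounds check added before `RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS` in `InterpreterState::run` compares `inst.X` only against `code.operators_.size()`, yet the next statement also indexes `code.op_names_[inst.X]`, which the guard does not cover. If the two vectors can differ in length for a malformed module (not visible from this hunk), that read stays unchecked; adding `static_cast<size_t>(inst.X) >= code.op_names_.size() ||` to the condition would cover both accesses. The cast is rendered on this page as `static_cast(inst.X)`, so confirm that the stored patch file still carries its template argument and applies cleanly. The body of `run` starts and ends outside the hunk.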
@@ -0,0 +1,38 @@
+From b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 Mon Sep 17 00:00:00 2001
+From: Octavian Guzu
+Date: Tue, 3 Oct 2023 18:48:08 +0000
+Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
+ read-heap-buffer-overflow-far-from-bounds (size 4) in c10::IValue::IValue()
+ (#110441)
+
+Summary: This diff fixes a heap underflow found by fuzzing in torch/csrc/jit/runtime/vararg_functions.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1753074381791061
+```
+doesn't crash anymore.
+
+Differential Revision: D49537535
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110441
+Approved by: https://github.com/Skylion007
+---
+ torch/csrc/jit/runtime/vararg_functions.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/torch/csrc/jit/runtime/vararg_functions.cpp b/torch/csrc/jit/runtime/vararg_functions.cpp
+index 69e2c0fc179060..bb28b61fe7e2c8 100644
+--- a/torch/csrc/jit/runtime/vararg_functions.cpp
++++ b/torch/csrc/jit/runtime/vararg_functions.cpp
+@@ -267,6 +267,9 @@ void listUnpack(Stack& stack, size_t num_outputs) {
+ }
+
+ void tupleConstruct(Stack& stack, size_t num_inputs) {
++ if (num_inputs > stack.size()) {
++ TORCH_CHECK(false, "Invalid number of inputs: ", num_inputs);
++ }
+ switch (num_inputs) {
+ case 0:
+ stack.emplace_back(c10::ivalue::Tuple::create());
diff --git a/0004-fix-CVE-2024-31584.patch b/0004-fix-CVE-2024-31584.patch
new file mode 100644
index 0000000..823b04c
--- /dev/null
+++ b/0004-fix-CVE-2024-31584.patch
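Review bot: The guard added at the top of `tupleConstruct` wraps an unconditional `TORCH_CHECK(false, ...)` in an `if`, which hides the precondition from the reader and reports only one of the two values involved. Writing it as `TORCH_CHECK(num_inputs <= stack.size(), "Invalid number of inputs: ", num_inputs, ", stack size: ", stack.size());` states the invariant directly and gives both numbers when a malformed model is triaged. Only `tupleConstruct` receives the check here; whether the other helpers in vararg_functions.cpp that take a count of stack entries validate it is not visible from this hunk and is worth confirming as part of the backport. The function body continues outside the hunk.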
@@ -0,0 +1,34 @@
+From 7c35874ad664e74c8e4252d67521f3986eadb0e6 Mon Sep 17 00:00:00 2001
+From: Andrew Calvano
+Date: Fri, 17 Nov 2023 17:29:04 +0000
+Subject: [PATCH] Fix for PyTorch mobile flatbuffer loader out of bounds reads
+ (#110162)
+
+Summary:
+The mobile_ivalue_size field in the mobile_bytecode flatbuffer schema can be larger than the ivalues vector. This introduces potential for memory corruption when parsing the mobile_bytecode Module.
+
+This diff fixes the issue by ensuring that mobile_ivalue_size is less than the size of the ivalues vector.
+
+Test Plan: contbuild & OSS CI
+
+Differential Revision: D49687548
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110162
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/flatbuffer_loader.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/flatbuffer_loader.cpp b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+index d8380d2548b35a..09b5e9acffc66b 100644
+--- a/torch/csrc/jit/mobile/flatbuffer_loader.cpp
++++ b/torch/csrc/jit/mobile/flatbuffer_loader.cpp
+@@ -302,7 +302,7 @@ mobile::Module FlatbufferLoader::parseModule(
+ storage_loaded_.resize(module->storage_data_size(), false);
+
+ mobile_ivalue_size_ = module_->mobile_ivalue_size();
+- if (mobile_ivalue_size_ == 0) {
++ if (mobile_ivalue_size_ == 0 || mobile_ivalue_size_ > ivalues->size()) {
+ mobile_ivalue_size_ = ivalues->size();
+ }
+
diff --git a/pytorch.spec b/pytorch.spec
index c04ea59..e0b6b30 100644
--- a/pytorch.spec
+++ b/pytorch.spec
@@ -1,7 +1,7 @@ -%define anolis_release 4 +%define anolis_release 5 %global vcu_maj 12 -%global vcu_min 1 +%global vcu_min 5 %global _lto_cflags %{nil} %global __cmake_in_source_build 1 %undefine _hardened_build
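Review bot: In `FlatbufferLoader::parseModule`, a `mobile_ivalue_size_` larger than `ivalues->size()` is silently replaced with the vector length, so as far as this hunk shows a module with an inconsistent header field keeps loading with no diagnostic. A comment above the condition would record the intent, e.g. `// Clamp a zero or out-of-range count from the file so later indexing of ivalues stays in bounds.`; if malformed modules should be refused instead, `TORCH_CHECK(mobile_ivalue_size_ <= ivalues->size(), "mobile_ivalue_size exceeds ivalues size");` before the `if` makes that explicit. The patch description says the value is kept "less than" the vector size while the condition permits equality, so "no larger than" is the accurate wording. The function starts and ends outside the hunk.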
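Review bot: The change of `%global vcu_min` from 1 to 5 in this hunk, and the `ExcludeArch: loongarch64` line added in the next one, are not mentioned in the commit subject or in the new `%changelog` entry, which lists only the three CVE patches. Build-input changes bundled into a security backport are hard to audit afterwards, because a reader comparing release 4 with release 5 cannot tell them apart from the fix. Either move them to their own commit or record them in the 2.0.1-5 entry, for example `- bump vcu_min to 5, exclude loongarch64`.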
@@ -17,7 +17,14 @@ License: BSD URL: https://pytorch.org Source0: https://github.com/pytorch/pytorch/releases/download/v%{version}/pytorch-v%{version}.tar.gz +ExcludeArch: loongarch64 Patch0: 0001-Workaround-NVCC-parse-failure-in-cast_op.patch +# https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 +Patch0001: 0002-fix-CVE-2024-31583.patch +# https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 +Patch0002: 0003-fix-CVE-2024-31580.patch +# https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6 +Patch0003: 0004-fix-CVE-2024-31584.patch BuildRequires: python3-devel cmake gcc-c++ BuildRequires: python3-typing-extensions python3-pyyaml python3-setuptools
@@ -67,9 +74,7 @@ Requires: %{name} = %{version}-%{release} This package contains development files for pythorch. %prep -%setup -q -n %{name}-v%{version} -%patch0 -p1 - +%setup p1 -n %{name}-v%{version} %build export BUILD_TEST=False
@@ -136,6 +141,9 @@ end %{python3_sitearch}/torch/share %changelog +* Mon Jun 16 2025 zjl02254423 - 2.0.1-5 +- add patch to fix CVE-2024-31583, CVE-2024-31580, CVE-2024-31584 + * Thu Nov 2 2023 Zhongling He - 2.0.1-4 - fix NVCC parse failure in cast_op
-- Gitee
From 072e15f02ff07f140c21dd389308670b712f6f40 Mon Sep 17 00:00:00 2001
From: sa-buc
Date: Tue, 17 Jun 2025 16:44:25 +0800
Subject: [PATCH 2/2] update
---
pytorch.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pytorch.spec b/pytorch.spec
index e0b6b30..1caa9e8 100644
--- a/pytorch.spec
+++ b/pytorch.spec
@@ -74,7 +74,7 @@ Requires: %{name} = %{version}-%{release} This package contains development files for pythorch. %prep -%setup p1 -n %{name}-v%{version} +%autosetup -n %{name}-v%{version} -p1 %build export BUILD_TEST=False
-- Gitee
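Review bot: In the `%prep` hunk of PATCH 1/2, `%patch0 -p1` is removed and `%setup p1 -n %{name}-v%{version}` is left in its place; `%setup` does not apply patches, so at that revision none of `Patch0` to `Patch0003` would be applied even though the release is already 5 and the changelog claims the CVE fixes. PATCH 2/2 corrects the line to `%autosetup -n %{name}-v%{version} -p1`, so the two commits should be squashed so that no revision in history builds an unpatched package labelled as fixed. The patch files are numbered 0002 to 0004 while their tags are `Patch0001` to `Patch0003`; aligning the two numberings would make the tag-to-file mapping easier to audit.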