From aec66b9948491b69b4da0b6dce03281c2bbcd817 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Wed, 29 May 2024 11:19:58 +0800
Subject: [PATCH] Fix CVE-2024-31583
Backport upstream commit: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2
Signed-off-by: Zhao Mengmeng
---
 ...ter-free-size-8-in-std-_Function_bas.patch | 44 +++++++++++++++++++
 pytorch.spec | 6 ++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 Backport-read-heap-use-after-free-size-8-in-std-_Function_bas.patch
diff --git a/Backport-read-heap-use-after-free-size-8-in-std-_Function_bas.patch b/Backport-read-heap-use-after-free-size-8-in-std-_Function_bas.patch
new file mode 100644
index 0000000..261a6a9
--- /dev/null
+++ b/Backport-read-heap-use-after-free-size-8-in-std-_Function_bas.patch
@@ -0,0 +1,44 @@
+From ed9912d4520cc1792bab476c6d17769c9a5205ee Mon Sep 17 00:00:00 2001
+From: Octavian Guzu
+Date: Fri, 29 Sep 2023 22:32:34 +0000
+Subject: [PATCH] read-heap-use-after-free (size 8) in
+ std::_Function_base::_M_empty() (#110289)
+
+Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1009060456885023
+```
+doesn't crash anymore.
+
+Reviewed By: malfet
+
+Differential Revision: D49538326
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289
+Approved by: https://github.com/malfet
+---
+ torch/csrc/jit/mobile/interpreter.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp
+index 9183c067..6324ea9e 100644
+--- a/torch/csrc/jit/mobile/interpreter.cpp
++++ b/torch/csrc/jit/mobile/interpreter.cpp
+@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {
+ mobile_debug_info->setOpIdx(pc);
+ }
+ }
+-
++ if (inst.X < 0 ||
++ static_cast(inst.X) >= code.operators_.size()) {
++ throw JITException("Invalid OP Instruction");
++ }
+ RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(
+ code.op_names_[inst.X].name, debug_handle, stack);
+ code.operators_[inst.X](stack);
+--
+2.33.0
+
diff --git a/pytorch.spec b/pytorch.spec
index f482014..31ba4b9 100644
--- a/pytorch.spec
+++ b/pytorch.spec
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: pytorch
 Version: 2.1.2
-Release: 4
+Release: 5
 Summary: Tensors and Dynamic neural networks in Python with strong GPU acceleration
 License: BSD-3-Clause
 URL: https://pytorch.org/
@@ -12,6 +12,7 @@ Patch2: 0001-Fix-for-PyTorch-mobile-flatbuffer-loader-out-of-bounds-reads.patch
 %ifarch loongarch64
 Patch3: 0003-Add-loongarch64-support-for-third_party.patch
 %endif
+Patch4: Backport-read-heap-use-after-free-size-8-in-std-_Function_bas.patch
 BuildRequires: g++
 Requires: python3-future
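Review bot: The guard added in the embedded interpreter.cpp hunk compares `inst.X` only against `code.operators_.size()`, yet the statement right after it reads `code.op_names_[inst.X].name` from a different container. Nothing visible here guarantees that `op_names_` and `operators_` have the same length when the bytecode is malformed, so the name lookup may still index out of range; extending the condition with `|| static_cast<size_t>(inst.X) >= code.op_names_.size()` would cover both accesses. `InterpreterState::run` starts and ends outside the hunk, so any other instruction cases that index by `inst.X` cannot be checked from this page and deserve the same audit before the CVE is considered closed. A short comment above the check, e.g. `// inst.X is presumably taken from model bytecode; validate before indexing`, would record why it exists.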
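Review bot: `Patch4:` is only declared in the second pytorch.spec hunk, and the `%prep` section that would apply it is not visible, so confirm the build really applies the file with strip level 1 (the embedded patch uses `a/torch/...` paths), for example via `%autosetup -p1` or an explicit `%patch` line for patch 4 if patches are applied one by one. A patch that is declared but never applied would ship the CVE-2024-31583 fix in the source package while the built binaries stay unpatched. Placing the line after `%endif` keeps it unconditional on every architecture, which is correct for a security fix. As a matter of style, the file name does not follow the numeric `0001-`/`0003-` prefix used by the neighbouring patches.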
@@ -91,6 +92,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Wed May 29 2024 Zhao Mengmeng - 2.1.2-5
+- Fix CVE-2024-31583
+
 * Wed May 22 2024 zhangzikang - 2.1.2-4
 - Fix build error for loongarch64
--
Gitee