|
| 1 | +From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Octavian Guzu <octavian.guzu@gmail.com> |
| 3 | +Date: Fri, 29 Sep 2023 22:32:34 +0000 |
| 4 | +Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter] |
| 5 | + read-heap-use-after-free (size 8) in std::_Function_base::_M_empty() |
| 6 | + (#110289) |
| 7 | + |
| 8 | +Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp |
| 9 | + |
| 10 | +Test Plan: |
| 11 | +CI and |
| 12 | +``` |
| 13 | +arc lionhead crash reproduce 1009060456885023 |
| 14 | +``` |
| 15 | +doesn't crash anymore. |
| 16 | + |
| 17 | +Reviewed By: malfet |
| 18 | + |
| 19 | +Differential Revision: D49538326 |
| 20 | + |
| 21 | +Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289 |
| 22 | +Approved by: https://github.com/malfet |
| 23 | +--- |
| 24 | + torch/csrc/jit/mobile/interpreter.cpp | 5 ++++- |
| 25 | + 1 file changed, 4 insertions(+), 1 deletion(-) |
| 26 | + |
| 27 | +diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp |
| 28 | +index 9183c067f6599e8..6324ea9e3f03a18 100644 |
| 29 | +--- a/torch/csrc/jit/mobile/interpreter.cpp |
| 30 | ++++ b/torch/csrc/jit/mobile/interpreter.cpp |
| 31 | +@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) { |
| 32 | + mobile_debug_info->setOpIdx(pc); |
| 33 | + } |
| 34 | + } |
| 35 | +- |
| 36 | ++ if (inst.X < 0 || |
| 37 | ++ static_cast<size_t>(inst.X) >= code.operators_.size()) { |
| 38 | ++ throw JITException("Invalid OP Instruction"); |
| 39 | ++ } |
| 40 | + RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS( |
| 41 | + code.op_names_[inst.X].name, debug_handle, stack); |
| 42 | + code.operators_[inst.X](stack); |
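Review bot: The new guard compares inst.X only against code.operators_.size(), yet the line right after it indexes code.op_names_[inst.X] with the same index before operators_ is ever touched, so an out-of-range inst.X still reads past op_names_ unless the two vectors are guaranteed to be the same length (that invariant is not visible in this hunk). Either widen the check, `if (inst.X < 0 || static_cast<size_t>(inst.X) >= code.operators_.size() || static_cast<size_t>(inst.X) >= code.op_names_.size())`, or document the invariant next to the check, `// op_names_ and operators_ are parallel vectors; bounding one bounds both`. If other opcodes in this switch index per-instruction tables the same way they presumably need the same treatment, but they are outside the hunk. InterpreterState::run begins before and continues after this hunk.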