pytorch: fix cve-2024-31580

ddstreetmicrosoft · ddstreetmicrosoft · commit 458c5db4fd39 · 2024-04-22T15:08:31.000-04:00
diff --git a/SPECS/pytorch/CVE-2024-31580.patch b/SPECS/pytorch/CVE-2024-31580.patch
@@ -0,0 +1,38 @@
+From b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 Mon Sep 17 00:00:00 2001
+From: Octavian Guzu <octavguzu@fb.com>
+Date: Tue, 3 Oct 2023 18:48:08 +0000
+Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
+ read-heap-buffer-overflow-far-from-bounds (size 4) in c10::IValue::IValue()
+ (#110441)
+
+Summary: This diff fixes a heap underflow found by fuzzing in torch/csrc/jit/runtime/vararg_functions.cpp
+
+Test Plan:
+CI and
+```
+arc lionhead crash reproduce 1753074381791061
+```
+doesn't crash anymore.
+
+Differential Revision: D49537535
+
+Pull Request resolved: https://github.com/pytorch/pytorch/pull/110441
+Approved by: https://github.com/Skylion007
+---
+ torch/csrc/jit/runtime/vararg_functions.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/torch/csrc/jit/runtime/vararg_functions.cpp b/torch/csrc/jit/runtime/vararg_functions.cpp
+index 69e2c0fc1790603..bb28b61fe7e2c89 100644
+--- a/torch/csrc/jit/runtime/vararg_functions.cpp
++++ b/torch/csrc/jit/runtime/vararg_functions.cpp
+@@ -267,6 +267,9 @@ void listUnpack(Stack& stack, size_t num_outputs) {
+ }
+ 
+ void tupleConstruct(Stack& stack, size_t num_inputs) {
++  if (num_inputs > stack.size()) {
++    TORCH_CHECK(false, "Invalid number of inputs: ", num_inputs);
++  }
+   switch (num_inputs) {
+     case 0:
+       stack.emplace_back(c10::ivalue::Tuple::create());
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.0.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ URL:            https://pytorch.org/
 Source0:        https://github.com/pytorch/pytorch/releases/download/v%{version}/%{name}-v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # Use the generate_source_tarball.sh script to create a tarball of submodules during version updates.
 Source1:        %{name}-%{version}-submodules.tar.gz
+Patch0:         CVE-2024-31580.patch
 BuildRequires:  cmake
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@@ -55,7 +56,7 @@ PyTorch is a Python package that provides two high-level features:
 You can reuse your favorite Python packages such as NumPy, SciPy and Cython to extend PyTorch when needed.
 
 %prep
-%autosetup -a 1 -n %{name}-v%{version}
+%autosetup -a 1 -p 1 -n %{name}-v%{version}
 
 %build
 # Use MAX_JOBS=8 to prevent build failure in ADO pipelines
@@ -82,6 +83,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Mon Apr 22 2024 Dan Streetman <ddstreet@microsoft.com> - 2.0.0-4
+- patch CVE-2024-31580
+
 * Mon Dec 18 2023 Mandeep Plaha <mandeepplaha@microsoft.com> - 2.0.0-3
 - Set MAX_JOBS=8 to prevent build failure in ADO pipelines
 
