[AUTO-CHERRYPICK] Patch pytorch for CVE-2025-32434, CVE-2025-3730 [Critical] - branch main (#13592)

CBL-Mariner-Bot · Kanishk-Bansal · web-flow · commit 6d6e51137f54 · 2025-04-25T17:54:16.000-04:00
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/pytorch/CVE-2025-32434.patch b/SPECS/pytorch/CVE-2025-32434.patch
@@ -0,0 +1,75 @@
+From c27a81c2aee58626189631800841af0cc44e0873 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 23 Apr 2025 06:43:41 +0000
+Subject: [PATCH] Address CVE-2025-32434
+
+Upstream Patch Reference : https://github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
+
+Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
+---
+ test/test_serialization.py |  6 +++++-
+ torch/serialization.py     | 17 ++++++++++++-----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/test/test_serialization.py b/test/test_serialization.py
+index 9b9a7133..593f802a 100644
+--- a/test/test_serialization.py
++++ b/test/test_serialization.py
+@@ -404,7 +404,11 @@ class SerializationMixin:
+         b += [a[0].storage()]
+         b += [a[0].reshape(-1)[1:4].clone().storage()]
+         path = download_file('https://download.pytorch.org/test_data/legacy_serialized.pt')
+-        c = torch.load(path, weights_only=weights_only)
++        if weights_only:
++                with self.assertRaisesRegex(RuntimeError,
++                                            "Cannot use ``weights_only=True`` with files saved in the legacy .tar format."):
++                    c = torch.load(path, weights_only=weights_only)
++        c = torch.load(path, weights_only=False)
+         self.assertEqual(b, c, atol=0, rtol=0)
+         self.assertTrue(isinstance(c[0], torch.FloatTensor))
+         self.assertTrue(isinstance(c[1], torch.FloatTensor))
+diff --git a/torch/serialization.py b/torch/serialization.py
+index 83f6fa27..21ba1d07 100644
+--- a/torch/serialization.py
++++ b/torch/serialization.py
+@@ -33,6 +33,13 @@ STORAGE_KEY_SEPARATOR = ','
+ FILE_LIKE: TypeAlias = Union[str, os.PathLike, BinaryIO, IO[bytes]]
+ MAP_LOCATION: TypeAlias = Optional[Union[Callable[[torch.Tensor, str], torch.Tensor], torch.device, str, Dict[str, str]]]
+ 
++UNSAFE_MESSAGE = (
++     "In PyTorch 2.6, we changed the default value of the `weights_only` argument in `torch.load` "
++     "from `False` to `True`. Re-running `torch.load` with `weights_only` set to `False` will likely succeed, "
++     "but it can result in arbitrary code execution. Do it only if you got the file from a "
++     "trusted source."
++ )
++
+ __all__ = [
+     'SourceChangeWarning',
+     'mkdtemp',
+@@ -767,11 +774,6 @@ def load(
+         >>> torch.load('module.pt', encoding='ascii')
+     """
+     torch._C._log_api_usage_once("torch.load")
+-    UNSAFE_MESSAGE = (
+-        "Weights only load failed. Re-running `torch.load` with `weights_only` set to `False`"
+-        " will likely succeed, but it can result in arbitrary code execution."
+-        "Do it only if you get the file from a trusted source. WeightsUnpickler error: "
+-    )
+     # Add ability to force safe only weight loads via environment variable
+     if os.getenv("TORCH_FORCE_WEIGHTS_ONLY_LOAD", "0").lower() in ['1', 'y', 'yes', 'true']:
+         weights_only = True
+@@ -900,6 +902,11 @@ def _legacy_load(f, map_location, pickle_module, **pickle_load_args):
+ 
+         with closing(tarfile.open(fileobj=f, mode='r:', format=tarfile.PAX_FORMAT)) as tar, \
+                 mkdtemp() as tmpdir:
++            if pickle_module is _weights_only_unpickler:
++                raise RuntimeError(
++                    "Cannot use ``weights_only=True`` with files saved in the "
++                    "legacy .tar format. " + UNSAFE_MESSAGE
++                )
+ 
+             tar.extract('storages', path=tmpdir)
+             with open(os.path.join(tmpdir, 'storages'), 'rb', 0) as f:
+-- 
+2.45.2
+
diff --git a/SPECS/pytorch/CVE-2025-3730.patch b/SPECS/pytorch/CVE-2025-3730.patch
@@ -0,0 +1,40 @@
+From ee301f0a1132fa9bd7e3223fc64aa282eca12734 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 23 Apr 2025 06:37:47 +0000
+Subject: [PATCH] Address CVE-2025-3730
+
+Upstream Patch Reference : https://github.com/timocafe/pytorch/commit/46fc5d8e360127361211cb237d5f9eef0223e567
+
+Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
+---
+ aten/src/ATen/native/LossCTC.cpp     | 1 +
+ aten/src/ATen/native/cuda/LossCTC.cu | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/aten/src/ATen/native/LossCTC.cpp b/aten/src/ATen/native/LossCTC.cpp
+index 98733364..118cb467 100644
+--- a/aten/src/ATen/native/LossCTC.cpp
++++ b/aten/src/ATen/native/LossCTC.cpp
+@@ -59,6 +59,7 @@ static inline int64_t get_target_prime(target_t* target, int64_t offset, int64_t
+ // the alphas from the user by only returning the loss.
+ template<typename scalar_t, ScalarType target_scalar_type>
+ std::tuple<Tensor, Tensor> ctc_loss_cpu_template(const Tensor& log_probs, const Tensor& targets, IntArrayRef input_lengths, IntArrayRef target_lengths, int64_t BLANK) {
++  TORCH_CHECK(log_probs.numel() > 0, "log_probs tensor must not be empty");
+   // log_probs: input_len x batch_size x num_labels
+   // targets [int64]: batch_size x target_length OR sum(target_lengths)
+   constexpr scalar_t neginf = -std::numeric_limits<scalar_t>::infinity();
+diff --git a/aten/src/ATen/native/cuda/LossCTC.cu b/aten/src/ATen/native/cuda/LossCTC.cu
+index bb70b831..3c862993 100644
+--- a/aten/src/ATen/native/cuda/LossCTC.cu
++++ b/aten/src/ATen/native/cuda/LossCTC.cu
+@@ -211,6 +211,7 @@ ctc_loss_log_alpha_gpu_kernel(scalar_t* __restrict__ log_alpha_data,
+ // backward. The dispatch function will only return the loss.
+ template<typename scalar_t, ScalarType target_scalar_type>
+ std::tuple<Tensor, Tensor> ctc_loss_gpu_template(const Tensor& log_probs, const Tensor& targets, IntArrayRef input_lengths, IntArrayRef target_lengths, int64_t BLANK) {
++  TORCH_CHECK(log_probs.numel() > 0, "log_probs tensor must not be empty");
+   // log_probs: input_len x batch_size x num_labels
+   // targets [int64]: batch_size x target_length OR sum(target_lengths)
+   CheckedFrom c = "ctc_loss_gpu";
+-- 
+2.45.2
+
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.0.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -16,7 +16,9 @@ Patch1:         CVE-2024-31583.patch
 Patch2:         CVE-2024-27319.patch
 Patch3:         CVE-2024-31584.patch
 Patch4:         CVE-2024-27318.patch
-Patch5:         CVE-2022-1941.patch 
+Patch5:         CVE-2022-1941.patch
+Patch6:         CVE-2025-32434.patch
+Patch7:         CVE-2025-3730.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -89,6 +91,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Wed Apr 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.0.0-8
+- Patch CVE-2025-32434, CVE-2025-3730
+
 * Tue Dec 10 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 2.0.0-7
 - patch CVE-2022-1941
 
