[AUTO-CHERRYPICK] Patch pytorch for CVE-2025-32434, CVE-2025-3730 [Critical] - branch 3.0-dev (#13563)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/pytorch/CVE-2025-32434.patch

@@ -0,0 +1,75 @@
+From d62cafe6ad9af635318d51d61f870ee038275cfe Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 23 Apr 2025 06:09:50 +0000
+Subject: [PATCH] Address CVE-2025-32434
+
+Upstream Patch Reference : https://github.com/pytorch/pytorch/commit/8d4b8a920a2172523deb95bf20e8e52d50649c04
+
+Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
+---
+ test/test_serialization.py |  6 +++++-
+ torch/serialization.py     | 17 ++++++++++++-----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/test/test_serialization.py b/test/test_serialization.py
+index c7fdbe7..6126fb2 100644
+--- a/test/test_serialization.py
++++ b/test/test_serialization.py
+@@ -426,7 +426,11 @@ class SerializationMixin:
+         b += [a[0].storage()]
+         b += [a[0].reshape(-1)[1:4].clone().storage()]
+         path = download_file('https://download.pytorch.org/test_data/legacy_serialized.pt')
+-        c = torch.load(path, weights_only=weights_only)
++        if weights_only:
++            with self.assertRaisesRegex(RuntimeError,
++                                        "Cannot use ``weights_only=True`` with files saved in the legacy .tar format."):
++                c = torch.load(path, weights_only=weights_only)
++        c = torch.load(path, weights_only=False)
+         self.assertEqual(b, c, atol=0, rtol=0)
+         self.assertTrue(isinstance(c[0], torch.FloatTensor))
+         self.assertTrue(isinstance(c[1], torch.FloatTensor))
+diff --git a/torch/serialization.py b/torch/serialization.py
+index 9d02efd..a67bff1 100644
+--- a/torch/serialization.py
++++ b/torch/serialization.py
+@@ -35,6 +35,13 @@ FILE_LIKE: TypeAlias = Union[str, os.PathLike, BinaryIO, IO[bytes]]
+ MAP_LOCATION: TypeAlias = Optional[Union[Callable[[torch.Tensor, str], torch.Tensor], torch.device, str, Dict[str, str]]]
+ STORAGE: TypeAlias = Union[Storage, torch.storage.TypedStorage, torch.UntypedStorage]
+ 
++UNSAFE_MESSAGE = (
++    "In PyTorch 2.6, we changed the default value of the `weights_only` argument in `torch.load` "
++    "from `False` to `True`. Re-running `torch.load` with `weights_only` set to `False` will likely succeed, "
++    "but it can result in arbitrary code execution. Do it only if you got the file from a "
++    "trusted source."
++)
++
+ __all__ = [
+     'SourceChangeWarning',
+     'mkdtemp',
+@@ -970,11 +977,6 @@ def load(
+         >>> torch.load('module.pt', encoding='ascii', weights_only=False)
+     """
+     torch._C._log_api_usage_once("torch.load")
+-    UNSAFE_MESSAGE = (
+-        "Weights only load failed. Re-running `torch.load` with `weights_only` set to `False`"
+-        " will likely succeed, but it can result in arbitrary code execution."
+-        "Do it only if you get the file from a trusted source. WeightsUnpickler error: "
+-    )
+     # Add ability to force safe only weight loads via environment variable
+     if os.getenv("TORCH_FORCE_WEIGHTS_ONLY_LOAD", "0").lower() in ['1', 'y', 'yes', 'true']:
+         weights_only = True
+@@ -1125,6 +1127,11 @@ def _legacy_load(f, map_location, pickle_module, **pickle_load_args):
+ 
+         with closing(tarfile.open(fileobj=f, mode='r:', format=tarfile.PAX_FORMAT)) as tar, \
+                 mkdtemp() as tmpdir:
++            if pickle_module is _weights_only_unpickler:
++                raise RuntimeError(
++                    "Cannot use ``weights_only=True`` with files saved in the "
++                    "legacy .tar format. " + UNSAFE_MESSAGE
++                )
+ 
+             tar.extract('storages', path=tmpdir)
+             with open(os.path.join(tmpdir, 'storages'), 'rb', 0) as f:
+-- 
+2.45.2
+

SPECS/pytorch/CVE-2025-3730.patch

@@ -0,0 +1,40 @@
+From 76a501810c4444cea0f5959d8650539b450ecbe6 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Wed, 23 Apr 2025 06:12:30 +0000
+Subject: [PATCH] Address CVE-2025-3730
+
+Upstream Patch Reference : https://github.com/timocafe/pytorch/commit/46fc5d8e360127361211cb237d5f9eef0223e567
+
+Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
+---
+ aten/src/ATen/native/LossCTC.cpp     | 1 +
+ aten/src/ATen/native/cuda/LossCTC.cu | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/aten/src/ATen/native/LossCTC.cpp b/aten/src/ATen/native/LossCTC.cpp
+index 595eaf9..47c2c40 100644
+--- a/aten/src/ATen/native/LossCTC.cpp
++++ b/aten/src/ATen/native/LossCTC.cpp
+@@ -119,6 +119,7 @@ std::tuple<Tensor, Tensor, size_t, std::vector<int64_t>> ctc_loss_allocate_outpu
+ // the alphas from the user by only returning the loss.
+ template<typename scalar_t, ScalarType target_scalar_type>
+ std::tuple<Tensor, Tensor> ctc_loss_cpu_template(const Tensor& log_probs, const Tensor& targets, IntArrayRef input_lengths, IntArrayRef target_lengths, int64_t BLANK) {
++  TORCH_CHECK(log_probs.numel() > 0, "log_probs tensor must not be empty");
+   // log_probs: input_len x batch_size x num_labels
+   // targets [int64]: batch_size x target_length OR sum(target_lengths)
+   constexpr scalar_t neginf = -std::numeric_limits<scalar_t>::infinity();
+diff --git a/aten/src/ATen/native/cuda/LossCTC.cu b/aten/src/ATen/native/cuda/LossCTC.cu
+index 5fb86d1..4bb90fc 100644
+--- a/aten/src/ATen/native/cuda/LossCTC.cu
++++ b/aten/src/ATen/native/cuda/LossCTC.cu
+@@ -211,6 +211,7 @@ ctc_loss_log_alpha_gpu_kernel(scalar_t* __restrict__ log_alpha_data,
+ // backward. The dispatch function will only return the loss.
+ template<typename scalar_t, ScalarType target_scalar_type>
+ std::tuple<Tensor, Tensor> ctc_loss_gpu_template(const Tensor& log_probs, const Tensor& targets, IntArrayRef input_lengths, IntArrayRef target_lengths, int64_t BLANK) {
++  TORCH_CHECK(log_probs.numel() > 0, "log_probs tensor must not be empty");
+   // log_probs: input_len x batch_size x num_labels
+   // targets [int64]: batch_size x target_length OR sum(target_lengths)
+   CheckedFrom c = "ctc_loss_gpu";
+-- 
+2.45.2
+

SPECS/pytorch/pytorch.spec

@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.2.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -29,6 +29,8 @@ Patch4:         CVE-2024-27319.patch
 Patch5:         CVE-2021-22918.patch
 Patch6:         CVE-2024-7776.patch
 Patch7:         CVE-2021-22569.patch
+Patch8:         CVE-2025-32434.patch
+Patch9:         CVE-2025-3730.patch
 
 %description
 PyTorch is a Python package that provides two high-level features:
@@ -90,6 +92,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Wed Apr 23 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.2.2-6
+- Patch CVE-2025-32434, CVE-2025-3730
+
 * Mon Mar 31 2025 Kanishk Bansal <kanbansal@microsoft.com> - 2.2.2-5
 - Patch CVE-2021-22569, CVE-2024-7776