pytorch: patch CVE-2024-27319

ddstreetmicrosoft · ddstreetmicrosoft · commit c4c51f59a6bf · 2024-04-22T15:08:31.000-04:00
diff --git a/SPECS/pytorch/CVE-2024-27319.patch b/SPECS/pytorch/CVE-2024-27319.patch
@@ -0,0 +1,72 @@
+diff -urpN pytorch-v2.0.0/third_party/onnx/onnx/common/assertions.cc b/third_party/onnx/onnx/common/assertions.cc
+--- pytorch-v2.0.0/third_party/onnx/onnx/common/assertions.cc	2023-04-03 15:46:03.000000000 -0400
++++ b/third_party/onnx/onnx/common/assertions.cc	2024-04-22 13:15:05.240131051 -0400
+@@ -6,6 +6,7 @@
+ // Adventurous users should note that the APIs will probably change.
+ 
+ #include "onnx/common/assertions.h"
++#include <array>
+ #include <cstdarg>
+ #include <cstdio>
+ #include "onnx/common/common.h"
+@@ -13,16 +14,20 @@
+ namespace ONNX_NAMESPACE {
+ 
+ std::string barf(const char* fmt, ...) {
+-  char msg[2048];
++  constexpr size_t buffer_size = 2048;
++  std::array<char, buffer_size> msg{};
+   va_list args;
+ 
+   va_start(args, fmt);
+-  // Although vsnprintf might have vulnerability issue while using format string with overflowed length,
+-  // it should be safe here to use fixed length for buffer "msg". No further checking is needed.
+-  vsnprintf(msg, 2048, fmt, args);
++
++  // use fixed length for buffer "msg" to avoid buffer overflow
++  vsnprintf(static_cast<char*>(msg.data()), msg.size() - 1, fmt, args);
++
++  // ensure null-terminated string to avoid out of bounds read
++  msg.back() = '\0';
+   va_end(args);
+ 
+-  return std::string(msg);
++  return std::string(msg.data());
+ }
+ 
+ void throw_assert_error(std::string& msg) {
+diff -urpN pytorch-v2.0.0/third_party/onnx-tensorrt/third_party/onnx/onnx/common/assertions.cc b/third_party/onnx-tensorrt/third_party/onnx/onnx/common/assertions.cc
+--- pytorch-v2.0.0/third_party/onnx-tensorrt/third_party/onnx/onnx/common/assertions.cc	2023-04-03 15:46:03.000000000 -0400
++++ b/third_party/onnx-tensorrt/third_party/onnx/onnx/common/assertions.cc	2024-04-22 13:14:01.512210959 -0400
+@@ -1,6 +1,7 @@
+ // ATTENTION: The code in this file is highly EXPERIMENTAL.
+ // Adventurous users should note that the APIs will probably change.
+ 
++#include <array>
+ #include <cstdarg>
+ #include <cstdio>
+ 
+@@ -9,14 +10,20 @@
+ namespace ONNX_NAMESPACE {
+ 
+ std::string barf(const char* fmt, ...) {
+-  char msg[2048];
++  constexpr size_t buffer_size = 2048;
++  std::array<char, buffer_size> msg{};
+   va_list args;
+ 
+   va_start(args, fmt);
+-  vsnprintf(msg, 2048, fmt, args);
++
++  // use fixed length for buffer "msg" to avoid buffer overflow
++  vsnprintf(static_cast<char*>(msg.data()), msg.size() - 1, fmt, args);
++
++  // ensure null-terminated string to avoid out of bounds read
++  msg.back() = '\0';
+   va_end(args);
+ 
+-  return std::string(msg);
++  return std::string(msg.data());
+ }
+ 
+ void throw_assert_error(std::string& msg) {
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
@@ -13,6 +13,8 @@ Source0:        https://github.com/pytorch/pytorch/releases/download/v%{version}
 Source1:        %{name}-%{version}-submodules.tar.gz
 Patch0:         CVE-2024-31580.patch
 Patch1:         CVE-2024-31583.patch
+Patch2:         CVE-2024-27319.patch
+
 BuildRequires:  cmake
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
