ggml: handle ggml_init failure to fix NULL pointer deref #8692
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`ggml_init` can fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call to `ggml_set_on_alloc`. This fixes it by bailing out if no context is found.
github-actions
bot
added
the
ggml
slaren
approved these changes
Jul 25, 2024
arthw
pushed a commit
to arthw/llama.cpp
that referenced
this pull request
Jul 27, 2024
`ggml_init` can fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call to `ggml_set_on_alloc`. This fixes it by bailing out if no context is found.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ggml_initcan fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call toggml_set_on_alloc.This fixes it by bailing out if no context is found.
This was found during development of the harness in google/oss-fuzz#12274
Stacktrace for issue:
================================================================= ==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x55d3c1406ab9 bp 0x7ffdd0f0e1d0 sp 0x7ffdd0f0e080 T0) ==18==The signal is caused by a WRITE memory access. ==18==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x55d3c1406ab9 in ggml_set_no_alloc /src/llama.cpp/ggml/src/ggml.c:3535:19 #1 0x55d3c1406ab9 in gguf_init_from_file /src/llama.cpp/ggml/src/ggml.c:21123:9 #2 0x55d3c14e89cd in llama_model_loader::llama_model_loader(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, bool, bool, llama_model_kv_override const*) /src/llama.cpp/src/llama.cpp:3636:16 #3 0x55d3c1483d85 in llama_model_load /src/llama.cpp/src/llama.cpp:7635:28 #4 0x55d3c1483d85 in llama_load_model_from_file /src/llama.cpp/src/llama.cpp:16387:18 #5 0x55d3c199b2c6 in LLVMFuzzerTestOneInput /src/llama.cpp/fuzzers/fuzz_load_model.cpp:44:19