🐛 Describe the bug
Hi,
I found a bug during testing with libFuzzer.
It is located at /pytorch_fuzz/torch/csrc/jit/frontend/source_range.cpp:93 in torch::jit::SourceRange::print_with_context(). A segmentation fault and a heap buffer overflow were discovered in this function when processing a malformed model with the torch::jit::load function.
The bug is triggered when begin_line, obtained from another function, is used to access an element of the str array without checking its length.
```cpp
90 // determine CONTEXT line range
91 size_t begin_line = start(); // beginning of lines to highlight
92 size_t end_line = range_end;
--->93 while (begin_line > 0 && str[begin_line - 1] != '\n')
94 --begin_line;
```
The bug could be reproduced with the aot_model_compiler binary:
Segmentation fault (crash.zip) is reproduced only with sanitizers; on a clean binary it is a std::out_of_range exception:
Also there are ASan reports on heap buffer overflow (crash.zip) and heap use after free (crash.zip) for the same place.
Another segmentation fault (crash.zip) occurs in a different place but has a stack trace very similar to the segfault described above.
In /pytorch_fuzz/c10/util/intrusive_ptr.h:269:
Versions
PyTorch version: 1.12.0a0
Is debug build: False
CUDA used to build PyTorch: None
ROCM used to build PyTorch: N/A
OS: Ubuntu 20.04.3 LTS (x86_64)
GCC version: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Clang version: 14.0.0 (https://github.com/llvm/llvm-project.git de5b16d8ca2d14ff0d9b6be9cf40566bc7eb5a01)
CMake version: version 3.22.4
Libc version: glibc-2.31
Python version: 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0] (64-bit runtime)
Python platform: Linux-4.15.0-175-generic-x86_64-with-glibc2.29
Is CUDA available: False
CUDA runtime version: No CUDA
GPU models and configuration: No CUDA
Nvidia driver version: No CUDA
cuDNN version: No CUDA
HIP runtime version: N/A
MIOpen runtime version: N/A
Is XNNPACK available: N/A
Versions of relevant libraries:
[pip3] numpy==1.22.2
[conda] Could not collect
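As an added illustration of the missing length check the report points at (example code written for this page, not PyTorch's own source): a minimal stand-in for the context-line walk in print_with_context, in its unchecked form beside a version that validates begin_line against the size of str before indexing. The function names, the helper unchecked_throws and the sample string kSource are assumptions of this example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Added example, not PyTorch code: a stand-in for the context-line walk in
// SourceRange::print_with_context(). begin_line is treated as untrusted because
// the report shows it being derived from a malformed model.

// Unchecked form, as in the reported line 93: the loop reads str[begin_line - 1]
// without ever comparing begin_line with str.size(). Using str.at() here mirrors
// the clean (non-sanitizer) build, where the bad index surfaces as
// std::out_of_range instead of a silent out-of-bounds read.
std::size_t find_line_start_unchecked(const std::string& str, std::size_t begin_line) {
  while (begin_line > 0 && str.at(begin_line - 1) != '\n')
    --begin_line;
  return begin_line;
}

// Hardened form: reject any offset past the end of the buffer before indexing
// and hand the failure back to the caller (npos) rather than crashing.
std::size_t find_line_start_checked(const std::string& str, std::size_t begin_line) {
  if (begin_line > str.size())
    return std::string::npos;  // offset does not lie inside the source text
  while (begin_line > 0 && str[begin_line - 1] != '\n')
    --begin_line;
  return begin_line;
}

// Helper for exercising the unchecked form: true if the offset made it throw.
bool unchecked_throws(const std::string& str, std::size_t begin_line) {
  try {
    find_line_start_unchecked(str, begin_line);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

// Constructed sample source text: three lines, newlines at offsets 2 and 5.
const std::string kSource = "ab\ncd\nef";

int main() {
  // In range: both forms agree that offset 5 sits on the line starting at 3.
  // Out of range: the checked form returns npos, the unchecked form throws.
  return (find_line_start_checked(kSource, 5) == 3 &&
          find_line_start_checked(kSource, 100) == std::string::npos &&
          unchecked_throws(kSource, 100)) ? 0 : 1;
}
```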