From 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 Mon Sep 17 00:00:00 2001
|
|
From: Octavian Guzu <octavian.guzu@gmail.com>
|
|
Date: Fri, 29 Sep 2023 22:32:34 +0000
|
|
Subject: [PATCH] [fuzzing result][fuzz_torch_jit_lite_interpreter]
|
|
read-heap-use-after-free (size 8) in std::_Function_base::_M_empty()
|
|
(#110289)
|
|
|
|
Summary: This diff fixes a heap UAF found by fuzzing in torch/csrc/jit/mobile/interpreter.cpp
|
|
|
|
Test Plan:
|
|
CI and
|
|
```
|
|
arc lionhead crash reproduce 1009060456885023
|
|
```
|
|
doesn't crash anymore.
|
|
|
|
Reviewed By: malfet
|
|
|
|
Differential Revision: D49538326
|
|
|
|
Pull Request resolved: https://github.com/pytorch/pytorch/pull/110289
|
|
Approved by: https://github.com/malfet
|
|
---
|
|
torch/csrc/jit/mobile/interpreter.cpp | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
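diff --git a/torch/csrc/jit/mobile/interpreter.cpp b/torch/csrc/jit/mobile/interpreter.cpp
index 9183c067f6599e8..6324ea9e3f03a18 100644
--- a/torch/csrc/jit/mobile/interpreter.cpp
+++ b/torch/csrc/jit/mobile/interpreter.cpp
@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {
 mobile_debug_info->setOpIdx(pc);
 }
 }
-
+ if (inst.X < 0 ||
+ static_cast<size_t>(inst.X) >= code.operators_.size()) {
+ throw JITException("Invalid OP Instruction");
+ }
 RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(
 code.op_names_[inst.X].name, debug_handle, stack);
 code.operators_[inst.X](stack);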
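Review bot: The added check bounds inst.X only against code.operators_.size(), yet the very next statements index code.op_names_[inst.X] with the same value before code.operators_[inst.X] is reached; unless operators_ and op_names_ are guaranteed to have equal length (not visible in this hunk), an out-of-range read can still occur through op_names_ on an untrusted bytecode file. Either extend the condition, e.g. `static_cast<size_t>(inst.X) >= code.op_names_.size()` joined with `||`, or state the invariant next to the check, e.g. `// operators_ and op_names_ are parallel vectors; one bound covers both`. The message would also help triage if it carried the offending index and the table size, since a fuzzer-found crash is typically reported with only the exception text. InterpreterState::run begins and ends outside this hunk, so other instruction handlers that index by inst.X in the same function were not reviewed here.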