Pytorch use-after-free vulnerability
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
0 → fixed in 2.2.0
Details
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
The fix
[fuzzing result][fuzz_torch_jit_lite_interpreter]
torch/csrc/jit/mobile/interpreter.cpp+4 −1
@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {mobile_debug_info->setOpIdx(pc);}}-+if (inst.X < 0 ||+static_cast<size_t>(inst.X) >= code.operators_.size()) {+throw JITException("Invalid OP Instruction");+}RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(code.op_names_[inst.X].name, debug_handle, stack);code.operators_[inst.X](stack);
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-31583
- WEBhttps://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2
- WEBhttps://gist.github.com/1047524396/43e19a41f2b36503a4a228c32cdbc176
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2024-251.yaml
- PACKAGEhttps://github.com/pytorch/pytorch
- WEBhttps://github.com/pytorch/pytorch/blob/v2.1.2/torch/csrc/jit/mobile/interpreter.cpp#L132
- WEBhttps://security.snyk.io/vuln/SNYK-PYTHON-TORCH-6619806