Security context
UnratedPYSEC-2024-251 CVE-2024-31583Published Apr 17, 2024

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.2.0

Details

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

The fix

[fuzzing result][fuzz_torch_jit_lite_interpreter]

Octavian Guzu· Sep 29, 2023, 10:32 PM+419c7071b0e3
torch/csrc/jit/mobile/interpreter.cpp+4 1
@@ -128,7 +128,10 @@ bool InterpreterState::run(Stack& stack) {
mobile_debug_info->setOpIdx(pc);
}
}
-
+ if (inst.X < 0 ||
+ static_cast<size_t>(inst.X) >= code.operators_.size()) {
+ throw JITException("Invalid OP Instruction");
+ }
RECORD_EDGE_SCOPE_WITH_DEBUG_HANDLE_AND_INPUTS(
code.op_names_[inst.X].name, debug_handle, stack);
code.operators_[inst.X](stack);

References