- Bug
- Resolution: Obsolete
- Major
Vulnerability Types: CWE-476 (NULL Pointer Dereference), CWE-703 (Improper Check or Handling of Exceptional Conditions), CWE-754 (Improper Check for Unusual or Exceptional Conditions), CWE-252 (Unchecked Return Value), CWE-125 (Out-of-bounds Read), CWE-665 (Improper Initialization), CWE-190 (Integer Overflow), CWE-362 (Race Condition)
Location:
- File: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp
- Lines: 60-62
Related Exploit Files:
- exploit_cve_null_pointer_spmm.py (10 exploit scenarios)
- exploit_cve_null_pointer_advanced.py (8 advanced techniques)
- exploit_cve_direct_trigger.py (6 direct trigger attempts)
- cve_null_pointer_analysis.md (detailed analysis)
- CVE_SUMMARY_REPORT.md (summary report)
Details:
NULL pointer dereference vulnerability in PyTorch sparse matrix multiplication kernel. The vulnerability exists in the _update template function where out_ptr and other_ptr are dereferenced without NULL checks in the scalar cleanup loop.
Vulnerable code:
    for (; k < K; k++) {
      opmath_t out_val = opmath_t(out_ptr[k]);                                                // LINE 60 - NULL DEREF
      out_val = update<opmath_t, reduce>(out_val, opmath_t(other_ptr[k]) * opmath_t(val));  // LINE 62 - NULL DEREF
      out_ptr[k] = out_val;
    }
Root Cause:
1. out_ptr can be NULL when buffer allocation fails or is not properly initialized
2. other_ptr can be NULL when computed as other_data + c * K with invalid column indices or empty tensors
3. No NULL checks exist before dereferencing these pointers
Impact:
- Denial of Service (DoS) through application crash
- Potential memory corruption
- Exploitable under specific conditions: memory allocation failure, invalid column indices, race conditions, or direct C++ API usage
- Current runtime protections (dimension validation, early returns) mitigate but do not eliminate the risk
Exploit Code Samples:
    import torch

    # Scenario 1: Invalid column indices causing out-of-bounds pointer arithmetic
    # (crow_indices and values are not given in the report; assumed here for a 2x10000 CSR with 2 nonzeros)
    crow_indices = torch.tensor([0, 1, 2], dtype=torch.int64)
    values = torch.tensor([1.0, 2.0], dtype=torch.float32)
    col_indices = torch.tensor([0, 9999], dtype=torch.int64)
    sparse = torch.sparse_csr_tensor(crow_indices, col_indices, values, size=(2, 10000))
    other = torch.randn(10, 3)  # Dimension mismatch
    result = torch.sparse.mm(sparse, other, reduce="sum")

    # Scenario 2: Empty tensor attack
    # (crow_indices/col_indices assumed for a 2x5 CSR with zero nonzeros)
    crow_indices = torch.tensor([0, 0, 0], dtype=torch.int64)
    col_indices = torch.tensor([], dtype=torch.int64)
    values = torch.tensor([], dtype=torch.float32)
    sparse = torch.sparse_csr_tensor(crow_indices, col_indices, values, size=(2, 5))

    # Scenario 3: Large column index overflow
    # (crow_indices/values assumed for a 1-row CSR with one nonzero)
    crow_indices = torch.tensor([0, 1], dtype=torch.int64)
    values = torch.tensor([1.0], dtype=torch.float32)
    col_indices = torch.tensor([9223372036854775807], dtype=torch.int64)
    sparse = torch.sparse_csr_tensor(crow_indices, col_indices, values, size=(1, 9223372036854775807))
Recommended Fix:
Add NULL pointer checks before dereference:
    for (; k < K; k++) {
      TORCH_CHECK(out_ptr != nullptr, "out_ptr is NULL");
      TORCH_CHECK(other_ptr != nullptr, "other_ptr is NULL");
      opmath_t out_val = opmath_t(out_ptr[k]);
      // ...
    }
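As an added example (not PyTorch's code), a bounds-checked version of the CSR row product that the cleanup loop above implements, in plain C++ with constructed inputs. It shows why the nullptr check alone is not enough for root cause 2: `other_data + c * K` computed from an out-of-range column index is non-null, so the dereference is an out-of-bounds read rather than a NULL dereference, and the column index itself has to be validated before the pointer is formed. The function names, the status enum and the argument layout are assumptions.

```cpp
#include <cstdint>
#include <vector>
// Status codes are returned rather than asserted, so the caller decides how to fail.
enum class SpmmStatus { Ok, NullBuffer, BadRowPtr, ColOutOfRange, BadSize };
// out[M x K] += A[M x N] (CSR: crow/col/val) * other[N x K], "sum" reduction.
// Sizes are trusted arguments and out is zero-initialised by the caller (assumptions).
SpmmStatus spmm_sum_checked(const int64_t* crow, const int64_t* col, const float* val,
                            int64_t nnz, int64_t M, int64_t N, int64_t K,
                            const float* other, float* out) {
  if (M < 0 || N < 0 || K < 0 || nnz < 0) return SpmmStatus::BadSize;
  if (!crow || !other || !out) return SpmmStatus::NullBuffer;
  if (nnz > 0 && (!col || !val)) return SpmmStatus::NullBuffer;  // empty CSR may carry null col/val
  if (crow[0] != 0 || crow[M] != nnz) return SpmmStatus::BadRowPtr;
  for (int64_t m = 0; m < M; ++m) {
    const int64_t start = crow[m], end = crow[m + 1];
    if (start > end || end > nnz) return SpmmStatus::BadRowPtr;  // row pointers must be monotone
    float* out_ptr = out + m * K;
    for (int64_t e = start; e < end; ++e) {
      const int64_t c = col[e];
      if (c < 0 || c >= N) return SpmmStatus::ColOutOfRange;  // other + c*K would leave the buffer
      const float* other_ptr = other + c * K;  // in bounds only because c < N was checked
      for (int64_t k = 0; k < K; ++k) out_ptr[k] += other_ptr[k] * val[e];
    }
  }
  return SpmmStatus::Ok;
}
// Constructed 2x3 CSR: row 0 = {1 at col 0, 2 at col 2}, row 1 = {3 at col 1}; other is 3x2.
static const std::vector<int64_t> kCrow{0, 2, 3};
static const std::vector<int64_t> kCol{0, 2, 1};
static const std::vector<float> kVal{1.f, 2.f, 3.f};
static const std::vector<float> kOther{1.f, 2.f, 3.f, 4.f, 5.f, 6.f};  // rows [1,2],[3,4],[5,6]
// Well-formed input: returns the product {11, 14, 9, 12}.
std::vector<float> demo_ok() {
  std::vector<float> out(4, 0.f);
  spmm_sum_checked(kCrow.data(), kCol.data(), kVal.data(), 3, 2, 3, 2, kOther.data(), out.data());
  return out;
}
// The report's scenario 1 (column index 9999 in a 3-column matrix) is rejected before any dereference.
SpmmStatus demo_bad_col() {
  const std::vector<int64_t> bad{0, 9999, 1};
  std::vector<float> out(4, 0.f);
  return spmm_sum_checked(kCrow.data(), bad.data(), kVal.data(), 3, 2, 3, 2, kOther.data(), out.data());
}
// The report's scenario 2 (zero non-zeros, null col/val) is a valid empty product, not a crash.
SpmmStatus demo_empty() {
  const std::vector<int64_t> crow0{0, 0, 0};
  std::vector<float> out(4, 0.f);
  return spmm_sum_checked(crow0.data(), nullptr, nullptr, 0, 2, 3, 2, kOther.data(), out.data());
}
```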