Type: Bug
Resolution: Duplicate
Vulnerability Types: CWE-476 (NULL Pointer Dereference), CWE-754 (Improper Check for Unusual or Exceptional Conditions), CWE-252 (Unchecked Return Value), CWE-465 (Pointer Issues), CWE-20 (Improper Input Validation), CWE-129 (Improper Validation of Array Index), CWE-680 (Integer Overflow to Buffer Overflow), CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound)
Location:
- File: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp
- Lines: 60-62
Related Exploit Files:
- exploit_cve_null_pointer_deref.py
- CVE_ANALYSIS_NULL_POINTER_DEREF.md
Details:
The _update function in SpmmReduceKernel.cpp contains NULL pointer dereference vulnerabilities at lines 60 and 62. The vulnerable code dereferences out_ptr and other_ptr without proper NULL checks:
    for (; k < K; k++) {
      opmath_t out_val = opmath_t(out_ptr[k]); // Line 60 - NULL deref
      out_val = update<opmath_t, reduce>(out_val, opmath_t(other_ptr[k]) * opmath_t(val));
      out_ptr[k] = out_val; // Line 62 - NULL deref
    }
The vulnerability can occur when:
1. out_ptr is NULL (from out.data_ptr<scalar_t>() returning NULL for zero-size or improperly allocated tensors)
2. other_ptr is NULL (from other.const_data_ptr<scalar_t>() returning NULL for empty dense tensors)
3. Invalid pointer arithmetic from large column indices causing overflow
Impact:
- Denial of Service (DoS) through application crash
- Potential for memory corruption with malformed CSR tensors
- Out-of-bounds memory access with invalid column indices
- Integer overflow in pointer arithmetic (c * K) with large values
Mitigations in Current Build:
- Python API validation prevents most attack vectors
- Early return for empty tensors (nnz=0)
- Dimension compatibility checks
- Zero-size handling
Remaining Vulnerabilities:
1. Weak CSR format validation - non-monotonic crow_indices are accepted
2. Missing runtime bounds checks on column indices during computation
3. No protection against integer overflow in offset calculations
4. Direct C++ API access can bypass Python validation
Recommendations:
1. Strengthen CSR format validation to reject non-monotonic crow_indices
2. Add runtime bounds checking for column indices
3. Add NULL pointer checks before dereferencing data_ptr() returns
4. Implement integer overflow protection using safe arithmetic
5. Add fuzz testing for edge cases
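The following is an added example of a pre-flight validator covering recommendations 1 through 4 (monotonic crow_indices, column-index bounds, NULL data pointers, overflow-safe offset arithmetic). It is not PyTorch code and not part of the report: the SpmmInputs and Verdict types, the field names, the scratch buffer and the sample inputs are all constructed for illustration, standing in for the tensor shapes and data_ptr() results the kernel actually sees. It checks the c * K and m * K offsets once, via N * K and M * K, since every column index that passes the bounds check satisfies c * K <= (N - 1) * K.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed description of one spmm_reduce call: a CSR matrix of shape (M x N)
// multiplied with a dense matrix `other` of shape (N x K). These are stand-in
// types for this example, not PyTorch's Tensor API.
struct SpmmInputs {
    int64_t M = 0, N = 0, K = 0;
    int64_t elem_size = 4;              // bytes per scalar_t (4 for float)
    std::vector<int64_t> crow_indices;  // length M + 1; [0] == 0, non-decreasing, [M] == nnz
    std::vector<int64_t> col_indices;   // length nnz; each value in [0, N)
    const void* out_ptr = nullptr;      // stand-in for out.data_ptr<scalar_t>()
    const void* other_ptr = nullptr;    // stand-in for other.const_data_ptr<scalar_t>()
};

struct Verdict {
    bool ok;
    std::string reason;  // empty when ok
};

// Scratch memory used as a non-NULL data pointer in the samples below.
static float g_scratch[16];

// Checked multiply: returns false when a * b does not fit in int64_t.
// __builtin_mul_overflow is available in GCC and Clang.
static bool mul_i64_checked(int64_t a, int64_t b, int64_t& out) {
    return !__builtin_mul_overflow(a, b, &out);
}

// Validates everything the kernel loop relies on before a single element is
// touched, returning the first violation so the caller can raise a clean error
// instead of dereferencing a bad pointer or computing an out-of-range offset.
Verdict validate_spmm_inputs(const SpmmInputs& in) {
    if (in.M < 0 || in.N < 0 || in.K < 0 || in.elem_size <= 0)
        return {false, "negative dimension or element size"};

    // Recommendation 1: crow_indices has M+1 entries, starts at 0, is monotonic.
    if (static_cast<int64_t>(in.crow_indices.size()) != in.M + 1)
        return {false, "crow_indices must have M+1 entries"};
    if (in.crow_indices.front() != 0)
        return {false, "crow_indices[0] must be 0"};
    for (size_t r = 1; r < in.crow_indices.size(); ++r) {
        if (in.crow_indices[r] < in.crow_indices[r - 1])
            return {false, "crow_indices not monotonic at row " + std::to_string(r)};
    }
    const int64_t nnz = in.crow_indices.back();
    if (static_cast<int64_t>(in.col_indices.size()) != nnz)
        return {false, "col_indices length must equal nnz"};

    // Nothing will be read or written: same early return the kernel already has.
    if (nnz == 0 || in.K == 0)
        return {true, ""};

    // Recommendation 3: both data pointers are dereferenced in the loop.
    if (in.out_ptr == nullptr || in.other_ptr == nullptr)
        return {false, "NULL data pointer with nnz > 0"};

    // Recommendation 4: c * K (other) and m * K (out) are bounded by N * K and M * K.
    // If those element counts, times the element size, fit in int64_t, every
    // per-row offset the loop computes fits too.
    int64_t span, bytes;
    if (!mul_i64_checked(in.N, in.K, span) || !mul_i64_checked(span, in.elem_size, bytes))
        return {false, "N * K offset overflows"};
    if (!mul_i64_checked(in.M, in.K, span) || !mul_i64_checked(span, in.elem_size, bytes))
        return {false, "M * K offset overflows"};

    // Recommendation 2: every column index must address a real row of `other`.
    for (int64_t i = 0; i < nnz; ++i) {
        const int64_t c = in.col_indices[i];
        if (c < 0 || c >= in.N)
            return {false, "col_indices[" + std::to_string(i) + "] out of range"};
    }
    return {true, ""};
}

int main() {
    // Constructed samples: a well-formed 2x3 CSR matrix, then one with
    // non-monotonic crow_indices and one whose N * K offset overflows.
    SpmmInputs good{2, 3, 2, 4, {0, 1, 3}, {2, 0, 1}, g_scratch, g_scratch};
    SpmmInputs bad_crow{2, 3, 2, 4, {0, 2, 1}, {2, 0, 1}, g_scratch, g_scratch};
    SpmmInputs overflow{1, int64_t(1) << 62, 4, 4, {0, 1}, {5}, g_scratch, g_scratch};
    for (const SpmmInputs* in : {&good, &bad_crow, &overflow}) {
        Verdict v = validate_spmm_inputs(*in);
        std::printf("%s%s\n", v.ok ? "ok" : "rejected: ", v.reason.c_str());
    }
    return 0;
}
```

Run as a stand-alone program it prints one verdict per sample; in a kernel entry point the same function would run once per call, before the row loop, with the rejection reason surfaced through the framework's error path.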
Exploitation Difficulty:
- Via Python API: VERY DIFFICULT (strong validation)
- Via C++ API: MODERATE (can bypass validation)
Severity: Medium (Potential DoS/Crash)