Bug
Resolution: Unresolved
Vulnerability Types: CWE-476 (NULL Pointer Dereference), CWE-824 (Access of Uninitialized Pointer), CWE-822 (Untrusted Pointer Dereference), CWE-823 (Use of Out-of-range Pointer Offset), CWE-465 (Pointer Issues)
Location:
- File: aten/src/ATen/native/cpu/SpmmReduceKernel.cpp
- Lines: 60-62
Related Exploit Files:
1. test_cve_null_pointer_dereference.py - Comprehensive exploit test suite with 8 attack vectors
2. CVE_EXPLOIT_REPORT.md - Detailed vulnerability analysis and impact assessment
Details:
The vulnerability exists in the _update function where out_ptr is dereferenced without NULL checking. This affects sparse matrix multiplication operations in PyTorch.
Root Cause:
The out_ptr can be NULL when:
1. Output tensor has NULL data_ptr (uninitialized/empty tensor)
2. Buffer allocation fails
3. Sparse tensor has malformed structure
4. Invalid pointer arithmetic on NULL base
Vulnerable Code:
// Line 60
opmath_t out_val = opmath_t(out_ptr[k]);
// Line 62
out_ptr[k] = out_val;
Impact:
1. CONFIRMED Denial of Service (DoS) - Process crash with exit code 139 (SIGSEGV)
2. POSSIBLE Information Disclosure - Out-of-bounds reads may leak memory contents
3. POSSIBLE Memory Corruption - Out-of-bounds writes can corrupt heap metadata
4. LOW PROBABILITY Code Execution - Requires precise memory layout control
Affected Operations:
- torch.sparse.mm() - Sparse matrix multiplication
- torch.sparse.addmm() - Sparse addmm operations
- Any operation using spmm_reduce_kernel
- Gradient computation with sparse tensors
Exploit Scenarios:
1. Malformed Sparse Tensor (CONFIRMED EXPLOIT):
import torch

crow_indices = torch.tensor([0, 2, 10])  # Claims 10 elements but only 4 exist
col_indices = torch.tensor([0, 1, 0, 1])
values = torch.tensor([1.0, 2.0, 3.0, 4.0])
sparse = torch.sparse_csr_tensor(crow_indices, col_indices, values, size=(2, 2))
dense = torch.randn(2, 3)
result = torch.sparse.mm(sparse, dense)  # SEGMENTATION FAULT
2. Out-of-Bounds Column Indices (CWE-823):
col_indices = torch.tensor([0, 10, 0, 1]) # Index 10 is out of bounds
3. Negative Indices (Pointer Underflow):
col_indices = torch.tensor([0, -1, 0, 1]) # Negative index
Severity: HIGH
Exploitability: CONFIRMED - Reproducible crash with malformed sparse tensors
Recommendation: IMMEDIATE PATCHING REQUIRED
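A caller-side check of the CSR invariants that the three scenarios above break, as an added example that is not part of the original report or of PyTorch's code. The function name `csr_violations` and the sample inputs are hypothetical and constructed; the check runs on plain Python sequences so it can be applied before any tensor is built.

```python
# Added example: CSR invariant checks on plain Python sequences (no torch needed).
from typing import List, Sequence, Tuple


def csr_violations(crow: Sequence[int], col: Sequence[int],
                   nnz_values: int, size: Tuple[int, int]) -> List[str]:
    """Return the CSR invariants a (crow, col, values) triple breaks."""
    rows, cols = size
    problems: List[str] = []
    if len(col) != nnz_values:
        problems.append("col_indices and values differ in length")
    if len(crow) != rows + 1:
        problems.append(f"crow_indices has {len(crow)} entries, expected {rows + 1}")
        return problems  # per-row ranges below are meaningless without this
    if crow[0] != 0:
        problems.append("crow_indices[0] is not 0")
    if crow[-1] != len(col):
        problems.append(
            f"crow_indices[-1]={crow[-1]} but only {len(col)} column indices exist")
    for r in range(rows):
        width = crow[r + 1] - crow[r]  # number of stored entries in row r
        if width < 0 or width > cols:
            problems.append(f"row {r} spans {width} entries, outside 0..{cols}")
    for i, c in enumerate(col):
        if not 0 <= c < cols:
            problems.append(f"col_indices[{i}]={c} outside 0..{cols - 1}")
    return problems


# Constructed inputs mirroring the three scenarios in the report, plus a valid one.
SIZE = (2, 2)
SCENARIOS = {
    "valid": ([0, 2, 4], [0, 1, 0, 1]),
    "crow overrun": ([0, 2, 10], [0, 1, 0, 1]),
    "col out of range": ([0, 2, 4], [0, 10, 0, 1]),
    "negative col": ([0, 2, 4], [0, -1, 0, 1]),
}

if __name__ == "__main__":
    for name, (crow, col) in SCENARIOS.items():
        found = csr_violations(crow, col, nnz_values=4, size=SIZE)
        print(f"{name}: {'ok' if not found else '; '.join(found)}")
```

PyTorch can enforce the same invariants at construction time when `check_invariants=True` is passed to `torch.sparse_csr_tensor`.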
- impacts account: AIPCC-4625 Fixing security issues for PyTorch (New)