Bug
Resolution: Unresolved
Vulnerability Details
CWE Type(s): CWE-78 (OS Command Injection)
Severity: HIGH
Team: Unassigned
Location
- File: tools/code_coverage/package/tool/clang_coverage.py
- Lines: 93, 173
Description
Critical command injection vulnerability in code coverage tool export functionality. The code uses os.system() at line 93 with f-string formatting on untrusted input (llvm_tool_path, binary_file, shared_library_list, merged_file, json_file). This function is called from line 173 in export_target(), creating two related vulnerability points. Unsanitized file paths and tool paths are directly interpolated into shell commands.
Impact
- Arbitrary command execution with application privileges during code coverage operations
- System compromise through malicious file paths or tool paths
- Build/CI pipeline security risk
- Potential data exfiltration through injected commands
- Supply chain attack vector if malicious paths are introduced
Root Cause
Line 93 constructs a shell command using os.system() with f-string interpolation of unsanitized variables. Line 173 calls export_target() which invokes the vulnerable code at line 93. No input validation or sanitization is performed on file paths or tool paths before they are used in shell command construction.
Fix Status
MR Link: https://gitlab.com/redhat/rhel-ai/team-pytorch/pytorch/-/merge_requests/40
Fix Branch: security-fix-cwe78-clang-coverage
Status: IMPLEMENTED
Fix Summary: Replaced os.system() with subprocess.run() using list arguments (shell=False) to eliminate command injection risk. This single fix resolves both vulnerability points since line 173 calls the fixed function.
Related Exploit Files
- test_cmdi_clang_coverage_93.py - Tests for line 93 os.system vulnerability
- test_cmdi_clang_coverage_173.py - Tests for line 173 export_target call chain
Exploit Code Sample
# VULNERABLE CODE (line 93):
import os
cmd = f"{llvm_tool_path} -object={binary_file} -instr-profile={merged_file} -format=text > {json_file}"
os.system(cmd)

# ATTACK VECTOR:
llvm_tool_path = "llvm-cov; cat /etc/passwd #"
# Results in command: llvm-cov; cat /etc/passwd # -object=...
# Executes: cat /etc/passwd

# Or via binary_file:
binary_file = "app.bin; rm -rf / #"
# Results in command execution of: rm -rf /

# SAFE FIX:
import subprocess
with open(json_file, "w") as out:  # the '>' redirect is done by Python, not by a shell
    subprocess.run([
        llvm_tool_path,
        f"-object={binary_file}",
        f"-instr-profile={merged_file}",
        "-format=text",
    ], stdout=out, shell=False)
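The following is an added, self-contained check of the safe-fix pattern above (not code from the PyTorch repository or the MR): it runs the list-argument, shell=False export against a constructed stand-in for llvm-cov that echoes its argv, so you can confirm that values containing `;`, `#` or `>` arrive as single literal arguments and that nothing after the `;` is ever executed. `build_export_argv`, `export_coverage`, `demo` and the fake tool are assumptions made for this demonstration.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for llvm-cov (assumption, not the real tool): prints each
# argv entry it received on its own line, so we can see how arguments arrived.
_FAKE_TOOL_SRC = "import sys\nfor a in sys.argv[1:]:\n    print(a)\n"


def build_export_argv(llvm_tool_argv, binary_file, merged_file):
    """Argument vector for the export step. Each value is exactly one argv
    element, so shell metacharacters inside it are never interpreted."""
    return [*llvm_tool_argv,
            f"-object={binary_file}",
            f"-instr-profile={merged_file}",
            "-format=text"]


def export_coverage(llvm_tool_argv, binary_file, merged_file, json_file):
    """Hardened equivalent of the line-93 command: no shell is involved, and the
    '>' redirect is replaced by handing an open file to subprocess as stdout."""
    argv = build_export_argv(llvm_tool_argv, binary_file, merged_file)
    with open(json_file, "w") as out:
        subprocess.run(argv, stdout=out, shell=False, check=True)
    return Path(json_file).read_text().splitlines()


def demo():
    """Push hostile-looking (constructed) values through the fixed path and
    return the argv lines the tool actually saw."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp, "fake_llvm_cov.py")
        tool.write_text(_FAKE_TOOL_SRC)
        json_file = Path(tmp, "coverage.json")
        binary_file = "app.bin; echo INJECTED #"          # constructed test value
        merged_file = "merged.profdata > other.json"      # constructed test value
        return export_coverage([sys.executable, str(tool)],
                               binary_file, merged_file, json_file)


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

Under os.system() the same `binary_file` value would have terminated the llvm-cov command at the `;` and run `echo INJECTED` as a separate shell command; here it is one opaque argument.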
References
- CWE Reference: https://cwe.mitre.org/data/definitions/78.html
- CVE Table: /pytorch_workspace/Security_related_files/Security_related_files/Command_Injection/Command_Injection_part_005/results/cve_analyzed_report.csv
Generated by CI Security Bot