Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Vulnerability Details

CWE Type(s): CWE-78
Severity: CRITICAL
Team: PyTorch Compile

Location

File: torch/_inductor/cpp_builder.py
Lines: 422-427

Description

CRITICAL command injection vulnerability in convert_cubin_to_obj function. The vulnerability occurs when:

File paths with spaces break cmd.split()
kernel_name parameter can inject command arguments
Multiple subprocess.run() calls use unsafe string interpolation

Three instances of f-string command construction with cmd.split() enable argument injection via filenames and kernel_name parameter.

Impact

Argument confusion from filenames with spaces
Command injection via cubin_file parameter
Argument injection via kernel_name parameter
Potential for arbitrary code execution during CUDA compilation

Root Cause

Using f-string command construction with cmd.split() breaks on filenames with spaces. Three instances in convert_cubin_to_obj function enable argument injection via filenames and kernel_name parameter.

Fix Status

MR Link: https://gitlab.com/redhat/rhel-ai/team-pytorch/pytorch/-/merge_requests/54
Fix Branch: security-fix-cwe78-cpp-builder-cubin
Status: IMPLEMENTED

Fix Implementation

Replaced all three instances of f-string command construction and cmd.split() with proper list-based command construction:

Line 422: ld command for converting .cubin to .o
Line 425: objcopy command for renaming .data to .rodata
Line 436: objcopy command for symbol renaming

This eliminates the risk of:

Argument confusion from filenames with spaces
Command injection via cubin_file parameter
Argument injection via kernel_name parameter

Related Exploit Files

test_cmd_injection_cpp_builder_502.py

Exploit Code Sample

# VULNERABLE CODE:
cmd = f"{ld} -r -b binary -z noexecstack -o {obj_file} {cubin_file}"
subprocess.run(cmd.split(), capture_output=True, text=True, check=True)

# ATTACK:
# cubin_file = "kernel.cubin --flag malicious.so"
# kernel_name = "kernel; rm -rf /"

# FIXED CODE:
cmd = [ld, "-r", "-b", "binary", "-z", "noexecstack", "-o", obj_file, cubin_file]
subprocess.run(cmd, capture_output=True, text=True, check=True)

References

CWE Reference: https://cwe.mitre.org/data/definitions/78.html
CVE Table: /pytorch_workspace/Security_related_files/Security_related_files/Command_Injection/Command_Injection_part_002/results/cve_analyzed_report.csv

Generated by CI Security Bot on 2026-01-31

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

test_cmd_injection_cpp_builder_502.py
12 kB
2026/01/31 7:05 PM
test_cwe78_cpp_builder_cmd_split.py
8 kB
2026/01/31 7:43 PM

Assignee:: Unassigned

Reporter:: Riya Punia

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2026/01/31 7:05 PM

Updated:: 2026/01/31 7:43 PM

Details

Description

Vulnerability Details

Location

Description

Impact

Root Cause

Fix Status

Fix Implementation

Related Exploit Files

Exploit Code Sample

References

Attachments

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty