
Fix allocation-size-too-big crash in prepare_input_tensors #8233

Merged (1 commit), Feb 6, 2025

Conversation

@dbort (Contributor) commented Feb 5, 2025

Summary:
(Adapted from an LLM-suggested fix for a fuzzer-discovered crash)

The crash is an allocation-size-too-big error that occurs when the prepare_input_tensors function attempts to allocate an excessively large amount of memory for the inputs array. This crash is caused by the function's inability to handle large numbers of inputs, resulting in an attempt to allocate a huge amount of memory that exceeds the system's limits.

The root cause of the crash is the lack of bounds checking on the num_inputs variable, which allows the function to attempt to allocate an arbitrarily large amount of memory. This is exacerbated by the fact that the function allocates memory for each input tensor separately, without checking the total size of all tensors before allocating memory for the inputs array.

The patch fixes the crash by adding bounds checking on the num_inputs variable and calculating the total size of all tensors before allocating memory for the inputs array.

Differential Revision: D68876117

pytorch-bot bot commented Feb 5, 2025

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/8233

❗ 1 Active SEV

❌ 1 New Failure, 2 Pending as of commit f71670a with merge base e7fd150.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@facebook-github-bot added the CLA Signed label Feb 5, 2025

@facebook-github-bot (Contributor) commented: This pull request was exported from Phabricator. Differential Revision: D68876117

@dbort added the module: extension and release notes: misc labels and removed the module: extension label Feb 5, 2025
@@ -40,10 +62,29 @@ Result<BufferCleanup> prepare_input_tensors(Method& method) {
}
Result<TensorInfo> tensor_meta = method_meta.input_tensor_meta(i);
if (!tensor_meta.ok()) {
BufferCleanup cleanup({inputs, num_allocated});
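Review bot: on the `!tensor_meta.ok()` path, `BufferCleanup cleanup({inputs, num_allocated});` relies on the destructor of a named local to free the partially filled inputs array, and a reader can easily mistake it for dead code; suggest a one-line comment there saying it frees the `num_allocated` buffers already allocated (not all `num_inputs`) before the error is returned, and checking that every other early return inside this loop uses the same cleanup so the leak this fixes cannot recur on a different path.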
@dbort (Contributor Author) commented inline: This PR also fixes this buffer leak

@dbort (Contributor Author) commented Feb 5, 2025

I was thinking that testing would require adding PTE files with a large number of inputs and large allocations, but I could use an existing PTE and just reduce the limits. I'll look into it.
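The following is an added example, not executorch's own code, of the shape of fix the PR summary describes (a cap on `num_inputs`, an overflow-safe total-size check before any allocation, and cleanup of partially allocated buffers on every error path) together with the testing approach dbort mentions above: the limits are runtime parameters so a test can lower them and hit the error paths with an ordinary, well-formed model. The types `TensorInfo`, `MethodMeta`, `Limits`, `Error`, `PreparedInputs`, the helper `prepare_with`, and the limit values are all assumptions made for this example; the real function returns `Result<BufferCleanup>` and reads its metadata from the PTE file, which is only paraphrased here.

```cpp
// Added example (not executorch code): simplified model of a hardened
// prepare_input_tensors. All names and limit values are assumptions.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <new>
#include <vector>

namespace example {

// Stand-in for per-input metadata read from the program file. `valid` models
// input_tensor_meta(i) returning a non-ok Result.
struct TensorInfo {
  bool valid;
  size_t nbytes;
};

// Stand-in for MethodMeta: num_inputs and each input's size come from the
// untrusted file, so neither may be used without checks.
struct MethodMeta {
  std::vector<TensorInfo> inputs;
  size_t num_inputs() const { return inputs.size(); }
};

// Caps are parameters so a test can lower them and exercise the error paths
// with a small, well-formed model. Default values are illustrative only.
struct Limits {
  size_t max_inputs = 16;
  size_t max_total_bytes = size_t{16} << 20;  // 16 MiB (assumed)
};

enum class Error { Ok, TooManyInputs, InputsTooLarge, BadMetadata, OutOfMemory };

// Owning container: every buffer is freed when it goes out of scope, so an
// early return on any error path cannot leak the inputs allocated so far.
struct PreparedInputs {
  std::vector<std::unique_ptr<uint8_t[]>> buffers;
};

// Unhardened shape, for comparison (do not use):
//   void** inputs = (void**)malloc(num_inputs * sizeof(void*));  // unchecked
//   for (...) inputs[i] = malloc(tensor_meta.nbytes());           // unchecked
// A corrupted num_inputs or nbytes turns either malloc into an absurd
// request, which a sanitizer reports as allocation-size-too-big.
Error prepare_input_tensors(const MethodMeta& meta, const Limits& lim,
                            PreparedInputs& out) {
  const size_t num_inputs = meta.num_inputs();
  // Bounds check on num_inputs before anything is sized from it.
  if (num_inputs > lim.max_inputs) {
    return Error::TooManyInputs;
  }

  // Validate all metadata and total the sizes before allocating anything.
  // `nbytes > remaining` is the overflow-safe form of `total + nbytes > max`.
  size_t total = 0;
  for (size_t i = 0; i < num_inputs; ++i) {
    const TensorInfo& info = meta.inputs[i];
    if (!info.valid) {
      return Error::BadMetadata;
    }
    if (info.nbytes > lim.max_total_bytes - total) {
      return Error::InputsTooLarge;
    }
    total += info.nbytes;
  }

  // Only now allocate. If an allocation fails part-way, `bufs` is destroyed
  // on return and frees what was already allocated (the leak class the PR
  // also addresses).
  PreparedInputs bufs;
  bufs.buffers.reserve(num_inputs);
  for (size_t i = 0; i < num_inputs; ++i) {
    std::unique_ptr<uint8_t[]> p(
        new (std::nothrow) uint8_t[meta.inputs[i].nbytes]);
    if (!p) {
      return Error::OutOfMemory;
    }
    bufs.buffers.push_back(std::move(p));
  }
  out = std::move(bufs);
  return Error::Ok;
}

// Helper (assumed, for the checks below): build metadata from a list of byte
// sizes, all marked valid, and return only the error code.
inline Error prepare_with(std::vector<size_t> sizes, Limits lim = {}) {
  MethodMeta meta;
  for (size_t n : sizes) meta.inputs.push_back({true, n});
  PreparedInputs out;
  return prepare_input_tensors(meta, lim, out);
}

}  // namespace example
```

With the default limits a two-input model prepares normally; the same model with `max_total_bytes` lowered to 100 bytes returns `InputsTooLarge`, which is the "reduce the limits" test strategy without needing a corrupt PTE. A single input of `SIZE_MAX` bytes is rejected by the remaining-capacity check rather than wrapping the running total.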

@facebook-github-bot (Contributor) commented: This pull request was exported from Phabricator. Differential Revision: D68876117

@dbort (Contributor Author) commented Feb 5, 2025

Added tests, thanks for pushing me to do so :) So many of these fuzzer fixes aren't unit-testable without corrupt PTE files, but this fix is.

Labels: CLA Signed, fb-exported, release notes: misc

3 participants