Skip to content

Add overflow checks to getLeadingDims and getTrailingDims#19270

Open
rascani wants to merge 2 commits intopytorch:mainfrom
rascani:export-D103467782
Open

Add overflow checks to getLeadingDims and getTrailingDims#19270
rascani wants to merge 2 commits intopytorch:mainfrom
rascani:export-D103467782

Conversation

@rascani
Copy link
Copy Markdown
Contributor

@rascani rascani commented May 1, 2026

Summary:
Add c10::mul_overflows() checks to the dimension-product loops in getLeadingDims() and getTrailingDims().

Both functions multiply tensor dimension sizes in a loop with no overflow protection. On 32-bit targets where size_t is 32 bits, malicious tensor dimensions from a crafted .pte file can cause the product to wrap silently, producing a small value that is then used for buffer offset calculations in 40+ kernels via coordinateToIndex(). This enables heap buffer overflows during operator execution.

MACA-2026-001 (T267380210).

Differential Revision: D103467782

@rascani @facebook-github-bot
Add overflow checks to getLeadingDims and getTrailingDims
e611bbc 
Summary:
Add `c10::mul_overflows()` checks to the dimension-product loops in `getLeadingDims()` and `getTrailingDims()`.

Both functions multiply tensor dimension sizes in a loop with no overflow protection. On 32-bit targets where `size_t` is 32 bits, malicious tensor dimensions from a crafted `.pte` file can cause the product to wrap silently, producing a small value that is then used for buffer offset calculations in 40+ kernels via `coordinateToIndex()`. This enables heap buffer overflows during operator execution.

MACA-2026-001 (T267380210).

Differential Revision: D103467782
@pytorch-bot
Copy link
Copy Markdown

pytorch-bot Bot commented May 1, 2026
edited
Loading

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19270

Note: Links to docs will display an error until the docs builds have been completed.

❌ 2 New Failures, 2 Unrelated Failures

As of commit 34ef14d with merge base a3dd0fa (image):

NEW FAILURES - The following jobs have failed:

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label May 1, 2026
@meta-codesync
Copy link
Copy Markdown
Contributor

meta-codesync Bot commented May 1, 2026

@rascani has exported this pull request. If you are a Meta employee, you can view the originating Diff in D103467782.

@rascani rascani marked this pull request as draft May 1, 2026 23:53
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 1, 2026

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

@rascani rascani marked this pull request as ready for review May 2, 2026 00:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lucylq lucylq lucylq approved these changes

@JacobSzwejbka JacobSzwejbka Awaiting requested review from JacobSzwejbka JacobSzwejbka is a code owner

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. fb-exported meta-exported

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rascani @lucylq