Heap Buffer Overflow in PyTorch torch.jit.export Leading to Denial of Service
Overview
A heap-based buffer overflow vulnerability was discovered in the `torch.jit.export` function of the PyTorch library. This function is used to serialize a TorchScript module into a portable representation that can be loaded in other processes or on different systems. The vulnerability can be triggered when exporting a specially crafted TorchScript module that contains tensors with specific, unusual properties. When `torch.jit.export` processes this malicious model, it miscalculates the required buffer size for serialization, leading to a write operation that goes beyond the allocated memory buffer on the heap. This memory corruption reliably crashes the Python interpreter, resulting in a Denial of Service (DoS) condition. An attacker could exploit this by providing a malicious model file to a service that uses this function for model processing or conversion. This could disrupt ML training pipelines, inference APIs, or other systems that rely on the model export functionality. While the immediate impact is DoS, heap buffer overflows can theoretically be exploited for arbitrary code execution, though no such exploit was demonstrated for this specific vulnerability.
Affected Systems
PyTorch versions below 2.0.0 (the fix shipped in 2.0.0; see Patch Details).
Testing Guide
1. **Check PyTorch Version:** In your Python environment, run `import torch; print(torch.__version__)`. If the version is below 2.0.0, you are vulnerable.
2. **Obtain Proof-of-Concept:** Find a proof-of-concept (PoC) model file that triggers this vulnerability from a public security advisory or bug report.
3. **Execute in a Safe Environment:** In a non-production, isolated environment (like a disposable VM or Docker container), run a Python script that loads the PoC model and calls `torch.jit.export` on it.
4. **Observe Crash:** If the Python process crashes with a segmentation fault or similar memory error, the vulnerability is confirmed.
Mitigation Steps
1. **Upgrade PyTorch:** Update the PyTorch library to version 2.0.0 or later to receive the patched code.
2. **Validate Input Models:** Before processing any model file from an untrusted source, use a safe parsing library or validation tool to check its structure and properties for anomalies.
3. **Isolate Processing:** Run model conversion and serialization tasks in isolated environments (e.g., separate containers or processes) with resource limits to contain the impact of a potential crash and prevent it from affecting the entire application.
4. **Use Safe Formats:** When possible, rely on safer serialization formats like `safetensors` for model exchange, although this vulnerability specifically targets the `torch.jit` export process itself.
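Step 3 in practice, as an added example that is not part of this advisory: a small Python harness that runs the export step in a separate interpreter under `setrlimit` caps and reports whether the child finished, was killed by a signal (as a heap overflow crash would be, with SIGSEGV), timed out, or failed at the Python level. It assumes a POSIX host; the child code string is supplied by the caller, for instance a script that loads the model and calls `torch.jit.export`.

```python
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

@dataclass
class IsolatedResult:
    status: str                 # "ok", "crashed", "timeout" or "error"
    returncode: Optional[int]   # negative means killed by a signal
    signal_name: Optional[str]  # e.g. "SIGSEGV" for a memory-corruption crash
    stderr: str

def _cap(res: int, value: int) -> None:
    # Lower a limit without exceeding the current hard limit, so this also
    # works for an unprivileged service account.
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _apply_limits(mem_bytes: int, cpu_seconds: int) -> None:
    # Runs in the child between fork and exec: a runaway allocation or
    # a crash then fails inside the child instead of the whole service.
    _cap(resource.RLIMIT_AS, mem_bytes)
    _cap(resource.RLIMIT_CPU, cpu_seconds)
    _cap(resource.RLIMIT_CORE, 0)   # no core dumps of possibly sensitive model data

def run_isolated(child_code: str, *, mem_mb: int = 2048, cpu_seconds: int = 60,
                 timeout: float = 120.0) -> IsolatedResult:
    """Run `child_code` (e.g. load model, call torch.jit.export) in a fresh,
    resource-limited interpreter and classify how it ended. `-I` makes the
    child ignore PYTHON* env vars and the current directory."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", child_code],
            capture_output=True, text=True, timeout=timeout,
            preexec_fn=lambda: _apply_limits(mem_mb * 1024 * 1024, cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return IsolatedResult("timeout", None, None, "")
    if proc.returncode < 0:      # terminated by a signal
        name = signal.Signals(-proc.returncode).name
        return IsolatedResult("crashed", proc.returncode, name, proc.stderr)
    if proc.returncode != 0:     # Python-level failure (MemoryError, bad model, ...)
        return IsolatedResult("error", proc.returncode, None, proc.stderr)
    return IsolatedResult("ok", 0, None, proc.stderr)
```

In a service, pass the model path to the child on its command line and treat a `crashed` result as a rejected input to be logged with its signal name rather than retried.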
Patch Details
The vulnerability was addressed and patched in PyTorch version 2.0.0.