
Add integer overflow checks in Program::LoadSegment#19268

Merged
rascani merged 2 commits into
pytorch:mainfrom
rascani:export-D103467784
May 12, 2026

Conversation

@rascani
Contributor

@rascani rascani commented May 1, 2026

Summary:
Add overflow protection to pointer arithmetic in LoadSegment() and load_mutable_subsegment_into().

Three additions were unchecked:

1. `segment_base_offset_ + segment->offset()` in `LoadSegment()` (line 563) — a malicious `.pte` file can set `segment->offset()` near `UINT64_MAX`, wrapping the sum to a small value and causing the loader to read from an unintended file position.

2. `offset + size` in `load_mutable_subsegment_into()` — overflow before the bounds check against `segment->size()` would bypass the validation entirely.

3. `segment_base_offset_ + segment->offset() + offset` in `load_mutable_subsegment_into()` (line 649) — a triple addition with no overflow check on any intermediate result. Now computed in two validated steps.

The overflow checks use the same `ET_CHECK_OR_RETURN_ERROR` pattern already established at lines 95-100 for the header-level segment validation.

MACA-2026-001 (T266924552).

Differential Revision: D103467784

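The three validated steps the description lists, as an added C++ example that is not the PR's diff or ExecuTorch's own code: `Error`, `Segment`, `OffsetResult` and `checked_add_u64` are stand-ins for the loader's types, plain `if`/`return` stands in for `ET_CHECK_OR_RETURN_ERROR`, and `unchecked_end` reproduces the pre-fix wraparound the second item describes.

```cpp
#include <cstdint>
#include <limits>

// Hypothetical stand-ins for the loader's types (not ExecuTorch's own Error or DataSegment).
enum class Error { Ok, InvalidProgram };
struct Segment { uint64_t offset; uint64_t size; };       // as read from the untrusted header
struct OffsetResult { Error err; uint64_t file_offset; };

// Returns true iff a + b fits in uint64_t and stores the sum in *out.
static bool checked_add_u64(uint64_t a, uint64_t b, uint64_t* out) {
  if (a > std::numeric_limits<uint64_t>::max() - b) {
    return false;
  }
  *out = a + b;
  return true;
}

// The pre-fix arithmetic: unsigned addition wraps modulo 2^64, so a huge
// offset plus a small size can land below segment.size and pass a bounds check.
uint64_t unchecked_end(uint64_t offset, uint64_t size) {
  return offset + size;
}

// The three validated steps for a sub-segment read:
//   1. offset + size must not overflow and must stay within the segment;
//   2. segment_base_offset + segment.offset must not overflow;
//   3. that sum + offset must not overflow.
// On success file_offset is the absolute position to read from.
OffsetResult compute_subsegment_file_offset(uint64_t segment_base_offset,
                                            Segment segment,
                                            uint64_t offset,
                                            uint64_t size) {
  uint64_t end = 0;
  if (!checked_add_u64(offset, size, &end) || end > segment.size) {
    return {Error::InvalidProgram, 0};
  }
  uint64_t segment_start = 0;
  if (!checked_add_u64(segment_base_offset, segment.offset, &segment_start)) {
    return {Error::InvalidProgram, 0};
  }
  uint64_t file_offset = 0;
  if (!checked_add_u64(segment_start, offset, &file_offset)) {
    return {Error::InvalidProgram, 0};
  }
  return {Error::Ok, file_offset};
}
```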
@pytorch-bot

pytorch-bot Bot commented May 1, 2026

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19268

Note: Links to docs will display an error until the docs builds have been completed.

❌ 1 Cancelled Job

As of commit 2ce7707 with merge base 23a91d5:

CANCELLED JOB - The following job was cancelled. Please retry:

This comment was automatically generated by Dr. CI and updates every 15 minutes.

meta-cla Bot added the "CLA Signed" label May 1, 2026
@meta-codesync
Contributor

meta-codesync Bot commented May 1, 2026

@rascani has exported this pull request. If you are a Meta employee, you can view the originating Diff in D103467784.

@github-actions

github-actions Bot commented May 1, 2026

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

@meta-codesync
Contributor

meta-codesync Bot commented May 11, 2026

@rascani has imported this pull request. If you are a Meta employee, you can view this in D103467784.

@rascani rascani merged commit beca948 into pytorch:main May 12, 2026
176 of 177 checks passed
@rascani rascani deleted the export-D103467784 branch May 12, 2026 15:37
usamahz pushed a commit to usamahz/executorch that referenced this pull request May 13, 2026