Segmentation fault when running torch.logical_or

[dmc1778]

🐛 Describe the bug

Probably due to large input tensor.

import torch
import numpy as np
arg_1_tensor = torch.randint(-4,16,[2], dtype=torch.int32)
arg_1 = arg_1_tensor.clone()
arg_2_tensor = torch.randint(-16384,32,[], dtype=torch.int64)
arg_2 = arg_2_tensor.clone()
arg_3_tensor = torch.rand([3, 3, 3], dtype=torch.float32)
arg_3 = arg_3_tensor.clone()
try:
  res = torch.logical_or(arg_1,arg_2,out=arg_3,)
except Exception as e:
  print("Error:"+str(e))
```the 

### Versions

PyTorch version: 1.12.0
Is debug build: False
CUDA used to build PyTorch: 10.2
ROCM used to build PyTorch: N/A

OS: Ubuntu 22.04.2 LTS (x86_64)
GCC version: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
Clang version: Could not collect
CMake version: Could not collect
Libc version: glibc-2.35

Python version: 3.9.16 (main, May 15 2023, 23:46:34) [GCC 11.2.0] (64-bit runtime)
Python platform: Linux-6.2.0-26-generic-x86_64-with-glibc2.35
Is CUDA available: True
CUDA runtime version: Could not collect
CUDA_MODULE_LOADING set to:
GPU models and configuration: GPU 0: NVIDIA GeForce GTX 1660 Ti
Nvidia driver version: 535.86.05
cuDNN version: Could not collect
HIP runtime version: N/A
MIOpen runtime version: N/A
Is XNNPACK available: True

CPU:
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 39 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 16
On-line CPU(s) list: 0-15
Vendor ID: GenuineIntel
Model name: Intel(R) Core(TM) i7-10700F CPU @ 2.90GHz
CPU family: 6
Model: 165
Thread(s) per core: 2
Core(s) per socket: 8
Socket(s): 1
Stepping: 5
CPU max MHz: 4800.0000
CPU min MHz: 800.0000
BogoMIPS: 5799.77
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp pku ospke sgx_lc md_clear flush_l1d arch_capabilities
Virtualization: VT-x
L1d cache: 256 KiB (8 instances)
L1i cache: 256 KiB (8 instances)
L2 cache: 2 MiB (8 instances)
L3 cache: 16 MiB (1 instance)
NUMA node(s): 1
NUMA node0 CPU(s): 0-15
Vulnerability Itlb multihit: KVM: Mitigation: VMX disabled
Vulnerability L1tf: Not affected
Vulnerability Mds: Not affected
Vulnerability Meltdown: Not affected
Vulnerability Mmio stale data: Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Retbleed: Mitigation; Enhanced IBRS
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl
Vulnerability Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2: Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
Vulnerability Srbds: Mitigation; Microcode
Vulnerability Tsx async abort: Not affected

Versions of relevant libraries:
[pip3] numpy==1.25.0
[pip3] torch==1.12.0
[pip3] torchaudio==0.12.0
[pip3] torchvision==0.13.0
[conda] blas 1.0 mkl
[conda] cudatoolkit 10.2.89 hfd86e86_1
[conda] ffmpeg 4.3 hf484d3e_0 pytorch
[conda] mkl 2023.1.0 h6d00ec8_46342
[conda] mkl-service 2.4.0 py39h5eee18b_1
[conda] mkl_fft 1.3.6 py39h417a72b_1
[conda] mkl_random 1.2.2 py39h417a72b_1
[conda] numpy 1.25.0 py39h5f9d8c6_0
[conda] numpy-base 1.25.0 py39hb5e798b_0
[conda] pytorch 1.12.0 py3.9_cuda10.2_cudnn7.6.5_0 pytorch
[conda] pytorch-mutex 1.0 cuda pytorch
[conda] torchaudio 0.12.0 py39_cu102 pytorch
[conda] torchvision 0.13.0 py39_cu102 pytorch

cc @malfet

[albanD]

Most likely due to empty Tensor + out variant.
We would accept a PR adding proper error checking here to avoid the segfault.

[deepwilson]

Has this issue been analyzed/rectified?
If not I would like to work on it. @albanD

[albanD]

Hey!
No one has worked on as far as I know as this is an edge case that we don't expect anyone to hit in practice.
Feel free to work on it if you want!

[dmc1778]

Hey! No one has worked on it as far as I know as this is an edge case that we don't expect anyone to hit in practice. Feel free to work on it if you want!

The edge case is exploitable by non-end-users. The test case is generated by a fuzzer. The goal was to generate edge cases that exploit the backend, not logical bugs that typical end-users encounter during ML development pipeline.

[deepwilson]

I cannot reproduce this error on the latest PyTorch(2.0.1+cu118) CPU nor GPU ? @dmc1778 @albanD
Please could you tell me how to proceed?

[dmc1778]

I cannot reproduce this error on the latest PyTorch(2.0.1+cu118) CPU nor GPU ? @dmc1778 @albanD Please could you tell me how to proceed?

Thanks for the reply. The vulnerability is reported for PyTorch version: 1.12.0.

[deepwilson]

@dmc1778 Thanks! So should I work on this(1.12.0) or pick up another issue?
I am specifically targeting segmentation faults.

[dmc1778]

I am not sure about PyTorch policies whether you do backward fixes or not. But, this vulnerability is exploitable on 1.12.0 or 1.13.1.

…

On Mon, Oct 2, 2023 at 8:11 PM Deep Wilson ***@***.***> wrote: @dmc1778 <https://github.com/dmc1778> Thanks! So should I work on this(1.12.0) or pick up another issue? I am specifically targeting segmentation faults. — Reply to this email directly, view it on GitHub <#107434 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AECFFZOL5CSXQORN4GBDTQLX5NJZLAVCNFSM6AAAAAA3U42VN2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBTHE2TANZQGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[albanD]

I am not sure about PyTorch policies whether you do backward fixes or not.

We do not do backward fix no.

So should I work on this(1.12.0) or pick up another issue?

No need to work on this as this is already solved! You can pick another issue!

I am specifically targeting segmentation faults.

You can look for issues with the label "module: crash"
Thanks for your help!