SEGV in flatbuffers/base.h:406:23 - int flatbuffers::ReadScalar<int>(void const*) #95062
Description
Hi! We've been fuzzing pytorch using oss-sydr-fuzz and found an input, leading to SEGV due to READ memory access in third_party/flatbuffers/include/flatbuffers/base.h:406:23.
How to reproduce the error
-
Build docker container from here
sudo docker build -t oss-sydr-fuzz-pytorch-py . -
Run docker container
sudo docker run --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-pytorch-py /bin/bash -
Run
/load_fuzz.pytarget with inputLD_PRELOAD=/usr/local/lib/python3.8/dist-packages/asan_with_fuzzer.so /load_fuzz.py crash-1feb368861083e3d242e5c3fcb1090869f4819c4.txt -
You will see something like this
AddressSanitizer:DEADLYSIGNAL ================================================================= ==13==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9301dc4b50 (pc 0x7f92e7de1049 bp 0x7ffc5b847790 sp 0x7ffc5b847500 T0) ==13==The signal is caused by a READ memory access. #0 0x7f92e7de1049 in int flatbuffers::ReadScalar<int>(void const*) /pytorch/third_party/flatbuffers/include/flatbuffers/base.h:406:23 #1 0x7f92e7de1049 in flatbuffers::Table::GetVTable() const /pytorch/third_party/flatbuffers/include/flatbuffers/table.h:30:20 #2 0x7f92e7de1049 in flatbuffers::Table::GetOptionalFieldOffset(unsigned short) const /pytorch/third_party/flatbuffers/include/flatbuffers/table.h:37:19 #3 0x7f92e7de1049 in flatbuffers::Vector<flatbuffers::Offset<torch::jit::mobile::serialization::IValue> > const* flatbuffers::Table::GetPointer<flatbuffers::Vector<flatbuffers::Offset<torch::jit::mobile::serialization::IValue> > const*>(unsigned short) /pytorch/third_party/flatbuffers/include/flatbuffers/table.h:51:25 #4 0x7f92e7de1049 in flatbuffers::Vector<flatbuffers::Offset<torch::jit::mobile::serialization::IValue> > const* flatbuffers::Table::GetPointer<flatbuffers::Vector<flatbuffers::Offset<torch::jit::mobile::serialization::IValue> > const*>(unsigned short) const /pytorch/third_party/flatbuffers/include/flatbuffers/table.h:57:39 #5 0x7f92e7de1049 in torch::jit::mobile::serialization::Module::ivalues() const /pytorch/torch/csrc/jit/serialization/mobile_bytecode_generated.h:2259:12 #6 0x7f92e7de1049 in torch::jit::(anonymous namespace)::FlatbufferLoader::parseModule(torch::jit::mobile::serialization::Module*) /pytorch/torch/csrc/jit/mobile/flatbuffer_loader.cpp:292:33 #7 0x7f92e7de6106 in torch::jit::parse_and_initialize_mobile_module_for_jit(void*, unsigned long, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, std::vector<c10::IValue, std::allocator<c10::IValue> >&, c10::optional<c10::Device>, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >*) /pytorch/torch/csrc/jit/mobile/flatbuffer_loader.cpp:797:29 #8 0x7f92e8c2cd4c in torch::jit::parse_and_initialize_jit_module(std::shared_ptr<char>, unsigned long, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, c10::optional<c10::Device>) /pytorch/torch/csrc/jit/serialization/import.cpp:342:28 #9 0x7f92e8c3a83c in torch::jit::_load_jit_module_from_bytes(std::shared_ptr<char>, unsigned long, std::shared_ptr<torch::jit::CompilationUnit>, c10::optional<c10::Device>, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, bool) /pytorch/torch/csrc/jit/serialization/import.cpp:544:14 #10 0x7f92e8c3eb33 in torch::jit::import_ir_module(std::shared_ptr<torch::jit::CompilationUnit>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<c10::Device>, std::unordered_map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::hash<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::equal_to<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, bool, bool) /pytorch/torch/csrc/jit/serialization/import.cpp:440:10 #11 0x7f92fb9cf306 in torch::jit::initJitScriptBindings(_object*)::$_83::operator()(std::shared_ptr<torch::jit::CompilationUnit>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, pybind11::object, pybind11::dict const&, bool) const /pytorch/torch/csrc/jit/python/script_init.cpp:1807:20 #12 0x7f92fb9cf306 in torch::jit::Module pybind11::detail::argument_loader<std::shared_ptr<torch::jit::CompilationUnit>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, pybind11::object, pybind11::dict const&, bool>::call_impl<torch::jit::Module, torch::jit::initJitScriptBindings(_object*)::$_83&, 0ul, 1ul, 2ul, 3ul, 4ul, pybind11::detail::void_type>(torch::jit::initJitScriptBindings(_object*)::$_83&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>, pybind11::detail::void_type&&) && /pytorch/cmake/../third_party/pybind11/include/pybind11/cast.h:1439:16 ... AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /pytorch/third_party/flatbuffers/include/flatbuffers/base.h:406:23 in int flatbuffers::ReadScalar<int>(void const*) ==13==ABORTING
Versions
- OS: ubuntu 20.04
- pytorch version: 49444c3
cc @ezyang @gchanan @zou3519 @EikanWang @jgong5 @wenzhe-nrv @sanchitintel