BIT-pytorch-2024-31583
Use-After-Free vulnerability in torch (PyPI)

Use-After-Free No known exploit

What is BIT-pytorch-2024-31583 About?

This vulnerability is a use-after-free in PyTorch before v2.2.0, located in `torch/csrc/jit/mobile/interpreter.cpp`. It occurs when memory is accessed after it has been freed, potentially leading to crashes, information disclosure, or arbitrary code execution. Exploitation can be complex, often requiring precise timing and memory layout knowledge.

Affected Software

  • torch
    • <2.2.0
    • <9c7071b0e324f9fb68ab881283d6b8d388a4bcd2

Technical Details

The use-after-free in PyTorch's `torch/csrc/jit/mobile/interpreter.cpp` is a memory-management flaw: an object or block of memory is deallocated, but a pointer to it still exists and is later dereferenced. If the freed memory has been reallocated for another purpose, the stale pointer now refers to live, unrelated data. Using that pointer leads to unpredictable behavior: reading through it can disclose sensitive information, writing through it can corrupt data or overwrite control-flow structures, and either action can cause a crash. Triggering the flaw requires a specific sequence of operations in the interpreter that frees memory and then uses a reference to that freed memory.

What is the Impact of BIT-pytorch-2024-31583?

Successful exploitation may allow attackers to cause a denial of service (application crash), achieve information disclosure, or, in severe cases, execute arbitrary code with the privileges of the PyTorch process, leading to a compromise of confidentiality, integrity, and availability.

What is the Exploitability of BIT-pytorch-2024-31583?

Exploitation complexity is generally high for use-after-free vulnerabilities, requiring intricate knowledge of memory layouts and precise timing. Prerequisites involve interacting with specific functionality in the PyTorch mobile interpreter that triggers the memory deallocation and subsequent use. Authentication requirements depend on whether the vulnerable code path can be reached by unauthenticated users; typically, some level of interaction or data processing is needed. Privilege requirements are those of the PyTorch process itself. The flaw could be exploited remotely if PyTorch models are used in a service that processes untrusted, attacker-controlled input. The likelihood of exploitation increases if the buggy memory-management code path is frequently exercised with complex or adversarial inputs.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-pytorch-2024-31583?

Available Upgrade Options

  • torch
    • <9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 → Upgrade to 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2
    • <2.2.0 → Upgrade to 2.2.0
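
To check an environment against the affected range above, the following added example (not part of the original advisory or of PyTorch's code) flags exact `torch` pins and the installed `torch` that sort below 2.2.0 under PEP 440-style ordering. The function names and sample requirement lines are constructed for illustration, and treating 2.2.0 pre-releases as affected is a conservative assumption.

```python
import re
from importlib import metadata

FIXED = (2, 2, 0)  # first fixed release listed in the advisory above

# Release numbers plus an optional pre-release/dev marker (PEP 440 style).
_VER = re.compile(r"^\s*v?(\d+(?:\.\d+)*)((?:a|b|rc|\.?dev)\d*)?", re.I)
# Exact pins only ("torch==X"); "torchvision==..." must not match.
_PIN = re.compile(r"^\s*torch\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#,]+)", re.I)

def is_affected(version):
    """True if `version` sorts before 2.2.0; local labels (+cu118) are ignored."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "2.2" compares as 2.2.0
    # Assumption: pre-releases of 2.2.0 (rc, dev/nightly) count as affected.
    return nums < FIXED or (nums == FIXED and m.group(2) is not None)

def scan_requirements(text):
    """Return (line_number, version) for every exact torch pin in the range."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _PIN.match(line)
        if m and is_affected(m.group(1)):
            hits.append((no, m.group(1)))
    return hits

def installed_torch_affected():
    """True/False for the torch installed here, None if torch is absent."""
    try:
        return is_affected(metadata.version("torch"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample requirement lines, not taken from any real project.
SAMPLE = """\
numpy==1.26.4
torch==2.1.2+cu118
torchvision==0.16.2
torch==2.2.0
"""

if __name__ == "__main__":
    for no, ver in scan_requirements(SAMPLE):
        print(f"line {no}: torch {ver} is below 2.2.0")
    print("installed torch affected:", installed_torch_affected())
```

Numeric comparison matters here: a plain string comparison would rank 2.10.0 below 2.2.0 and report a false positive.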

What are Similar Vulnerabilities to BIT-pytorch-2024-31583?

Similar Vulnerabilities: CVE-2023-28447, CVE-2022-26364, CVE-2021-43267, CVE-2020-13757, CVE-2019-15805