pytorch - 💡(How to fix) Fix Crashes in torch::jit::load() from crafted .pt files (4 distinct crash sites) [3 comments, 2 participants]

🐛 Describe the bug

Description

Fuzzing torch::jit::load() with mutated .pt files uncovered 4 distinct crash sites in TorchScript model deserialization. Per your security policy, TorchScript models are treated as executable code and these are not security vulnerabilities — but they are reproducible crashes that could be hardened against for robustness.

All crashes reproduce with libtorch 2.10.0+cpu on Fedora 43 x86_64. Minimized PoCs (3–13 KB) are attached.

Crash 1: SEGV in vector reallocation during type parsing (poc-031-realloc.pt, 13,160 bytes)

SEGV on unknown address
  #1 vector<string_view>::_M_realloc_insert
  #2 SourceImporter::loadType()
  #3 ScriptTypeParser::parseType()
  → readArchiveAndTensors() → torch::jit::load()

A corrupted source archive in the .pt ZIP causes invalid memory access during vector reallocation when building string_view vectors from parsed type information.

Crash 2: SEGV in SourceRangeDeserializer (poc-033-sourcerange.pt, 3,297 bytes)

SEGV on unknown address
  #1 SourceRangeDeserializer::deserialize_source()  [+0x6681107]
  → readArchiveAndTensors() → torch::jit::load()

SourceRangeDeserializer::deserialize_source() accesses invalid memory when processing malformed source range data. Two distinct offsets within the same function were observed (+0x6681107, +0x66811cc).

Crash 3: SEGV in StringCordView::find (poc-034-stringcord.pt, 3,297 bytes)

SEGV on unknown address
  #1 StringCordView::find()
  #2 ScriptTypeParser::parseTypeFromExpr()
  → readArchiveAndTensors() → torch::jit::load()

StringCordView::find() dereferences invalid internal pointers when searching through corrupted source text stored in the archive.

Crash 4: Uncaught c10::Error → std::terminate (poc-035-deadly.pt, 7,601 bytes)

c10::Error: Expected PROTO opcode at the start of pickle archive
  #1 Unpickler::run()
  #2 CompilationUnit::define()
  #3 GraphFunction::ensure_defined()
  → std::terminate → abort

When the pickle archive within the .pt file has an invalid opcode, Unpickler::run() throws c10::Error. This exception propagates uncaught through the deserialization stack to std::terminate(). Unlike the SEGV crashes, this one could be fixed with a simple try/catch wrapper.

Reproduction

import torch
# Any of the 4 PoC files:
torch.jit.load("poc-031-realloc.pt")      # SEGV
torch.jit.load("poc-033-sourcerange.pt")   # SEGV
torch.jit.load("poc-034-stringcord.pt")    # SEGV
torch.jit.load("poc-035-deadly.pt")        # terminate/abort

#include <torch/script.h>
int main(int argc, char* argv[]) {
    torch::jit::load(argv[1]);
    return 0;
}

Suggested Improvements

1. Catch all exceptions in torch::jit::load() entry points (fixes Crash 4 immediately)
2. Validate source range offsets before accessing source text (fixes Crashes 2, 3)
3. Bounds-check vector operations in SourceImporter::loadType() (fixes Crash 1)
4. Add structured fuzzing targeting torch::jit::load() in CI to catch future regressions

Environment

• libtorch 2.10.0+cpu (pre-built release)
• Fedora 43, x86_64, clang 19
• Found via Crucible fuzzer with libFuzzer instrumentation

Related

A separate, more severe bug in the ZIP container parsing layer (caffe2/serialize/in_memory_adapter.h) was reported via GHSA as it affects the generic serialization infrastructure rather than TorchScript execution specifically.

Versions

Environment

• libtorch 2.10.0+cpu (pre-built release)
• Fedora 43, x86_64, clang 19
• Found via Crucible fuzzer with libFuzzer instrumentation