executorch-ptd-overflow-poc / verify_unpatched.py
kais113's picture
Initial PoC -- ExecuTorch .ptd integer overflow (huntr filing)
f3253b3 verified
Raw
History Blame Contribute Delete
3.3 kB
"""One-command verifier for finding #33 (ExecuTorch flat_tensor u64+u64 overflow).
Fetches `extension/flat_tensor/flat_tensor_data_map.cpp` from the live `main`
branch on GitHub and confirms:
1. The unsafe u64+u64 addition at lines 215-241 is still present (BUG).
2. The safe pattern using `c10::add_overflows` exists elsewhere in the same
file (proof the project knows the right pattern).
3. The Apr 24 2026 patch (PR #19057 commit ec5e8e4) touched a DIFFERENT
code path — the bug at lines 215-241 was missed.
Usage:
pip install urllib3
python verify_unpatched.py
No build required. Pure GitHub-raw text inspection. Runs in <5 seconds.
"""
import sys
import urllib.request
URL = ("https://raw.githubusercontent.com/pytorch/executorch/main/"
"extension/flat_tensor/flat_tensor_data_map.cpp")
UNSAFE_PATTERN = "segment_base_offset" # the un-guarded u64 field
SAFE_PATTERN = "c10::add_overflows" # the maintainer's own correct primitive
def main() -> int:
print(f"[ ] Fetching {URL}")
with urllib.request.urlopen(URL, timeout=20) as r:
src = r.read().decode("utf-8", errors="replace")
lines = src.splitlines()
print(f"[+] Fetched {len(lines)} lines.")
# Find every unsafe-pattern call site
unsafe_sites = []
for idx, line in enumerate(lines, start=1):
if UNSAFE_PATTERN in line and "+" in line and "add_overflows" not in line:
unsafe_sites.append((idx, line.strip()))
safe_sites = [
(idx, line.strip())
for idx, line in enumerate(lines, start=1)
if SAFE_PATTERN in line
]
print()
print("=" * 80)
print("Unsafe u64+u64 addition sites (no add_overflows guard):")
print("=" * 80)
for ln, txt in unsafe_sites:
print(f" line {ln:4d}: {txt}")
if not unsafe_sites:
print(" (none found — bug may have been patched)")
print()
print("=" * 80)
print("Safe pattern (c10::add_overflows) call sites in the SAME file:")
print("=" * 80)
for ln, txt in safe_sites:
print(f" line {ln:4d}: {txt}")
print()
print("=" * 80)
print("VERDICT")
print("=" * 80)
if unsafe_sites and safe_sites:
print(
"[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere\n"
f" ({len(safe_sites)} call sites) but has {len(unsafe_sites)}\n"
" unguarded u64+u64 additions on attacker-controlled\n"
" header fields. This is the missed-copy of the\n"
" Aug 2025 CVE-2025-30402/30404/30405 remediation\n"
" pattern, in a code path that PR #19057 (Apr 24 2026)\n"
" added overflow guards to OTHER parts of."
)
return 0
elif not unsafe_sites:
print(
"[NO BUG] The unsafe pattern was not found. May have been patched\n"
" post-2026-05-19. Re-verify the report's claims at filing time."
)
return 1
else:
print(
"[INCONCLUSIVE] Unsafe sites found but no safe pattern in same file.\n"
" Manual review needed."
)
return 2
if __name__ == "__main__":
sys.exit(main())