| """One-command verifier for finding #33 (ExecuTorch flat_tensor u64+u64 overflow). |
| |
| Fetches `extension/flat_tensor/flat_tensor_data_map.cpp` from the live `main` |
| branch on GitHub and confirms: |
| |
| 1. The unsafe u64+u64 addition at lines 215-241 is still present (BUG). |
| 2. The safe pattern using `c10::add_overflows` exists elsewhere in the same |
| file (proof the project knows the right pattern). |
| 3. The Apr 24 2026 patch (PR #19057 commit ec5e8e4) touched a DIFFERENT |
| code path — the bug at lines 215-241 was missed. |
| |
| Usage: |
| pip install urllib3 |
| python verify_unpatched.py |
| |
| No build required. Pure GitHub-raw text inspection. Runs in <5 seconds. |
| """ |
|
|
| import sys |
| import urllib.request |
|
|
| URL = ("https://raw.githubusercontent.com/pytorch/executorch/main/" |
| "extension/flat_tensor/flat_tensor_data_map.cpp") |
|
|
| UNSAFE_PATTERN = "segment_base_offset" |
| SAFE_PATTERN = "c10::add_overflows" |
|
|
|
|
| def main() -> int: |
| print(f"[ ] Fetching {URL}") |
| with urllib.request.urlopen(URL, timeout=20) as r: |
| src = r.read().decode("utf-8", errors="replace") |
| lines = src.splitlines() |
| print(f"[+] Fetched {len(lines)} lines.") |
|
|
| |
| unsafe_sites = [] |
| for idx, line in enumerate(lines, start=1): |
| if UNSAFE_PATTERN in line and "+" in line and "add_overflows" not in line: |
| unsafe_sites.append((idx, line.strip())) |
| safe_sites = [ |
| (idx, line.strip()) |
| for idx, line in enumerate(lines, start=1) |
| if SAFE_PATTERN in line |
| ] |
|
|
| print() |
| print("=" * 80) |
| print("Unsafe u64+u64 addition sites (no add_overflows guard):") |
| print("=" * 80) |
| for ln, txt in unsafe_sites: |
| print(f" line {ln:4d}: {txt}") |
| if not unsafe_sites: |
| print(" (none found — bug may have been patched)") |
|
|
| print() |
| print("=" * 80) |
| print("Safe pattern (c10::add_overflows) call sites in the SAME file:") |
| print("=" * 80) |
| for ln, txt in safe_sites: |
| print(f" line {ln:4d}: {txt}") |
|
|
| print() |
| print("=" * 80) |
| print("VERDICT") |
| print("=" * 80) |
|
|
| if unsafe_sites and safe_sites: |
| print( |
| "[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere\n" |
| f" ({len(safe_sites)} call sites) but has {len(unsafe_sites)}\n" |
| " unguarded u64+u64 additions on attacker-controlled\n" |
| " header fields. This is the missed-copy of the\n" |
| " Aug 2025 CVE-2025-30402/30404/30405 remediation\n" |
| " pattern, in a code path that PR #19057 (Apr 24 2026)\n" |
| " added overflow guards to OTHER parts of." |
| ) |
| return 0 |
| elif not unsafe_sites: |
| print( |
| "[NO BUG] The unsafe pattern was not found. May have been patched\n" |
| " post-2026-05-19. Re-verify the report's claims at filing time." |
| ) |
| return 1 |
| else: |
| print( |
| "[INCONCLUSIVE] Unsafe sites found but no safe pattern in same file.\n" |
| " Manual review needed." |
| ) |
| return 2 |
|
|
|
|
| if __name__ == "__main__": |
| sys.exit(main()) |
|
|