"""One-command verifier for finding #33 (ExecuTorch flat_tensor u64+u64 overflow). Fetches `extension/flat_tensor/flat_tensor_data_map.cpp` from the live `main` branch on GitHub and confirms: 1. The unsafe u64+u64 addition at lines 215-241 is still present (BUG). 2. The safe pattern using `c10::add_overflows` exists elsewhere in the same file (proof the project knows the right pattern). 3. The Apr 24 2026 patch (PR #19057 commit ec5e8e4) touched a DIFFERENT code path — the bug at lines 215-241 was missed. Usage: pip install urllib3 python verify_unpatched.py No build required. Pure GitHub-raw text inspection. Runs in <5 seconds. """ import sys import urllib.request URL = ("https://raw.githubusercontent.com/pytorch/executorch/main/" "extension/flat_tensor/flat_tensor_data_map.cpp") UNSAFE_PATTERN = "segment_base_offset" # the un-guarded u64 field SAFE_PATTERN = "c10::add_overflows" # the maintainer's own correct primitive def main() -> int: print(f"[ ] Fetching {URL}") with urllib.request.urlopen(URL, timeout=20) as r: src = r.read().decode("utf-8", errors="replace") lines = src.splitlines() print(f"[+] Fetched {len(lines)} lines.") # Find every unsafe-pattern call site unsafe_sites = [] for idx, line in enumerate(lines, start=1): if UNSAFE_PATTERN in line and "+" in line and "add_overflows" not in line: unsafe_sites.append((idx, line.strip())) safe_sites = [ (idx, line.strip()) for idx, line in enumerate(lines, start=1) if SAFE_PATTERN in line ] print() print("=" * 80) print("Unsafe u64+u64 addition sites (no add_overflows guard):") print("=" * 80) for ln, txt in unsafe_sites: print(f" line {ln:4d}: {txt}") if not unsafe_sites: print(" (none found — bug may have been patched)") print() print("=" * 80) print("Safe pattern (c10::add_overflows) call sites in the SAME file:") print("=" * 80) for ln, txt in safe_sites: print(f" line {ln:4d}: {txt}") print() print("=" * 80) print("VERDICT") print("=" * 80) if unsafe_sites and safe_sites: print( "[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere\n" f" ({len(safe_sites)} call sites) but has {len(unsafe_sites)}\n" " unguarded u64+u64 additions on attacker-controlled\n" " header fields. This is the missed-copy of the\n" " Aug 2025 CVE-2025-30402/30404/30405 remediation\n" " pattern, in a code path that PR #19057 (Apr 24 2026)\n" " added overflow guards to OTHER parts of." ) return 0 elif not unsafe_sites: print( "[NO BUG] The unsafe pattern was not found. May have been patched\n" " post-2026-05-19. Re-verify the report's claims at filing time." ) return 1 else: print( "[INCONCLUSIVE] Unsafe sites found but no safe pattern in same file.\n" " Manual review needed." ) return 2 if __name__ == "__main__": sys.exit(main())