Summary:
num_externs counts the number of external values that xnnpack receives from the runtime, in the form of arguments. It's taken from the flatbuffer file and used to allocate an internal array.
Attack vector: num_externs in flatbuffer is overwritten to a large number, causing large, oob allocations.
The value of externs is per delegate blob - it's super unlikely to have 4096 allocs, probably expect single digits normally.
Note: there's not a particularly good way to verify the value, as num_externs contains input, output and non-parameters (such as symbolic shapes). Input, output are consumed by the delegate, but symbolic shapes are not, but are passed in anyways. So the flatbuffer doesn't have information to calculate the real total.
Reviewed By: GregoryComer
Differential Revision: D100822659
@lucylq has exported this pull request. If you are a Meta employee, you can view the originating Diff in D100822659.
Pull request overview
Adds a defensive validation in the XNNPACK runtime compiler to cap num_externs (read from the delegate flatbuffer) before creating the XNNPACK subgraph, mitigating corrupted/hostile blobs causing oversized allocations.
Changes:
- Read `num_externs` once from the flatbuffer and validate it does not exceed 4096.
- Return `InvalidProgram` with a descriptive error when `num_externs` is above the cap.
- Pass the validated `num_externs` into `xnn_create_subgraph`.
| "XNNPACK flatbuffer blob has num_externs (%u) which exceeds maximum (4096)." | ||
| " This likely indicates a corrupted or invalid serialized graph", | ||
| num_externs); |
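Review bot: The `%u` in the message is paired with `num_externs` in the argument list, which is only portable if that variable is exactly `unsigned int`. If it is a fixed-width type such as `uint32_t` read from the flatbuffer, use `PRIu32` in the format string or cast the argument explicitly so the specifier and the argument type cannot disagree.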
| ET_CHECK_OR_RETURN_ERROR( | ||
| num_externs <= 4096, | ||
| InvalidProgram, | ||
| "XNNPACK flatbuffer blob has num_externs (%u) which exceeds maximum (4096)." | ||
| " This likely indicates a corrupted or invalid serialized graph", |
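Review bot: The cap 4096 is written twice in this hunk, once in the condition `num_externs <= 4096` and once inside the message string, so a later change to one can leave the other stale. Suggest a named constant (for example a `constexpr` next to this check) with a short comment on why the bound was chosen, and printing it through a second `%u` argument instead of hard-coding it in the text.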
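The pattern the summary describes (read the untrusted count once, reject it above a cap, and only then size an array from it) as a stand-alone C++ example added here; it is not code from this PR or from ExecuTorch. Assumptions: a 4-byte little-endian header stands in for the flatbuffer field, and `load_externs`, `ExternValue`, `kMaxNumExterns` and `make_blob` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical names throughout; this is not the ExecuTorch or XNNPACK API.
enum class Error { Ok, InvalidProgram };

// Cap taken from the PR; real delegate blobs are expected to carry far fewer.
constexpr uint32_t kMaxNumExterns = 4096;
// Constructed layout for this demo: bytes 0..3 hold num_externs (little-endian).
constexpr size_t kHeaderSize = 4;

struct ExternValue { uint32_t id; void* data; };

static uint32_t read_le32(const uint8_t* p) {
  return uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
         (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Validates the untrusted count before any allocation is sized from it.
// On failure *out is left untouched.
Error load_externs(const uint8_t* blob, size_t len, std::vector<ExternValue>* out) {
  if (blob == nullptr || len < kHeaderSize) return Error::InvalidProgram;
  const uint32_t num_externs = read_le32(blob);  // read once, reuse the checked value
  if (num_externs > kMaxNumExterns) return Error::InvalidProgram;
  out->assign(num_externs, ExternValue{0, nullptr});
  return Error::Ok;
}

// Builds a constructed sample blob whose header claims n externs.
std::vector<uint8_t> make_blob(uint32_t n) {
  return {uint8_t(n), uint8_t(n >> 8), uint8_t(n >> 16), uint8_t(n >> 24)};
}

int main() {
  std::vector<ExternValue> table;
  const uint32_t counts[] = {3, kMaxNumExterns, kMaxNumExterns + 1, 0xFFFFFFFFu};
  for (uint32_t n : counts) {
    const std::vector<uint8_t> blob = make_blob(n);
    const Error e = load_externs(blob.data(), blob.size(), &table);
    std::printf("num_externs=%lu -> %s (table size %zu)\n", (unsigned long)n,
                e == Error::Ok ? "accepted" : "InvalidProgram", table.size());
  }
  return 0;
}
```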