Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix heap-buffer-overflow in radix_sort_parallel #2075

Closed
wants to merge 1 commit into from
Closed

Fix heap-buffer-overflow in radix_sort_parallel #2075

wants to merge 1 commit into from

Conversation

malfet
Copy link
Contributor

@malfet malfet commented Oct 13, 2023
edited
Loading

Setting histogram_ps[RDX_HIST_SIZE * (nthreads - 1) + 127] = offset; in combine_prefix_sum_for_msb is guaranteed to result in heap-buffer-overflow if bucket is not empty during the scatter stage (as all values of histogram_ps should be strictly less than element_count

Factor out common code from RadixSortTest.cc into test_tempalte and add regression test for buffer overflow, which before the test will fail as follows:

[ RUN      ] cpuKernelTest.raidx_sort_heap_overflow
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:36: Failure
Expected equality of these values:
  expected_keys
    Which is: { 2, 3, 5, -1, -1, 2147483647, 2147483647, 2147483647 }
  keys
    Which is: { -1, -1, -1, -1, -1, -1, -1, -1 }
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:37: Failure
Expected equality of these values:
  expected_values
    Which is: { 1, 4, 6, 7, 8, 2, 3, 5 }
  values
    Which is: { 2147483647, 4, 6, 7, 8, 6, 7, 8 }
[  FAILED  ] cpuKernelTest.raidx_sort_heap_overflow (0 ms)

Will fix pytorch/pytorch#111189 once FBGEMM is updated to the correct version

@netlify
Copy link

netlify bot commented Oct 13, 2023
edited
Loading

Deploy Preview for pytorch-fbgemm-docs canceled.

Name Link
🔨 Latest commit 621d854
🔍 Latest deploy log https://app.netlify.com/sites/pytorch-fbgemm-docs/deploys/652dbafbd211810008883d4c

@facebook-github-bot
Copy link
Contributor

@malfet has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@facebook-github-bot
Copy link
Contributor

@malfet has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@malfet @facebook-github-bot
Fix heap-buffer-overflow in radix_sort_parallel (#2075)
621d854 
Summary:
Setting `histogram_ps[RDX_HIST_SIZE * (nthreads - 1) + 127] = offset;` in `combine_prefix_sum_for_msb` is guaranteed to result in `heap-buffer-overflow` if bucket is not empty during the scatter stage (as all values of `histogram_ps` should be strictly less than `element_count`

Factor out common code from `RadixSortTest.cc` into `test_tempalte` and add regression test for buffer overflow, which before the test will fail as follows:
```
[ RUN      ] cpuKernelTest.raidx_sort_heap_overflow
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:36: Failure
Expected equality of these values:
  expected_keys
    Which is: { 2, 3, 5, -1, -1, 2147483647, 2147483647, 2147483647 }
  keys
    Which is: { -1, -1, -1, -1, -1, -1, -1, -1 }
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:37: Failure
Expected equality of these values:
  expected_values
    Which is: { 1, 4, 6, 7, 8, 2, 3, 5 }
  values
    Which is: { 2147483647, 4, 6, 7, 8, 6, 7, 8 }
[  FAILED  ] cpuKernelTest.raidx_sort_heap_overflow (0 ms)
```

Will fix pytorch/pytorch#111189 once FBGEMM is updated to the correct version


Reviewed By: kit1980, jianyuh

Differential Revision: D50256504

Pulled By: malfet
@facebook-github-bot
Copy link
Contributor

This pull request was exported from Phabricator. Differential Revision: D50256504

@facebook-github-bot
Copy link
Contributor

@malfet merged this pull request in 70c6e83.

@malfet malfet deleted the malfet-patch-2 branch October 20, 2023 21:05
@mingfeima mingfeima mentioned this pull request Oct 23, 2023
Closed
malfet added a commit that referenced this pull request Nov 2, 2023
@malfet
Fix heap-buffer-overflow in radix_sort_parallel (#2075)
cdae5d9 
Summary:
Setting `histogram_ps[RDX_HIST_SIZE * (nthreads - 1) + 127] = offset;` in `combine_prefix_sum_for_msb` is guaranteed to result in `heap-buffer-overflow` if bucket is not empty during the scatter stage (as all values of `histogram_ps` should be strictly less than `element_count`

Factor out common code from `RadixSortTest.cc` into `test_tempalte` and add regression test for buffer overflow, which before the test will fail as follows:
```
[ RUN      ] cpuKernelTest.raidx_sort_heap_overflow
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:36: Failure
Expected equality of these values:
  expected_keys
    Which is: { 2, 3, 5, -1, -1, 2147483647, 2147483647, 2147483647 }
  keys
    Which is: { -1, -1, -1, -1, -1, -1, -1, -1 }
/home/nshulga/git/pytorch/FBGEMM/test/RadixSortTest.cc:37: Failure
Expected equality of these values:
  expected_values
    Which is: { 1, 4, 6, 7, 8, 2, 3, 5 }
  values
    Which is: { 2147483647, 4, 6, 7, 8, 6, 7, 8 }
[  FAILED  ] cpuKernelTest.raidx_sort_heap_overflow (0 ms)
```

Will fix pytorch/pytorch#111189 once FBGEMM is updated to the correct version

Pull Request resolved: #2075

Reviewed By: kit1980, jianyuh

Differential Revision: D50256504

Pulled By: malfet

fbshipit-source-id: f805607595e324999cea07dcacdee8317a008221
(cherry picked from commit 70c6e83)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r-barnes r-barnes r-barnes approved these changes

Assignees
No one assigned
Labels
cla signed fb-exported Merged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Running torch.sort can corrupt memory
3 participants
@malfet @facebook-github-bot @r-barnes