ASAN: fix heap-buffer-overflow (pytorch#101970)

AlekseiNikiforovIBM · pytorchmergebot · commit 5fa273c87051 · 2023-05-30T17:09:52.000Z
Pass size argument. <details> <summary>ASAN report</summary> ``` ==1640574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000022160 at pc 0x03ff31a04b42 bp 0x03ff69885dc0 sp 0x03ff69885db0 READ of size 16 at 0x609000022160 thread T1 #0 0x3ff31a04b41 in at::vec::ZVECTOR::Vectorized<unsigned char, void>::loadu(void const*, int) /home/user/pytorch/aten/src/ATen/cpu/vec/vec256/zarch/vec256_zarch.h:397 #1 0x3ff31a04b41 in at::vec::ZVECTOR::Vectorized<c10::quint8, void>::loadu(void const*, int) /home/user/pytorch/aten/src/ATen/cpu/vec/vec256/zarch/vec256_zarch.h:1574 #2 0x3ff31a04b41 in operator() /home/user/pytorch/aten/src/ATen/native/quantized/cpu/kernels/QuantizedOpKernels.cpp:2668 #3 0x3ff31cefa5d in void at::internal::invoke_parallel<at::native::(anonymous namespace)::quantized_normalize_kernel(at::Tensor const&, at::Tensor const&, at::Tensor const&, bool, int, int, long, long , double, at::Tensor*)::{lambda()#1}::operator()() const::{lambda()#2}::operator()() const::{lambda(long, long)#1}>(long, long, long, at::native::(anonymous namespace)::quantized_normalize_kernel(at::Tens or const&, at::Tensor const&, at::Tensor const&, bool, int, int, long, long, double, at::Tensor*)::{lambda()#1}::operator()() const::{lambda()#2}::operator()() const::{lambda(long, long)#1} const&) [clone ._omp_fn.0] /home/user/pytorch/aten/src/ATen/ParallelOpenMP.h:42 #4 0x3ff6f31f52d in gomp_thread_start /var/tmp/portage/sys-devel/gcc-12.2.1_p20230304/work/gcc-12-20230304/libgomp/team.c:129 #5 0x3ff82218381 in start_thread /usr/src/debug/sys-libs/glibc-2.37-r1/glibc-2.37/nptl/pthread_create.c:444 pytorch#6 0x3ff822943f1 (/lib64/libc.so.6+0x1143f1) 0x609000022160 is located 0 bytes to the right of 32-byte region [0x609000022140,0x609000022160) allocated by thread T0 here: #0 0x3ff82a3663f in __interceptor_posix_memalign /usr/src/debug/sys-devel/gcc-11.3.1_p20230303/gcc-11-20230303/libsanitizer/asan/asan_malloc_linux.cpp:226 #1 0x3ff6f53ad95 in c10::alloc_cpu(unsigned long) /home/user/pytorch/c10/core/impl/alloc_cpu.cpp:74 Thread T1 created by T0 here: #0 0x3ff829dc263 in __interceptor_pthread_create /usr/src/debug/sys-devel/gcc-11.3.1_p20230303/gcc-11-20230303/libsanitizer/asan/asan_interceptors.cpp:216 #1 0x3ff6f31fad5 in gomp_team_start /var/tmp/portage/sys-devel/gcc-12.2.1_p20230304/work/gcc-12-20230304/libgomp/team.c:858 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/pytorch/aten/src/ATen/cpu/vec/vec256/zarch/vec256_zarch.h:397 in at::vec::ZVECTOR::Vectorized<unsigned char, void>::loadu(void const*, int) Shadow bytes around the buggy address: 0x100c12000043d0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c12000043e0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c12000043f0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1200004400: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1200004410: fa fa fa fa fa fa fa fa fd fa fa fa fa fa fa fa =>0x100c1200004420: fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa fa fa 0x100c1200004430: fa fa fa fa fa fa fa fa fd fd fa fa fa fa fa fa 0x100c1200004440: fa fa fa fa fa fa fa fa fd fd fa fa fa fa fa fa 0x100c1200004450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1200004460: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x100c1200004470: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1640574==ABORTING ``` </details> Pull Request resolved: pytorch#101970 Approved by: https://github.com/Skylion007, https://github.com/jgong5
diff --git a/aten/src/ATen/cpu/vec/vec256/zarch/vec256_zarch.h b/aten/src/ATen/cpu/vec/vec256/zarch/vec256_zarch.h
@@ -1554,11 +1554,11 @@ struct Vectorized<T, std::enable_if_t<is_zarch_implemented_quant<T>()>> {
 
   static Vectorized<T> C10_ALWAYS_INLINE
   loadu(const void* ptr, int count = size()) {
-    return Vectorized<T>{vinner_type::loadu(ptr)};
+    return Vectorized<T>{vinner_type::loadu(ptr, count)};
   }
 
   void C10_ALWAYS_INLINE store(void* ptr, int count = size()) const {
-    _vec.store(ptr);
+    _vec.store(ptr, count);
   }
 
   Vectorized<T> relu(Vectorized<T> zero_point) const {

Original file line number	Diff line number	Diff line change
`@@ -1554,11 +1554,11 @@ struct Vectorized<T, std::enable_if_t<is_zarch_implemented_quant<T>()>> {`
`1554`	`1554`
`1555`	`1555`	`static Vectorized<T> C10_ALWAYS_INLINE`
`1556`	`1556`	`loadu(const void* ptr, int count = size()) {`
`1557`		`- return Vectorized<T>{vinner_type::loadu(ptr)};`
	`1557`	`+ return Vectorized<T>{vinner_type::loadu(ptr, count)};`
`1558`	`1558`	`}`
`1559`	`1559`
`1560`	`1560`	`void C10_ALWAYS_INLINE store(void* ptr, int count = size()) const {`
`1561`		`- _vec.store(ptr);`
	`1561`	`+ _vec.store(ptr, count);`
`1562`	`1562`	`}`
`1563`	`1563`
`1564`	`1564`	`Vectorized<T> relu(Vectorized<T> zero_point) const {`