[AutoPR- Security] Patch pytorch for CVE-2026-34446, CVE-2026-34445 [HIGH] (#16538)

azurelinux-security · aninda-al · jslobodzian · web-flow · commit 2ed2bc5dd43c · 2026-04-16T17:40:19.000-04:00
Co-authored-by: Aninda &lt;v-anipradhan@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/pytorch/CVE-2025-55560.patch b/SPECS/pytorch/CVE-2025-55560.patch
@@ -13,10 +13,14 @@ Approved by: https://github.com/jansel
 
 Modified to apply to Azure Linux
 Upstream Patch Reference: https://github.com/pytorch/pytorch/commit/225742838bcbf4656a90010257062188f7fcae82.patch
+
+Note: The original patch authored by Zhiyi Zhang was modified by Microsoft to apply to version 2.2.2 of PyTorch on Azure Linux.
+
 ---
  test/dynamo/test_compile.py        | 13 +++++++++++++
  torch/_dynamo/variables/builtin.py | 11 +++++++++++
- 2 files changed, 24 insertions(+)
+ torch/_subclasses/meta_utils.py    | 17 +++++++++++++++++
+ 3 files changed, 41 insertions(+)
 
 diff --git a/test/dynamo/test_compile.py b/test/dynamo/test_compile.py
 index 5b2de2b7..a38c1d3e 100644
@@ -71,6 +75,34 @@ index 2a2e9893..beababef 100644
              try:
                  return obj.var_getattr(tx, name).clone(source=source)
              except NotImplementedError:
+diff --git a/torch/_subclasses/meta_utils.py b/torch/_subclasses/meta_utils.py
+index 8db8f94b..e27a0493 100644
+--- a/torch/_subclasses/meta_utils.py
++++ b/torch/_subclasses/meta_utils.py
+@@ -79,6 +79,23 @@ def assert_metadata_eq(assert_eq, m1, m2, *, skip_symbolic=False):
+     return go(m1, m2)
+ 
+ 
++def is_sparse_coo(t):
++    return isinstance(t, torch.Tensor) and t.layout is torch.sparse_coo
++
++
++def is_sparse_compressed(t):
++    return isinstance(t, torch.Tensor) and t.layout in {
++        torch.sparse_csr,
++        torch.sparse_csc,
++        torch.sparse_bsr,
++        torch.sparse_bsc,
++    }
++
++
++def is_sparse_any(t):
++    return is_sparse_coo(t) or is_sparse_compressed(t)
++
++
+ # This is a class for converting multiple tensors into meta tensors which
+ # share the same view/storage structure.  The operation model is you allocate
+ # one of these, and then call it repeatedly on all the tensors you want to
 -- 
-2.43.0
+2.34.1
 
diff --git a/SPECS/pytorch/CVE-2026-34445.patch b/SPECS/pytorch/CVE-2026-34445.patch
@@ -0,0 +1,152 @@
+From a3ac7f97a0dacdbc4df51322541cb4b1d063fe12 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 9 Apr 2026 09:13:59 +0000
+Subject: [PATCH] Security hardening for external_data: whitelist keys,
+ parse-time bounds, file-size validation; warnings; export constants
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b.patch
+---
+ third_party/onnx/onnx/external_data_helper.py | 102 ++++++++++++++++--
+ 1 file changed, 91 insertions(+), 11 deletions(-)
+
+diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py
+index 05c486c..8f7d42f 100644
+--- a/third_party/onnx/onnx/external_data_helper.py
++++ b/third_party/onnx/onnx/external_data_helper.py
+@@ -5,12 +5,65 @@ import os
+ import re
+ import sys
+ import uuid
++import warnings
+ from itertools import chain
+-from typing import Callable, Iterable, Optional
++from typing import Callable, Iterable, Optional, IO
+ 
+ import onnx.onnx_cpp2py_export.checker as c_checker
+ from onnx.onnx_pb import AttributeProto, GraphProto, ModelProto, TensorProto
+ 
++# Security: 3-layer defense against malicious external_data entries (GHSA-538c-55jv-c5g9)
++#
++# Layer 1 (here) — Attribute whitelist: Only spec-defined keys are accepted.
++#   Unknown keys are warned and ignored, preventing arbitrary attribute injection (CWE-915).
++#
++# Layer 2 (ExternalDataInfo.__init__) — Bounds validation: offset and length must be
++#   non-negative integers. Catches invalid values at parse time (CWE-400).
++#
++# Layer 3 (load_external_data_for_tensor) — File-size validation: offset and length are
++#   checked against actual file size before reading. This is the critical safety net that
++#   prevents memory exhaustion regardless of how the model was constructed (CWE-400).
++#
++# 'basepath' is included because set_external_data() writes it to protobuf entries;
++# it must survive save/load round-trips.
++_ALLOWED_EXTERNAL_DATA_KEYS = frozenset({"location", "offset", "length", "checksum", "basepath"})
++_SORTED_ALLOWED_KEYS = sorted(_ALLOWED_EXTERNAL_DATA_KEYS)
++_MAX_UNKNOWN_KEYS_IN_WARNING = 10
++
++
++def _validate_external_data_file_bounds(
++    data_file: IO[bytes],
++    info: ExternalDataInfo,
++    tensor_name: str,
++) -> bytes:
++    """Validate offset/length against actual file size and read data.
++
++    Layer 3 defense-in-depth (CWE-400): prevents memory exhaustion even if the
++    model was crafted via direct protobuf APIs that bypass Python parsing.
++
++    Returns the raw bytes read from the file.
++    """
++    file_size = os.fstat(data_file.fileno()).st_size
++
++    if info.offset is not None:
++        if info.offset > file_size:
++            raise ValueError(
++                f"External data offset ({info.offset}) exceeds file size ({file_size}) for tensor {tensor_name!r}"
++            )
++        data_file.seek(info.offset)
++
++    if info.length is not None:
++        read_start = info.offset if info.offset is not None else 0
++        available = file_size - read_start
++        if info.length > available:
++            raise ValueError(
++                f"External data length ({info.length}) exceeds available data ({available} bytes from offset {read_start}) for tensor {tensor_name!r}"
++            )
++        return data_file.read(info.length)
++    return data_file.read()
++
++_MAX_KEY_DISPLAY_LENGTH = 100
++
+ 
+ class ExternalDataInfo:
+     def __init__(self, tensor: TensorProto) -> None:
+@@ -20,14 +73,45 @@ class ExternalDataInfo:
+         self.checksum = None
+         self.basepath = ""
+ 
++        unknown_keys: set[str] = set()
++        unknown_key_count = 0
+         for entry in tensor.external_data:
+-            setattr(self, entry.key, entry.value)
++            # Layer 1: reject unknown keys (CWE-915 defense-in-depth)
++            if entry.key in _ALLOWED_EXTERNAL_DATA_KEYS:
++                setattr(self, entry.key, entry.value)
++            else:
++                unknown_key_count += 1
++                if len(unknown_keys) < _MAX_UNKNOWN_KEYS_IN_WARNING:
++                    truncated = entry.key[:_MAX_KEY_DISPLAY_LENGTH]
++                    if len(entry.key) > _MAX_KEY_DISPLAY_LENGTH:
++                        truncated += "..."
++                    unknown_keys.add(truncated)
++
++        if unknown_keys:
++            shown = sorted(unknown_keys)
++            extra = unknown_key_count - len(shown)
++            key_list = repr(shown)
++            if extra > 0:
++                key_list += f" and {extra} more"
++            warnings.warn(
++                f"Ignoring unknown external data key(s) {key_list} for tensor {tensor.name!r}. "
++                f"Allowed keys: {_SORTED_ALLOWED_KEYS}",
++                stacklevel=2,
++            )
+ 
+-        if self.offset:
++        if self.offset is not None:
+             self.offset = int(self.offset)
++            if self.offset < 0:
++                raise ValueError(
++                    f"External data offset must be non-negative, got {self.offset} for tensor {tensor.name!r}"
++                )
+ 
+-        if self.length:
++        if self.length is not None:
+             self.length = int(self.length)
++            if self.length < 0:
++                raise ValueError(
++                    f"External data length must be non-negative, got {self.length} for tensor {tensor.name!r}"
++                )
+ 
+ 
+ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+@@ -44,13 +128,9 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+         base_dir, info.location, tensor.name
+     )
+     with open(external_data_file_path, "rb") as data_file:
+-        if info.offset:
+-            data_file.seek(info.offset)
+-
+-        if info.length:
+-            tensor.raw_data = data_file.read(info.length)
+-        else:
+-            tensor.raw_data = data_file.read()
++        tensor.raw_data = _validate_external_data_file_bounds(
++            data_file, info, tensor.name
++        )
+ 
+ 
+ def load_external_data_for_model(model: ModelProto, base_dir: str) -> None:
+-- 
+2.45.4
+
diff --git a/SPECS/pytorch/CVE-2026-34446.patch b/SPECS/pytorch/CVE-2026-34446.patch
@@ -0,0 +1,192 @@
+From 3667d980becce3b499b5e2fee4a3d94694fb7d3a Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 9 Apr 2026 09:28:45 +0000
+Subject: [PATCH] Backport security improvements for ONNX external data
+ handling: canonical containment, symlink rejection, O_NOFOLLOW usage, and
+ hardlink checks in C++ and Python paths; update tests accordingly.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb.patch
+Note: The original patch authored by AllSpark was backported by AI and corrected by Aninda <v-anipradhan@microsoft.com> to apply to version 2.2.2 of PyTorch on Azure Linux.
+
+---
+ third_party/onnx/onnx/checker.cc              | 41 ++++++++++
+ third_party/onnx/onnx/external_data_helper.py | 81 ++++++++++++++++++-
+ 2 files changed, 121 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/onnx/onnx/checker.cc b/third_party/onnx/onnx/checker.cc
+index 66716e97..be1f06a6 100644
+--- a/third_party/onnx/onnx/checker.cc
++++ b/third_party/onnx/onnx/checker.cc
+@@ -26,6 +26,7 @@
+ 
+ #else // POSIX
+ #include <sys/stat.h>
++#include <filesystem>
+ #endif
+ 
+ namespace ONNX_NAMESPACE {
+@@ -1033,7 +1034,47 @@ std::string resolve_external_data_location(
+         location,
+         "' points outside the directory");
+   }
++  // Verify the resolved path stays within the base directory to prevent
++  // path traversal via symlinks in parent directory components.
++  // is_symlink() only checks the final component; a path like
++  // "symlink_subdir/real_file.data" would bypass it.
+   std::string data_path = path_join(base_dir, relative_path);
++  if (!data_path.empty() && data_path[0] != '#') {
++    std::error_code ec;
++    auto canonical_base = std::filesystem::weakly_canonical(std::filesystem::path(base_dir), ec);
++    if (ec) {
++      fail_check(
++          "Data of TensorProto ( tensor name: ",
++          tensor_name,
++          ") references external data at ",
++          location,
++          ", but the model directory path could not be resolved.");
++    }
++    auto canonical_data = std::filesystem::weakly_canonical(std::filesystem::path(data_path), ec);
++    if (ec) {
++      fail_check(
++          "Data of TensorProto ( tensor name: ",
++          tensor_name,
++          ") references external data at ",
++          location,
++          ", but the data path could not be resolved.");
++    }
++    auto canonical_base_native = canonical_base.native();
++    auto canonical_data_native = canonical_data.native();
++    if (!canonical_base_native.empty() && canonical_base_native.back() != std::filesystem::path::preferred_separator) {
++      canonical_base_native += std::filesystem::path::preferred_separator;
++    }
++    if (canonical_data_native.find(canonical_base_native) != 0) {
++      fail_check(
++          "Data of TensorProto ( tensor name: ",
++          tensor_name,
++          ") at ",
++          location,
++          " resolves to a location outside the model directory, "
++          "indicating a potential path traversal attack via symbolic links in directory components.");
++    }
++  }
++
+   // use stat64 to check whether the file exists
+ #if defined(__APPLE__) || defined(__wasm__) || !defined(__GLIBC__)
+   struct stat buffer; // APPLE, wasm and non-glic stdlibs do not have stat64
+diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py
+index 8f7d42ff..2b5ea70a 100644
+--- a/third_party/onnx/onnx/external_data_helper.py
++++ b/third_party/onnx/onnx/external_data_helper.py
+@@ -10,6 +10,7 @@ from itertools import chain
+ from typing import Callable, Iterable, Optional, IO
+ 
+ import onnx.onnx_cpp2py_export.checker as c_checker
++import onnx.checker as onnx_checker
+ from onnx.onnx_pb import AttributeProto, GraphProto, ModelProto, TensorProto
+ 
+ # Security: 3-layer defense against malicious external_data entries (GHSA-538c-55jv-c5g9)
+@@ -123,6 +124,73 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+         tensor: a TensorProto object.
+         base_dir: directory that contains the external data.
+     """
++    info = ExternalDataInfo(tensor)
++    external_data_file_path = c_checker._resolve_external_data_location(  # type: ignore[attr-defined]
++        base_dir, info.location, tensor.name
++    )
++    # Security checks (symlink, containment, hardlink) already performed
++    # by C++ _resolve_external_data_location() above.
++    # Use O_NOFOLLOW where available as defense-in-depth for symlink protection
++    open_flags = os.O_RDONLY
++    if hasattr(os, "O_NOFOLLOW"):
++        open_flags |= os.O_NOFOLLOW
++    fd = os.open(external_data_file_path, open_flags)
++    with os.fdopen(fd, "rb") as data_file:
++        if info.offset:
++            data_file.seek(info.offset)
++
++        if info.length:
++            tensor.raw_data = data_file.read(info.length)
++        else:
++            tensor.raw_data = data_file.read()
++
++
++def _validate_external_data_path(
++    base_dir: str,
++    data_path: str,
++    tensor_name: str,
++    *,
++    check_exists: bool = True,
++) -> str:
++    """Validate that an external data path is safe to open.
++
++    Performs three security checks:
++    1. Canonical path containment — resolved path must stay within base_dir.
++    2. Symlink rejection — final-component symlinks are not allowed.
++    3. Hardlink count — files with multiple hard links are rejected.
++
++    Args:
++        base_dir: The model base directory that data_path must be contained in.
++        data_path: The external data file path to validate.
++        tensor_name: Tensor name for error messages.
++        check_exists: If True (default), check hardlink count. Set to False
++            for save-side paths where the file may not exist yet.
++
++    Returns:
++        The validated data_path (unchanged).
++
++    Raises:
++        onnx.checker.ValidationError: If any security check fails.
++    """
++    real_base = os.path.realpath(base_dir)
++    real_path = os.path.realpath(data_path)
++    if not real_path.startswith(real_base + os.sep) and real_path != real_base:
++        raise onnx_checker.ValidationError(
++            f"Tensor {tensor_name!r} external data path resolves to "
++            f"{real_path!r} which is outside the model directory {real_base!r}."
++        )
++    if os.path.islink(data_path):
++        raise onnx_checker.ValidationError(
++            f"Tensor {tensor_name!r} external data path {data_path!r} "
++            f"is a symbolic link, which is not allowed for security reasons."
++        )
++    if check_exists and os.path.exists(data_path) and os.stat(data_path).st_nlink > 1:
++        raise onnx_checker.ValidationError(
++            f"Tensor {tensor_name!r} external data path {data_path!r} "
++            f"has multiple hard links, which is not allowed for security reasons."
++        )
++    return data_path
++
+     info = ExternalDataInfo(tensor)
+     external_data_file_path = c_checker._resolve_external_data_location(  # type: ignore[attr-defined]
+         base_dir, info.location, tensor.name
+@@ -261,6 +329,12 @@ def save_external_data(tensor: TensorProto, base_path: str) -> None:
+     info = ExternalDataInfo(tensor)
+     external_data_file_path = os.path.join(base_path, info.location)
+ 
++    # C++ _resolve_external_data_location() cannot be used on save path
++    # (file may not exist yet), so Python performs its own security validation.
++    _validate_external_data_path(
++        base_path, external_data_file_path, tensor.name, check_exists=True
++    )
++
+     # Retrieve the tensor's data from raw_data or load external file
+     if not tensor.HasField("raw_data"):
+         raise ValueError("raw_data field doesn't exist.")
+@@ -271,7 +345,12 @@ def save_external_data(tensor: TensorProto, base_path: str) -> None:
+             pass
+ 
+     # Open file for reading and writing at random locations ('r+b')
+-    with open(external_data_file_path, "r+b") as data_file:
++    # Use O_NOFOLLOW for symlink protection when opening
++    open_flags = os.O_RDWR
++    if hasattr(os, "O_NOFOLLOW"):
++        open_flags |= os.O_NOFOLLOW
++    fd = os.open(external_data_file_path, open_flags)
++    with os.fdopen(fd, "r+b") as data_file:
+         data_file.seek(0, 2)
+         if info.offset is not None:
+             # Pad file to required offset if needed
+-- 
+2.34.1
+
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
