Skip to content

Commit 1308bc5

Browse files
authored
cuda.core: validate IPC descriptor lengths before import (#2223)
Reject truncated buffer and event IPC descriptors before memcpy or deviceptr_import_ipc can read past the peer-supplied payload (Glasswing V2.1 / V7.1, NVBugs 6268888 / 6268898).
1 parent 3d78ffb commit 1308bc5

4 files changed

Lines changed: 32 additions & 0 deletions

File tree

cuda_core/cuda/core/_event.pyx

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
from __future__ import annotations
66

77
cimport cpython
8+
from libc.stddef cimport size_t
89
from libc.string cimport memcpy
910
from cuda.bindings cimport cydriver
1011
from cuda.core._context cimport Context
@@ -232,6 +233,13 @@ cdef class Event:
232233
A new event backed by the imported IPC handle.
233234

234235
"""
236+
cdef size_t reserved_size = len(ipc_descriptor._reserved)
237+
cdef size_t expected_size = sizeof(cydriver.CUipcEventHandle)
238+
if reserved_size < expected_size:
239+
raise ValueError(
240+
f"IPC event descriptor reserved field is {reserved_size} bytes; "
241+
f"expected at least {expected_size}"
242+
)
235243
cdef cydriver.CUipcEventHandle data
236244
memcpy(data.reserved, <const void*><const char*>(ipc_descriptor._reserved), sizeof(data.reserved))
237245
cdef Event self = Event.__new__(cls)

cuda_core/cuda/core/_memory/_ipc.pyx

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44

55
cimport cpython
66

7+
from libc.stddef cimport size_t
78
from cuda.bindings cimport cydriver
89
from cuda.core._memory._buffer cimport Buffer, Buffer_from_deviceptr_handle
910
from cuda.core._memory._memory_pool cimport _MemPool
@@ -171,6 +172,13 @@ cdef Buffer Buffer_from_ipc_descriptor(
171172
"""Import a buffer that was exported from another process."""
172173
if not mr.is_ipc_enabled:
173174
raise RuntimeError("Memory resource is not IPC-enabled")
175+
cdef size_t payload_size = len(ipc_descriptor._payload)
176+
cdef size_t expected_size = sizeof(cydriver.CUmemPoolPtrExportData)
177+
if payload_size < expected_size:
178+
raise ValueError(
179+
f"IPC buffer descriptor payload is {payload_size} bytes; "
180+
f"expected at least {expected_size}"
181+
)
174182
cdef Stream s = Stream_accept(stream)
175183
cdef DevicePtrHandle h_ptr = deviceptr_import_ipc(
176184
mr._h_pool,

cuda_core/tests/memory_ipc/test_errors.py

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,13 @@ def test_outer_timeout_marker_is_applied(request):
3232
assert marker.args == (expected,), f"unexpected timeout value: {marker.args!r}"
3333

3434

35+
def test_import_truncated_buffer_descriptor(ipc_device, ipc_memory_resource):
36+
"""Truncated IPC buffer descriptor payload is rejected before driver import."""
37+
desc = IPCBufferDescriptor._init(b"\x00" * 8, NBYTES)
38+
with pytest.raises(ValueError, match=r"payload is 8 bytes; expected at least 64"):
39+
Buffer.from_ipc_descriptor(ipc_memory_resource, desc, stream=ipc_device.default_stream)
40+
41+
3542
def test_ipc_allocation_handle_rejects_negative_fd():
3643
"""Negative fds are rejected even when CPython runs with -O (Glasswing V3.2)."""
3744
from cuda.core._memory._ipc import IPCAllocationHandle

cuda_core/tests/test_event.py

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -235,6 +235,15 @@ def test_event_is_done_false(init_cuda):
235235
event.sync()
236236

237237

238+
def test_import_truncated_event_descriptor():
239+
"""Truncated IPC event descriptor reserved field is rejected before memcpy."""
240+
import cuda.core._event as _event_module
241+
242+
desc = _event_module.IPCEventDescriptor._init(b"\x00" * 8, True)
243+
with pytest.raises(ValueError, match=r"reserved field is 8 bytes; expected at least 64"):
244+
Event.from_ipc_descriptor(desc)
245+
246+
238247
def test_ipc_event_descriptor_direct_init():
239248
"""IPCEventDescriptor cannot be instantiated directly."""
240249
import cuda.core._event as _event_module

0 commit comments

Comments
 (0)