PyTorch
cpe:2.3:a:linuxfoundation:pytorch:*:*:*:*:python:*:*
- 2.6.0+cu124
A denial-of-service vulnerability has been identified in PyTorch 2.6.0. The CTC (Connectionist Temporal Classification) loss function, when called on a CUDA device with empty tensors for 'log_probs', 'targets', 'input_lengths' and 'target_lengths', reaches native code that raises a floating-point exception (SIGFPE), and the process terminates with a core dump. The same call on a CPU device raises an ordinary error and returns control to the caller. The trigger is local: any code path that lets a caller pass empty tensors to the function, for example a service that evaluates CTC loss on caller-supplied inputs, can be made to crash.
Because the floating-point exception is raised in native code rather than as a Python exception, it cannot be caught with try/except; the whole interpreter, and any application or service hosting it, is terminated, giving a denial-of-service condition.
The vulnerability can be reproduced by calling 'torch.nn.functional.ctc_loss' on a CUDA device with empty tensors for the 'log_probs', 'targets', 'input_lengths' and 'target_lengths' parameters; a short PyTorch script that allocates those tensors on the 'cuda' device and makes the call is sufficient. Running the same script with the tensors on 'cpu' shows the contrasting behaviour: an error is raised, but the process survives.
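The following is an added example, not code from the PyTorch project or from the original advisory. It builds the all-empty argument set described above (the exact shapes are an assumption; the advisory only says the tensors are empty) and wraps 'torch.nn.functional.ctc_loss' in a Python-side shape check, so that a host which accepts caller-controlled tensors and cannot upgrade yet fails with a catchable ValueError instead of a SIGFPE. The validation logic is deliberately independent of torch so it can be exercised without a GPU; the torch import is optional for the same reason.

```python
"""Shape guard for torch.nn.functional.ctc_loss (added example, not PyTorch code).

On an affected CUDA build, an all-empty log_probs / targets / input_lengths /
target_lengths combination reaches native code and dies with SIGFPE, which no
Python except-clause can catch.  validate_ctc_shapes() checks the argument
shapes first so the call fails with ValueError instead.  This is defense in
depth for deployments that cannot upgrade yet, not a substitute for the fix.
"""
from typing import Tuple

try:
    import torch
    import torch.nn.functional as F
except ImportError:  # torch is optional so the shape logic runs without it
    torch = None
    F = None

Shape = Tuple[int, ...]


def validate_ctc_shapes(log_probs: Shape, targets: Shape,
                        input_lengths: Shape, target_lengths: Shape) -> Tuple[int, int, int]:
    """Check ctc_loss argument shapes and return (T, N, C).

    Accepted layouts follow the documented ctc_loss signature: batched
    log_probs (T, N, C) with targets (N, S) or a 1-D concatenation and length
    tensors of shape (N,); or unbatched log_probs (T, C) with targets (S,) and
    scalar (or length-1) length tensors.  Any zero-sized dimension in log_probs,
    or a length tensor that does not match the batch, raises ValueError.
    """
    if len(log_probs) == 3:
        T, N, C = log_probs
        batched = True
    elif len(log_probs) == 2:
        (T, C), N = log_probs, 1
        batched = False
    else:
        raise ValueError(f"log_probs must be (T, N, C) or (T, C), got {log_probs}")
    if T <= 0 or N <= 0 or C <= 0:
        # This is the case the advisory describes: an empty log_probs tensor.
        raise ValueError(f"log_probs has an empty dimension: {log_probs}")
    for name, shape in (("input_lengths", input_lengths), ("target_lengths", target_lengths)):
        if batched:
            if shape != (N,):
                raise ValueError(f"{name} must have shape ({N},), got {shape}")
        elif shape not in ((), (1,)):
            raise ValueError(f"{name} must be a scalar for unbatched input, got {shape}")
    if batched:
        if not (len(targets) == 1 or (len(targets) == 2 and targets[0] == N)):
            raise ValueError(f"targets must be (N, S) or 1-D, got {targets}")
    elif len(targets) != 1:
        raise ValueError(f"targets must be (S,) for unbatched input, got {targets}")
    return T, N, C


def safe_ctc_loss(log_probs, targets, input_lengths, target_lengths, **kwargs):
    """Call F.ctc_loss only after the shapes pass validate_ctc_shapes()."""
    if F is None:
        raise RuntimeError("torch is not installed")
    validate_ctc_shapes(tuple(log_probs.shape), tuple(targets.shape),
                        tuple(input_lengths.shape), tuple(target_lengths.shape))
    return F.ctc_loss(log_probs, targets, input_lengths, target_lengths, **kwargs)


def empty_ctc_arguments(device: str):
    """Build the all-empty argument set from the advisory (shapes are assumed)."""
    if torch is None:
        raise RuntimeError("torch is not installed")
    log_probs = torch.empty((0, 0, 0), device=device)           # (T, N, C) all zero
    targets = torch.empty((0,), dtype=torch.long, device=device)
    input_lengths = torch.empty((0,), dtype=torch.long, device=device)
    target_lengths = torch.empty((0,), dtype=torch.long, device=device)
    return log_probs, targets, input_lengths, target_lengths


if __name__ == "__main__":
    if torch is None:
        print("torch not installed; only the shape checks are available")
    else:
        try:
            safe_ctc_loss(*empty_ctc_arguments("cpu"))
        except ValueError as exc:
            print("guard rejected the call:", exc)
        # Calling F.ctc_loss(*empty_ctc_arguments("cuda")) directly, without the
        # guard, is the advisory's trigger: on an affected CUDA build the
        # interpreter exits with SIGFPE instead of raising.
```

The guard checks shapes only; it does not inspect the values in 'input_lengths' and 'target_lengths', which the library validates itself on the non-crashing paths. Keeping the check in front of every externally reachable 'ctc_loss' call turns an uncatchable process crash into a normal request error until the affected hosts are upgraded.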
Users should upgrade to PyTorch 2.6.1 or 2.7.1, where this issue is fixed. Deployments that cannot upgrade immediately and that call 'ctc_loss' on caller-supplied tensors should reject empty inputs before the call reaches the CUDA implementation.