Skip to content

FIX Prevents segfault in SVC when internals are altered #21336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 20, 2021
Merged

FIX Prevents segfault in SVC when internals are altered #21336

merged 9 commits into from
Oct 20, 2021

Conversation

thomasjpfan
Copy link
Member

@thomasjpfan thomasjpfan commented Oct 15, 2021
edited by ogrisel
Loading

Reference Issues/PRs

Fixes #18891

What does this implement/fix? Explain your changes.

As stated in #18891 (comment), as a CVE (CVE-2020-28975) it would be good to fix this.

We normally do not perform checks on internal attributes that was set during fit.

Any other comments?

The check can also be performed in __setstate__.

CC @rth

@thomasjpfan thomasjpfan marked this pull request as draft October 15, 2021 01:03
rth
rth reviewed Oct 15, 2021
View reviewed changes
rth
rth approved these changes Oct 15, 2021
View reviewed changes
Copy link
Member

@rth rth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an issue in building the docs, maybe the following suggestion would fix it. Ortherwise LGTM. Thanks @thomasjpfan !

@rth
Copy link
Member

rth commented Oct 15, 2021

The check can also be performed in setstate.

I think checking before calling the low level functions, as done currently, is better, since this is also an issue without pickling.

@ogrisel ogrisel mentioned this pull request Oct 19, 2021
Closed
@ogrisel ogrisel changed the title FIX Prevents segfaul in SVC when internals are altered FIX Prevents segfault in SVC when internals are altered Oct 19, 2021
@ogrisel ogrisel added this to the 1.0.1 milestone Oct 19, 2021
@jeremiedbb jeremiedbb self-requested a review October 19, 2021 16:19
@thomasjpfan thomasjpfan marked this pull request as ready for review October 19, 2021 20:32
ogrisel
ogrisel approved these changes Oct 20, 2021
View reviewed changes
Copy link
Member

@ogrisel ogrisel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think checking before calling the low level functions, as done currently, is better, since this is also an issue without pickling.

Or we could do it at the beginning of the native code function itself.

Anyways, I am fine the current fix if it allows to get rid of the CVE.

I find this CVE hypocrite because of course, if you write a program that mutates the internal datastructures of this same program using private API you will always be able to make it segfault.

You can even do that with the Python standard library (e.g. with the ctypes module for instance) without the need for the compiled code of scikit-learn if you wish...

ogrisel
ogrisel reviewed Oct 20, 2021
View reviewed changes
jeremiedbb
jeremiedbb approved these changes Oct 20, 2021
View reviewed changes
Copy link
Member

@jeremiedbb jeremiedbb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@glemaitre @jeremiedbb @ogrisel
Apply suggestions from code review
1a0a207 
Co-authored-by: Jérémie du Boisberranger <34657725+jeremiedbb@users.noreply.github.com>
Co-authored-by: Olivier Grisel <olivier.grisel@gmail.com>
@glemaitre glemaitre self-assigned this Oct 20, 2021
@glemaitre glemaitre removed their assignment Oct 20, 2021
@glemaitre glemaitre merged commit 1bf13d5 into scikit-learn:main Oct 20, 2021
@glemaitre
Copy link
Member

I moved the entry of the changelog in 1.0.1 and tag it for backport

@glemaitre glemaitre added the To backport PR merged in master that need a backport to a release branch defined based on the milestone. label Oct 20, 2021
@glemaitre glemaitre mentioned this pull request Oct 23, 2021
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ogrisel ogrisel ogrisel approved these changes

@rth rth rth approved these changes

@jeremiedbb jeremiedbb jeremiedbb approved these changes

Assignees
No one assigned
Labels
Blocker Bug module:svm To backport PR merged in master that need a backport to a release branch defined based on the milestone.
Projects
None yet
Milestone
1.0.1
Development

Successfully merging this pull request may close these issues.

Segmentation fault on SVMLIB
5 participants
@thomasjpfan @rth @glemaitre @ogrisel @jeremiedbb