Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ggml: handle ggml_init failure to fix NULL pointer deref #8692

Merged
merged 1 commit into from
Jul 25, 2024
Merged

ggml: handle ggml_init failure to fix NULL pointer deref #8692

merged 1 commit into from
Jul 25, 2024
+6 −0

Conversation

DavidKorczynski
Copy link
Contributor

ggml_init can fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call to ggml_set_on_alloc.

This fixes it by bailing out if no context is found.

This was found during development of the harness in google/oss-fuzz#12274

Stacktrace for issue:

=================================================================
==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x55d3c1406ab9 bp 0x7ffdd0f0e1d0 sp 0x7ffdd0f0e080 T0)
==18==The signal is caused by a WRITE memory access.
==18==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x55d3c1406ab9 in ggml_set_no_alloc /src/llama.cpp/ggml/src/ggml.c:3535:19
    #1 0x55d3c1406ab9 in gguf_init_from_file /src/llama.cpp/ggml/src/ggml.c:21123:9
    #2 0x55d3c14e89cd in llama_model_loader::llama_model_loader(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, bool, bool, llama_model_kv_override const*) /src/llama.cpp/src/llama.cpp:3636:16
    #3 0x55d3c1483d85 in llama_model_load /src/llama.cpp/src/llama.cpp:7635:28
    #4 0x55d3c1483d85 in llama_load_model_from_file /src/llama.cpp/src/llama.cpp:16387:18
    #5 0x55d3c199b2c6 in LLVMFuzzerTestOneInput /src/llama.cpp/fuzzers/fuzz_load_model.cpp:44:19

@DavidKorczynski
ggml: handle ggml_init failure to fix NULL pointer deref
0f9868e 
`ggml_init` can fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call to `ggml_set_on_alloc`.

This fixes it by bailing out if no context is found.
@github-actions github-actions bot added the ggml changes relating to the ggml tensor library for machine learning label Jul 25, 2024
@slaren slaren merged commit 49ce0ab into ggerganov:master Jul 25, 2024
52 checks passed
arthw pushed a commit to arthw/llama.cpp that referenced this pull request Jul 27, 2024
@DavidKorczynski @arthw
ggml: handle ggml_init failure to fix NULL pointer deref (ggerganov#8692
df106e9 
)

`ggml_init` can fail if no unused context is found. In that case, a NULL-pointer deref will happen later in the code during a call to `ggml_set_on_alloc`.

This fixes it by bailing out if no context is found.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slaren slaren slaren approved these changes

Assignees
No one assigned
Labels
ggml changes relating to the ggml tensor library for machine learning
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DavidKorczynski @slaren