Unsafe prebuilt boundary in MediaTek backend #6074
Labels
bug
Something isn't working
module: mediatek
Issues related to the Mediatek delegate
triaged
This issue has been looked at a team member, and triaged and prioritized into an appropriate module
🐛 Describe the bug
While making some changes to backends/mediatek, I noticed:
ET does not make any ABI compatibility promises. If the MT libraries really do contain a prebuilt version of a subclass of an ET type, ET could legally make changes to MemoryAllocator that would break that prebuilt code, possibly in subtle or dangerous ways.
For example, if we made a change that reordered the vtable, a call like this could end up calling a different method, which wouldn't expect the same parameters or register values:
In the best case this would immediately crash, but in the worst case it would silently corrupt memory or execute random code.
Things would also go bad if we added a new field to the base class, because it could alias to an offset used by a subclass field.
At a higher level, it is unsafe to have prebuilt code that refers to any ExecuTorch type, unless it's guaranteed that the prebuilt code will link against a very specific (i.e., a single git hash) version of the ET runtime.
Solution
The prebuilt code should not refer to any ExecuTorch types.
Mitigation/detection
There's no way to reliably check these sorts of things; it's just plain unsafe.
But as a first-order check, the backend could compare
sizeof(MemoryAllocator)
across the prebuilt and non-prebuilt boundaries. E.g., it could have a function likesize_t get_prebuilt_memory_allocator_size()
whose implementation is inside the prebuilt, and returnssizeof(MemoryAllocator)
(which will be determined at prebuild time). Then some code in a non-prebuilt .cpp file couldassert sizeof(MemoryAllocator) == get_prebuilt_memory_allocator_size()
before constructing aBufferAllocator
, and return an error if the sizes don't match.But this check could be defeated if the base class's fields were reordered in a way that did not affect the size of the type. It also wouldn't catch the re-ordering, addition, or removal of a virtual method, since the vtable isn't part of the size of the type.
Versions
Issue is present in main as of at least afb2664 on 2024-10-09
The text was updated successfully, but these errors were encountered: