[TRTLLM-11176][fix] Security Issue Fix cherry pick #11683
yibinl-nvidia merged 3 commits into NVIDIA:release/1.2 from
Conversation
960d317 to 324be83
/bot run
📝 Walkthrough
The changes add HMAC key support to MPI communication sessions across executor and LLMAPI layers, implement secure deserialization of IPC weight handles using restricted unpickling with module whitelisting, add a runtime null-check to C++ memory allocation, and introduce test parametrization for serialized versus direct IPC handle modes.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~50 minutes. Pre-merge checks: ❌ 3 failed (2 warnings, 1 inconclusive).
Actionable comments posted: 4
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
cpp/tensorrt_llm/runtime/utils/numpyUtils.cpp (1)
1-3: ⚠️ Potential issue | 🟡 Minor: Update copyright year to reflect the 2026 modification.
This file was modified in 2026, but the header still ends at 2024. Please update it to include 2026.
🔧 Suggested update
- * Copyright (c) 2022-2024, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2022-2026, NVIDIA CORPORATION. All rights reserved.As per coding guidelines: "All TensorRT-LLM source files should contain an NVIDIA copyright header with the year of the latest meaningful modification. The header should be an Apache 2.0 license block as specified."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@cpp/tensorrt_llm/runtime/utils/numpyUtils.cpp` around lines 1 - 3, Update the file header in cpp/tensorrt_llm/runtime/utils/numpyUtils.cpp to reflect the 2026 modification by changing the copyright year range to include 2026 (e.g., "2022-2026") and ensure the header remains the full NVIDIA Apache 2.0 license block used across the project; modify the top comment block (the existing file header) so it matches the canonical NVIDIA copyright/license format used in other TensorRT-LLM source files.
🧹 Nitpick comments (2)
tests/unittest/_torch/ray_orchestrator/single_gpu/test_llm_update_weights.py (1)
76-108: Deduplicate handle collection via `get_weight_ipc_handles`. This keeps filtering/handle-building logic in one place and reduces drift between serialized and direct paths.
♻️ Suggested refactor
def get_weight_ipc_handles_serialized( self, cuda_device: Optional[List[int]] = None, weight_filter: Optional[Callable[[str], bool]] = None, ): """ Get base64-encoded serialized IPC handles for model weights. @@ - ret = {} - device_list = list(range(torch.cuda.device_count())) if cuda_device is None else cuda_device - - for device in device_list: - all_handles = [] - for item in self.all_weights[device]: - name, p = item - # Apply filter if provided - if weight_filter is not None and not weight_filter(name): - continue - handle = reduce_tensor(p) - all_handles.append((name, handle)) - - # Serialize with base64-encoded pickle - serialized = base64.b64encode(pickle.dumps(all_handles)).decode("utf-8") - ret[self.device_uuid[device]] = serialized + ret = {} + handles = self.get_weight_ipc_handles( + cuda_device=cuda_device, weight_filter=weight_filter + ) + for device_uuid, all_handles in handles.items(): + # Serialize with base64-encoded pickle + serialized = base64.b64encode(pickle.dumps(all_handles)).decode("utf-8") + ret[device_uuid] = serialized return ret🤖 Prompt for AI Agents
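Review bot: the suggested hunk writes `ret[device_uuid] = serialized` using the key returned by `get_weight_ipc_handles`, while the agent prompt that accompanies it still says to assign to `ret[self.device_uuid[device]]`; pick one form and keep the two consistent. The refactor also assumes `get_weight_ipc_handles` returns `{device_uuid: [(name, handle), ...]}`, which this hunk does not show, so confirm that shape before applying it. The `pickle.dumps` on this producer side is unchanged either way; the trust boundary for these handles is the restricted unpickler on the consumer side that this PR introduces.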
Verify each finding against the current code and only fix it if needed. In `@tests/unittest/_torch/ray_orchestrator/single_gpu/test_llm_update_weights.py` around lines 76 - 108, The current get_weight_ipc_handles_serialized duplicates the filtering and handle-building logic; replace the inner collection with a call to the existing get_weight_ipc_handles so all filtering/handle creation is centralized. Specifically, call self.get_weight_ipc_handles(cuda_device=cuda_device, weight_filter=weight_filter) to get the per-device mapping of (name, handle) pairs (instead of iterating self.all_weights and calling reduce_tensor directly), then for each device UUID serialize the returned list with pickle + base64 and assign to ret[self.device_uuid[device]]; remove the duplicated loop and direct reduce_tensor calls in get_weight_ipc_handles_serialized so it simply wraps get_weight_ipc_handles results into base64-encoded pickles.
tensorrt_llm/serialization.py (1)
5-5: Avoid shared mutable defaults for `approved_imports`. The regex-based module allowlist addition is a good step. One concern:
`approved_imports={}` in `Unpickler.__init__`, `load`, and `loads` can leak mutations across calls. Prefer `None` defaults and initialize to `{}` inside.
Suggested update
class Unpickler(pickle.Unpickler): def __init__(self, *args, - approved_imports={}, + approved_imports=None, approved_module_patterns=None, **kwargs): super().__init__(*args, **kwargs) - self.approved_imports = approved_imports + if approved_imports is None: + approved_imports = {} + self.approved_imports = approved_imports self.approved_module_patterns = approved_module_patterns or [] @@ def load(file, *, fix_imports=True, encoding="ASCII", errors="strict", buffers=None, - approved_imports={}, + approved_imports=None, approved_module_patterns=None): + if approved_imports is None: + approved_imports = {} return Unpickler(file, fix_imports=fix_imports, buffers=buffers, encoding=encoding, errors=errors, approved_imports=approved_imports, approved_module_patterns=approved_module_patterns).load() @@ def loads(s, /, *, fix_imports=True, encoding="ASCII", errors="strict", buffers=None, - approved_imports={}, + approved_imports=None, approved_module_patterns=None): + if approved_imports is None: + approved_imports = {} if isinstance(s, str): raise TypeError("Can't load pickle from unicode string")Also applies to: 130-154, 172-180, 190-201
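Review bot: once `Unpickler.__init__` maps `None` to a fresh `{}`, the `if approved_imports is None:` blocks this hunk adds to `load` and `loads` are redundant: they normalize to `{}` and then hand it to a constructor that would do the same, so pass `None` straight through and keep the normalization in one place. The hunk already treats `approved_module_patterns` that way (`approved_module_patterns or []`), so the two parameters would then be handled consistently. Keep the `isinstance(s, str)` `TypeError` check ahead of construction as shown; rejecting a text payload before any unpickling starts is the right failure mode.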
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tensorrt_llm/serialization.py` at line 5, Change the mutable default for approved_imports in Unpickler.__init__, Unpickler.load, and Unpickler.loads from {} to None and initialize a fresh dict inside each method when None is passed (e.g., if approved_imports is None: approved_imports = {}), so mutations don't leak between calls; apply the same fix for any other functions in this module that accept approved_imports (e.g., the other methods around the noted ranges) to ensure each call gets its own dictionary.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@tensorrt_llm/executor/utils.py`:
- Around line 58-60: The singleton for RemoteMpiCommSessionClient currently keys
only by addr and can reuse an instance created with a different or None HMAC
key; update the creation/lookup logic that uses
get_spawn_proxy_process_ipc_addr_env() and
get_spawn_proxy_process_ipc_hmac_key_env() so the singleton identity includes
the hmac_key (or, if you prefer, assert the existing client's hmac_key matches
the requested one before reuse) and if it differs, recreate the
RemoteMpiCommSessionClient with the new key to ensure encryption state is
correct; modify the factory/cache in RemoteMpiCommSessionClient (or its calling
helper) to compare or combine addr+hmac_key when returning a cached instance.
In `@tensorrt_llm/llmapi/mgmn_leader_node.py`:
- Around line 12-14: The current file directly imports
get_spawn_proxy_process_ipc_addr_env and
get_spawn_proxy_process_ipc_hmac_key_env; change the import to import the module
tensorrt_llm.executor.utils and update all usages to qualify the functions
(e.g., utils.get_spawn_proxy_process_ipc_addr_env and
utils.get_spawn_proxy_process_ipc_hmac_key_env) so the namespace is preserved;
ensure any existing variable names or calls referencing those functions are
updated accordingly to avoid unresolved names.
In `@tests/unittest/llmapi/_run_mpi_comm_task.py`:
- Line 6: The test currently imports the function
get_spawn_proxy_process_ipc_hmac_key_env directly which breaks the project's
namespace convention; change the import to import the module
tensorrt_llm.executor.utils and update any usages to call
tensorrt_llm.executor.utils.get_spawn_proxy_process_ipc_hmac_key_env so the
namespace is preserved and follows the coding guideline.
In `@tests/unittest/llmapi/_run_multi_mpi_comm_tasks.py`:
- Around line 6-8: The test imports LlmLauncherEnvs and
get_spawn_proxy_process_ipc_hmac_key_env directly which breaks the namespace
guideline; change the import to "from tensorrt_llm.executor import utils" and
update all usages (e.g., LlmLauncherEnvs and
get_spawn_proxy_process_ipc_hmac_key_env calls between lines ~14-20) to
qualified names like utils.LlmLauncherEnvs and
utils.get_spawn_proxy_process_ipc_hmac_key_env(); keep the
RemoteMpiCommSessionClient import as-is or similarly qualify if needed.
ℹ️ Review info
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (8)
cpp/tensorrt_llm/runtime/utils/numpyUtils.cpp
tensorrt_llm/executor/utils.py
tensorrt_llm/llmapi/mgmn_leader_node.py
tensorrt_llm/llmapi/rlhf_utils.py
tensorrt_llm/serialization.py
tests/unittest/_torch/ray_orchestrator/single_gpu/test_llm_update_weights.py
tests/unittest/llmapi/_run_mpi_comm_task.py
tests/unittest/llmapi/_run_multi_mpi_comm_tasks.py
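The walkthrough above describes the fix as "restricted unpickling with module whitelisting", and the nitpick on `approved_imports` touches how that allowlist is passed around. The block below is an added illustration of that pattern, written for this page and not taken from tensorrt_llm/serialization.py: a `pickle.Unpickler` subclass whose `find_class` admits only exact `(module, name)` pairs or modules matching a regex, with `None` defaults so no dict is shared between calls. The allowlist contents, the `ipc_handles` module pattern, the `_Evil` attacker object and both payloads are constructed for the example.

```python
import io
import os
import pickle
import re
from collections import OrderedDict

# Exact module -> names that the unpickler may reconstruct.
# Constructed for this example; a real allowlist will differ.
APPROVED_IMPORTS = {
    "collections": {"OrderedDict"},
    "builtins": {"set", "frozenset", "bytearray"},
}

# Regex allowlist for whole modules. Hypothetical: assumes the IPC handle
# classes live under a package named like this. Every attribute of a matching
# module becomes callable from a pickle, so keep patterns as narrow as possible.
APPROVED_MODULE_PATTERNS = [re.compile(r"^ipc_handles(\.|$)")]


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler that refuses any global not explicitly approved.

    find_class() is the only way a pickle stream can name a callable, and it
    runs before the REDUCE opcode invokes that callable, so a forbidden global
    is rejected before any code chosen by the payload executes.
    """

    def __init__(self, file, *, approved_imports=None,
                 approved_module_patterns=None, **kwargs):
        super().__init__(file, **kwargs)
        # Copy the inputs so a caller's dict is never mutated and no default
        # object is shared between Unpickler instances.
        self.approved_imports = {
            mod: set(names) for mod, names in (approved_imports or {}).items()
        }
        self.approved_module_patterns = list(approved_module_patterns or [])

    def find_class(self, module, name):
        if name in self.approved_imports.get(module, ()):
            return super().find_class(module, name)
        if any(p.match(module) for p in self.approved_module_patterns):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not on the unpickling allowlist")


def restricted_loads(data, **kwargs):
    """Drop-in replacement for pickle.loads() using the restricted unpickler."""
    if isinstance(data, str):
        raise TypeError("Can't load pickle from unicode string")
    kwargs.setdefault("approved_imports", APPROVED_IMPORTS)
    kwargs.setdefault("approved_module_patterns", APPROVED_MODULE_PATTERNS)
    return RestrictedUnpickler(io.BytesIO(data), **kwargs).load()


class _Evil:
    """Constructed attacker object: plain pickle.loads() would run os.system()."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed sample inputs: what a benign sender and an attacker would emit.
BENIGN_PAYLOAD = pickle.dumps(OrderedDict([("layer.weight", (0, 4096))]))
EVIL_PAYLOAD = pickle.dumps(_Evil())


def try_load(data):
    """Return ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(try_load(BENIGN_PAYLOAD))
    print(try_load(EVIL_PAYLOAD))
```

The exact-pair allowlist is the safe default; the regex path exists for cases such as handle classes spread over many submodules, and it is worth remembering that it also exposes every other attribute of those modules to the stream.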
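The inline comment for tensorrt_llm/executor/utils.py warns that a singleton keyed only by `addr` can hand back a client created with a different or `None` HMAC key. The block below is an added, self-contained reconstruction of that failure and its fix; it is not the project's `RemoteMpiCommSessionClient`. `SessionClient`, the two caches, the frame format (payload followed by an HMAC-SHA256 tag) and the address string are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag_frame(key: bytes, payload: bytes) -> bytes:
    """Authenticated wire frame: payload || HMAC-SHA256(key, payload)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_frame(key: bytes, frame: bytes) -> bytes:
    """Verify the trailing tag in constant time and return the payload."""
    if len(frame) < TAG_LEN:
        raise ValueError("frame shorter than tag")
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed")
    return payload


class SessionClient:
    """Hypothetical stand-in for a keyed IPC client (not the project's class)."""

    def __init__(self, addr: str, hmac_key: Optional[bytes]):
        self.addr = addr
        self.hmac_key = hmac_key

    def send(self, payload: bytes) -> bytes:
        # A client created without a key emits unauthenticated frames.
        if self.hmac_key is None:
            return payload
        return tag_frame(self.hmac_key, payload)


_cache_by_addr: dict = {}            # the flawed cache: address only
_cache_by_addr_and_key: dict = {}    # the corrected cache


def get_client_addr_only(addr: str, hmac_key: Optional[bytes]) -> SessionClient:
    """First caller's key wins; later callers silently reuse that client."""
    if addr not in _cache_by_addr:
        _cache_by_addr[addr] = SessionClient(addr, hmac_key)
    return _cache_by_addr[addr]


def get_client_addr_and_key(addr: str, hmac_key: Optional[bytes]) -> SessionClient:
    """Identity includes the key, so a different key yields a different client."""
    ident = (addr, hmac_key)
    if ident not in _cache_by_addr_and_key:
        _cache_by_addr_and_key[ident] = SessionClient(addr, hmac_key)
    return _cache_by_addr_and_key[ident]


def server_accepts(server_key: bytes, frame: bytes) -> bool:
    """What the receiving side does with a frame: verify or drop."""
    try:
        open_frame(server_key, frame)
        return True
    except ValueError:
        return False


def demonstrate() -> dict:
    """Reproduce the reuse bug against an in-process receiver holding key_b."""
    _cache_by_addr.clear()
    _cache_by_addr_and_key.clear()
    addr = "ipc:///tmp/example-proxy"  # constructed address
    key_a, key_b = os.urandom(32), os.urandom(32)
    msg = b"update_weights"

    # A session for this address is first opened with a stale key...
    get_client_addr_only(addr, key_a)
    get_client_addr_and_key(addr, key_a)
    # ...and later the caller asks for the same address with the live key.
    stale = get_client_addr_only(addr, key_b)
    fresh = get_client_addr_and_key(addr, key_b)
    unkeyed = get_client_addr_and_key(addr, None)

    return {
        "addr_only_reused_stale_key": stale.hmac_key == key_a,
        "addr_only_frame_accepted": server_accepts(key_b, stale.send(msg)),
        "addr_and_key_frame_accepted": server_accepts(key_b, fresh.send(msg)),
        "wrong_key_frame_accepted": server_accepts(key_a, fresh.send(msg)),
        "unkeyed_frame_accepted": server_accepts(key_b, unkeyed.send(msg)),
    }
```

Keying the cache on `(addr, hmac_key)` is the simpler of the two remedies the comment offers; the alternative, asserting that a cached client's key matches the requested one, turns the silent downgrade into a loud failure, which is preferable when two different keys for one address indicates a misconfiguration rather than a legitimate rotation.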
PR_Github #36664 [ run ] triggered by Bot. Commit:
PR_Github #36664 [ run ] completed with state
/bot run
PR_Github #36709 [ run ] triggered by Bot. Commit:
PR_Github #36709 [ run ] completed with state
/bot run
PR_Github #36799 [ run ] triggered by Bot. Commit:
PR_Github #36799 [ run ] completed with state
324be83 to 0425e52
/bot run
PR_Github #36842 [ run ] triggered by Bot. Commit:
PR_Github #36842 [ run ] completed with state
/bot run
PR_Github #36921 [ run ] triggered by Bot. Commit:
PR_Github #36921 [ run ] completed with state
0425e52 to 153d54d
/bot run
PR_Github #36976 [ run ] triggered by Bot. Commit:
PR_Github #36976 [ run ] completed with state
pipeline blocked by PR #11775 to merge
153d54d to f2fae36
/bot run
PR_Github #37141 [ run ] triggered by Bot. Commit:
/bot run
PR_Github #37232 [ run ] triggered by Bot. Commit:
PR_Github #37232 [ run ] completed with state
NVIDIA#10944) Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com> This PR addresses known security issues. For the latest NVIDIA Vulnerability Disclosure Information visit https://www.nvidia.com/en-us/security/, for acknowledgement please reach out to the NVIDIA PSIRT team at PSIRT@nvidia.com Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com>
Signed-off-by: Superjomn <328693+Superjomn@users.noreply.github.com> Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com>
…pickler (NVIDIA#10622) Signed-off-by: Yibin Li <109242046+yibinl-nvidia@users.noreply.github.com>
f2fae36 to c67583d
/bot run
PR_Github #37263 [ run ] triggered by Bot. Commit:
PR_Github #37263 [ run ] completed with state
/bot run
PR_Github #37327 [ run ] triggered by Bot. Commit:
PR_Github #37327 [ run ] completed with state
/bot run --disable-fail-fast
PR_Github #37494 [ run ] triggered by Bot. Commit:
PR_Github #37494 [ run ] completed with state
/bot run
PR_Github #37518 [ run ] triggered by Bot. Commit:
PR_Github #37518 [ run ] completed with state
Summary by CodeRabbit
Bug Fixes
New Features
Tests
Description
These commits have been merged to main but not in 1.2 release.
Test Coverage
PR Checklist
Please review the following before submitting your PR:
PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.
PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.
Test cases are provided for new code paths (see test instructions)
Any new dependencies have been scanned for license and vulnerabilities
CODEOWNERS updated if ownership changes
Documentation updated as needed
Update tava architecture diagram if there is a significant design change in PR.
The reviewers assigned automatically/manually are appropriate for the PR.
Please check this after reviewing the above items as appropriate for this PR.
GitHub Bot Help
/bot [-h] ['run', 'kill', 'skip', 'reuse-pipeline'] ...
Provide a user friendly way for developers to interact with a Jenkins server.
Run /bot [-h|--help] to print this help message. See details below for each supported subcommand.
Details
run [--reuse-test (optional)pipeline-id --disable-fail-fast --skip-test --stage-list "A10-PyTorch-1, xxx" --gpu-type "A30, H100_PCIe" --test-backend "pytorch, cpp" --add-multi-gpu-test --only-multi-gpu-test --disable-multi-gpu-test --post-merge --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" --detailed-log --debug(experimental)]
Launch build/test pipelines. All previously running jobs will be killed.
--reuse-test (optional)pipeline-id (OPTIONAL): Allow the new pipeline to reuse build artifacts and skip successful test stages from a specified pipeline or the last pipeline if no pipeline-id is indicated. If the Git commit ID has changed, this option will be always ignored. The DEFAULT behavior of the bot is to reuse build artifacts and successful test results from the last pipeline.
--disable-reuse-test (OPTIONAL): Explicitly prevent the pipeline from reusing build artifacts and skipping successful test stages from a previous pipeline. Ensure that all builds and tests are run regardless of previous successes.
--disable-fail-fast (OPTIONAL): Disable fail fast on build/tests/infra failures.
--skip-test (OPTIONAL): Skip all test stages, but still run build stages, package stages and sanity check stages. Note: Does NOT update GitHub check status.
--stage-list "A10-PyTorch-1, xxx" (OPTIONAL): Only run the specified test stages. Examples: "A10-PyTorch-1, xxx". Note: Does NOT update GitHub check status.
--gpu-type "A30, H100_PCIe" (OPTIONAL): Only run the test stages on the specified GPU types. Examples: "A30, H100_PCIe". Note: Does NOT update GitHub check status.
--test-backend "pytorch, cpp" (OPTIONAL): Skip test stages which don't match the specified backends. Only support [pytorch, cpp, tensorrt, triton]. Examples: "pytorch, cpp" (does not run test stages with tensorrt or triton backend). Note: Does NOT update GitHub pipeline status.
--only-multi-gpu-test (OPTIONAL): Only run the multi-GPU tests. Note: Does NOT update GitHub check status.
--disable-multi-gpu-test (OPTIONAL): Disable the multi-GPU tests. Note: Does NOT update GitHub check status.
--add-multi-gpu-test (OPTIONAL): Force run the multi-GPU tests in addition to running L0 pre-merge pipeline.
--post-merge (OPTIONAL): Run the L0 post-merge pipeline instead of the ordinary L0 pre-merge pipeline.
--extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" (OPTIONAL): Run the ordinary L0 pre-merge pipeline and specified test stages. Examples: --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx".
--detailed-log (OPTIONAL): Enable flushing out all logs to the Jenkins console. This will significantly increase the log volume and may slow down the job.
--debug (OPTIONAL): Experimental feature. Enable access to the CI container for debugging purpose. Note: Specify exactly one stage in the stage-list parameter to access the appropriate container environment. Note: Does NOT update GitHub check status.
For guidance on mapping tests to stage names, see docs/source/reference/ci-overview.md and the scripts/test_to_stage_mapping.py helper.
kill
Kill all running builds associated with pull request.
skip
skip --comment COMMENT
Skip testing for latest commit on pull request. --comment "Reason for skipping build/test" is required. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.
reuse-pipeline
Reuse a previous pipeline to validate current commit. This action will also kill all currently running builds associated with the pull request. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.