Fix heap-buffer-overflow in constant_pad_nd

[psiddh]

Summary:
Fix write-heap-buffer-overflow in set_all_to_value triggered via apply_padding_to_dim, reported by fuzzer (T258811544).

Root causes:

1. Negative padding values silently cast to huge size_t, causing massive out-of-bounds writes.
2. When out_data advances past out_data_end, the remaining computation (out_data_end - out_data) wraps around to a huge size_t, causing bounds checks to incorrectly pass.
3. No error propagation after recursive apply_padding_to_dim calls, allowing the loop to continue writing after a child call has failed.

Fixes:

• Validate all padding values are non-negative in check_constant_pad_args.
• Read padding as int64_t and explicitly check >= 0 before casting to size_t.
• Guard remaining computation with out_data <= out_data_end check at all three bounds-check sites to prevent size_t wraparound.
• Check ctx.failure_state() after recursive calls and bail out early.
• Remove dead pad_i >= 0 check (always true for size_t).

Differential Revision: D95762335

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/18018

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

❌ 2 New Failures, 1 Pending, 2 Unrelated Failures

As of commit 19b6aef with merge base 08c3a72 ():

NEW FAILURES - The following jobs have failed:

• pull / test-samsung-models-linux / linux-job (gh)
  RuntimeError: Command docker exec -t 9d23f442b61a9701897f0137babaf3e4366aa6742ee07d60ee9eeabd635191a0 /exec failed with exit code 1
• pull / test-samsung-quantmodels-linux / linux-job (gh)
  RuntimeError: Command docker exec -t a2e1bcde8e7be451ae450a5878155582a273a602589071110bde48ef1857ce36 /exec failed with exit code 1

FLAKY - The following jobs failed but were likely due to flakiness present on trunk:

• pull / test-models-linux (emformer_join, portable, linux.4xlarge.memory) / linux-job (gh) (detected as infra flaky with no log or failing log classifier)
• pull / unittest-arm-backend-with-no-deps (test_pytest_models_tosa) / linux-job (gh) (matched linux rule in flaky-rules.json)
  The runner has received a shutdown signal. This can happen when the runner service is stopped, or a manually started runner is canceled.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[meta-codesync]

@psiddh has exported this pull request. If you are a Meta employee, you can view the originating Diff in D95762335.

[github-actions]

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.

[Copilot]

Pull request overview

Fixes a heap-buffer-overflow in the portable CPU implementation of aten.constant_pad_nd by hardening padding validation and preventing size/pointer arithmetic wraparound during padding application.

Changes:

• Validate that all padding values are non-negative in check_constant_pad_args.
• In the padding implementation, read padding as int64_t, validate before casting to size_t, and add out_data <= out_data_end guards before computing remaining space.
• Propagate failures from recursive padding calls by bailing out early when ctx enters a failure state.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
kernels/portable/cpu/util/kernel_ops_util.cpp	Adds argument validation rejecting negative padding values.
kernels/portable/cpu/op_constant_pad_nd.cpp	Hardens runtime padding application against wraparound and ensures failure propagation during recursion.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.