cuda.core: warn on unpickling IPC buffers from untrusted pickle (V13.1)

Document the pickle-to-IPC-import trust boundary and emit a one-time UserWarning
when unpickling a Buffer reconstructs via from_ipc_descriptor (Glasswing V13.1).

Author: Andy-Jost

SECURITY.md

@@ -29,6 +29,17 @@ disclosure policy. Please visit our [Product Security Incident Response Team
 (PSIRT)](https://www.nvidia.com/en-us/security/psirt-policies/) policies page for more
 information.
 
+## CUDA IPC and Python serialization
+
+`cuda.core.Buffer` objects allocated from IPC-enabled memory resources can be
+pickled for transfer between same-host processes. Unpickling performs an IPC
+memory import using the embedded `IPCBufferDescriptor`. Only unpickle buffers
+(and call `Buffer.from_ipc_descriptor`) with descriptors from trusted peers;
+malicious descriptors can trigger invalid memory operations.
+
+When sharing CUDA objects across processes, use `multiprocessing` with the
+`spawn` start method.
+
 ## NVIDIA Product Security
 
 For all security-related concerns, please visit NVIDIA's Product Security portal at

cuda_core/cuda/core/_memory/_buffer.pyi

@@ -19,6 +19,13 @@ class Buffer:
     allocations.
 
     Support for data interchange mechanisms are provided by DLPack.
+
+    Note
+    ----
+    Pickling an IPC-enabled :class:`Buffer` embeds an
+    :class:`~_memory.IPCBufferDescriptor`. Unpickling reconstructs the buffer
+    by calling :meth:`from_ipc_descriptor` and therefore performs an IPC
+    import. Do not unpickle buffers from untrusted sources.
     """
 
     def __cinit__(self) -> None:
@@ -85,6 +92,12 @@ class Buffer:
         stream : :obj:`~_stream.Stream`
             Keyword-only. The stream used for asynchronous deallocation when
             the buffer is closed or garbage collected.
+
+        Note
+        ----
+        The descriptor payload and ``size`` are supplied by the exporting peer
+        and must be treated as untrusted input unless the peer is known to be
+        cooperating.
         """
 
     @property

cuda_core/cuda/core/_memory/_buffer.pyx

@@ -26,6 +26,7 @@ from cuda.core.typing import DevicePointerType
 
 from cuda.core._stream cimport Stream, Stream_accept, default_stream
 from cuda.core._utils.cuda_utils cimport HANDLE_RETURN, _parse_fill_value
+from cuda.core._utils.cuda_utils import warn_ipc_buffer_unpickle
 
 import sys
 from typing import TYPE_CHECKING
@@ -86,6 +87,13 @@ cdef class Buffer:
     allocations.
 
     Support for data interchange mechanisms are provided by DLPack.
+
+    Note
+    ----
+    Pickling an IPC-enabled :class:`Buffer` embeds an
+    :class:`~_memory.IPCBufferDescriptor`. Unpickling reconstructs the buffer
+    by calling :meth:`from_ipc_descriptor` and therefore performs an IPC
+    import. Do not unpickle buffers from untrusted sources.
     """
     def __cinit__(self) -> None:
         self._clear()
@@ -135,6 +143,7 @@ cdef class Buffer:
         # pickle path cannot thread an explicit stream through. Seed the
         # imported buffer's deallocation with the current context's default
         # stream; the receiver can override via buffer.close(stream).
+        warn_ipc_buffer_unpickle()
         return Buffer.from_ipc_descriptor(mr, ipc_descriptor, stream=default_stream())
 
     def __reduce__(self) -> tuple[object, ...]:
@@ -187,6 +196,12 @@ cdef class Buffer:
         stream : :obj:`~_stream.Stream`
             Keyword-only. The stream used for asynchronous deallocation when
             the buffer is closed or garbage collected.
+
+        Note
+        ----
+        The descriptor payload and ``size`` are supplied by the exporting peer
+        and must be treated as untrusted input unless the peer is known to be
+        cooperating.
         """
         return _ipc.Buffer_from_ipc_descriptor(cls, mr, ipc_descriptor, stream)
 

cuda_core/cuda/core/_memory/_device_memory_resource.pyi

@@ -105,7 +105,16 @@ class DeviceMemoryResource(_MemPool):
     an MMR is created and registered in the receiving process. Subsequently,
     buffers may be serialized and transferred using ordinary :mod:`pickle`
     methods.  The reconstruction procedure uses the registry to find the
-    associated MMR.
+    associated MMR. Unpickling a :class:`Buffer` performs an IPC import from
+    the embedded descriptor; only unpickle buffers received from trusted peers.
+
+    Warning
+    -------
+    IPC descriptors and pickled buffers cross a trust boundary between
+    cooperating same-host processes. A malicious peer can supply crafted
+    descriptor fields. Use :meth:`Buffer.from_ipc_descriptor` only with
+    descriptors from trusted peers, and do not unpickle buffers from
+    untrusted sources.
     """
 
     def __cinit__(self, *args, **kwargs) -> None:

cuda_core/cuda/core/_memory/_device_memory_resource.pyx

@@ -130,7 +130,16 @@ cdef class DeviceMemoryResource(_MemPool):
     an MMR is created and registered in the receiving process. Subsequently,
     buffers may be serialized and transferred using ordinary :mod:`pickle`
     methods.  The reconstruction procedure uses the registry to find the
-    associated MMR.
+    associated MMR. Unpickling a :class:`Buffer` performs an IPC import from
+    the embedded descriptor; only unpickle buffers received from trusted peers.
+
+    Warning
+    -------
+    IPC descriptors and pickled buffers cross a trust boundary between
+    cooperating same-host processes. A malicious peer can supply crafted
+    descriptor fields. Use :meth:`Buffer.from_ipc_descriptor` only with
+    descriptors from trusted peers, and do not unpickle buffers from
+    untrusted sources.
     """
 
     def __cinit__(self, *args, **kwargs) -> None:

cuda_core/cuda/core/_memory/_ipc.pyi

@@ -38,7 +38,14 @@ class IPCDataForMR:
         ...
 
 class IPCBufferDescriptor:
-    """Serializable object describing a buffer that can be shared between processes."""
+    """Serializable object describing a buffer that can be shared between processes.
+
+    Note
+    ----
+    The payload and ``size`` fields are controlled by the exporting peer.
+    Receivers must treat them as untrusted and import only through
+    :meth:`Buffer.from_ipc_descriptor`.
+    """
 
     def __init__(self, *arg, **kwargs) -> None:
         ...

cuda_core/cuda/core/_memory/_ipc.pyx

@@ -78,7 +78,14 @@ cdef class IPCDataForMR:
 
 
 cdef class IPCBufferDescriptor:
-    """Serializable object describing a buffer that can be shared between processes."""
+    """Serializable object describing a buffer that can be shared between processes.
+
+    Note
+    ----
+    The payload and ``size`` fields are controlled by the exporting peer.
+    Receivers must treat them as untrusted and import only through
+    :meth:`Buffer.from_ipc_descriptor`.
+    """
 
     def __init__(self, *arg, **kwargs) -> None:
         raise RuntimeError("IPCBufferDescriptor objects cannot be instantiated directly. Please use MemoryResource APIs.")

cuda_core/cuda/core/_utils/cuda_utils.pyi

@@ -60,6 +60,7 @@ _keep_nvrtc_in_stub: 'nvrtc.nvrtcResult'
 _keep_runtime_in_stub: 'runtime.cudaError_t'
 ComputeCapability = namedtuple('ComputeCapability', ('major', 'minor'))
 _fork_warning_checked = False
+_ipc_pickle_warning_checked = False
 
 def _check_driver_error(error: cydriver.CUresult) -> int:
     ...
@@ -140,5 +141,11 @@ def reset_fork_warning() -> None:
     to check the warning behavior.
     """
 
+def reset_ipc_pickle_warning() -> None:
+    """Reset the IPC buffer unpickle warning flag for testing purposes."""
+
+def warn_ipc_buffer_unpickle() -> None:
+    """Warn that unpickling a Buffer performs an IPC import from embedded data."""
+
 def check_multiprocessing_start_method() -> None:
     """Check if multiprocessing start method is 'fork' and warn if so."""

cuda_core/cuda/core/_utils/cuda_utils.pyx

@@ -348,6 +348,9 @@ class Transaction:
 # Track whether we've already warned about fork method
 _fork_warning_checked = False
 
+# Track whether we've already warned about unpickling IPC buffers
+_ipc_pickle_warning_checked = False
+
 
 def reset_fork_warning() -> None:
     """Reset the fork warning check flag for testing purposes.
@@ -359,6 +362,28 @@ def reset_fork_warning() -> None:
     _fork_warning_checked = False
 
 
+def reset_ipc_pickle_warning() -> None:
+    """Reset the IPC buffer unpickle warning flag for testing purposes."""
+    global _ipc_pickle_warning_checked
+    _ipc_pickle_warning_checked = False
+
+
+def warn_ipc_buffer_unpickle() -> None:
+    """Warn that unpickling a Buffer performs an IPC import from embedded data."""
+    global _ipc_pickle_warning_checked
+    if _ipc_pickle_warning_checked:
+        return
+    _ipc_pickle_warning_checked = True
+    message = (
+        "Unpickling a cuda.core.Buffer imports GPU memory via the embedded "
+        "IPCBufferDescriptor. Only unpickle Buffer objects received from a "
+        "trusted same-host peer process; malicious pickle payloads can supply "
+        "crafted descriptors. Prefer explicit Buffer.from_ipc_descriptor only "
+        "with descriptors from cooperating peers."
+    )
+    warnings.warn(message, UserWarning, stacklevel=4)
+
+
 cdef inline tuple _read_fill_ptr(const char* ptr, Py_ssize_t width):
     """Extract (value, element_size) from a raw pointer of known width."""
     cdef unsigned int val

cuda_core/tests/test_ipc_pickle_warning.py

@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Test warnings when unpickling IPC-enabled Buffer objects."""
+
+import warnings
+
+from cuda.core import Buffer
+from cuda.core._utils.cuda_utils import reset_ipc_pickle_warning, warn_ipc_buffer_unpickle
+
+NBYTES = 64
+
+
+def test_warn_on_buffer_unpickle(ipc_device, ipc_memory_resource):
+    """Unpickling an IPC buffer warns about the trust boundary."""
+    mr = ipc_memory_resource
+    buf = mr.allocate(NBYTES, stream=ipc_device.default_stream)
+
+    with warnings.catch_warnings(record=True) as w:
+        warnings.simplefilter("always")
+        reset_ipc_pickle_warning()
+        Buffer._reduce_helper(mr, buf.ipc_descriptor)
+
+        assert len(w) == 1, f"Expected 1 warning, got {len(w)}: {[str(x.message) for x in w]}"
+        warning = w[0]
+        assert warning.category is UserWarning
+        assert "unpickl" in str(warning.message).lower()
+        assert "ipc" in str(warning.message).lower()
+        assert "trusted" in str(warning.message).lower()
+
+
+def test_ipc_pickle_warning_emitted_only_once(ipc_device, ipc_memory_resource):
+    """The unpickle trust-boundary warning is emitted at most once per process."""
+    mr = ipc_memory_resource
+    buf1 = mr.allocate(NBYTES, stream=ipc_device.default_stream)
+    buf2 = mr.allocate(NBYTES, stream=ipc_device.default_stream)
+
+    with warnings.catch_warnings(record=True) as w:
+        warnings.simplefilter("always")
+        reset_ipc_pickle_warning()
+        Buffer._reduce_helper(mr, buf1.ipc_descriptor)
+        Buffer._reduce_helper(mr, buf2.ipc_descriptor)
+        warn_ipc_buffer_unpickle()
+
+        ipc_warnings = [x for x in w if "unpickl" in str(x.message).lower()]
+        assert len(ipc_warnings) == 1