| # CoreML Span::Slice Integer Overflow PoC | |
| **CVE:** Pending | |
| **Severity:** High | |
| **Affected:** coremltools 9.0 (macOS / Linux) | |
| ## Vulnerability | |
| Integer overflow in `MILBlob::Util::Span::Slice` (`mlmodel/src/MILBlob/Util/Span.hpp:325`) bypasses bounds checks when loading a CoreML mlProgram model with a crafted `weight.bin`. Results in out-of-bounds memory access β **SIGSEGV (process crash)** on `ct.models.MLModel()`. | |
| ```cpp | |
| // Bounds check in Span::Slice β NO overflow protection: | |
| MILVerifyIsTrue(size > 0 && index < Size() && index + size <= Size(), ...) | |
| // βββββββββββββββββββββ | |
| // index=128, size=0xFFFFFFFFFFFFFF80 β 128 + 0xFFFFFFFFFFFFFF80 = 0 β PASSES | |
| ``` | |
| ## Files | |
| - `evil_crash.mlpackage/` β malicious CoreML model with crafted weight.bin | |
| - `poc.py` β standalone PoC that loads the model and captures the crash | |
| ## Reproduce | |
| ```bash | |
| pip install coremltools | |
| python3.12 poc.py | |
| ``` | |
| Expected: `Exit code: -11 (SIGSEGV β signal 11)` | |
| ## Reported By | |
| Security research β huntr.dev disclosure | |