How to use from the
Use from the
llama-cpp-python library
# Gated model: Login with a HF token with gated access permission
hf auth login
# !pip install llama-cpp-python

from llama_cpp import Llama

llm = Llama.from_pretrained(
	repo_id="Hironabe333/gguf-tensor-type-enum-abort-poc",
	filename="",
)
output = llm(
	"Once upon a time,",
	max_tokens=512,
	echo=True
)
print(output)

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

GGUF tensor info type field out-of-range SIGABRT β€” PoC

Finding: GGUF tensor info per-tensor type field (ggml_type enum) out-of-range causes C runtime SIGABRT while Python reader rejects safely
Round: ROUND_AI378/AI379
Target: GGUF (.gguf) β€” llama-cpp-python / llama.cpp (huntr MFV)
Affected version: llama-cpp-python 0.2.90 (llama.cpp commit 1d1ccce67613674c75c9c7e3fa4c1e24e428ba48)


1. Summary

A GGUF model file contains a tensor info section where each tensor entry includes a type field encoding a ggml_type enum value. In llama-cpp-python 0.2.90, the C runtime (gguf_init_from_file) reads and dispatches on this per-tensor type field without first validating that it falls within the valid enum range. Placing an out-of-range value (such as 255, 99, or 50) in the tensor type field causes the process to abort with SIGABRT (exit -6). The Python gguf library (v0.19.0) rejects the same files safely with a ValueError.

This finding is distinct from the previously submitted GGUF KV entry type enum issue (ROUND_AI377). That issue mutated the per-KV type field in the KV metadata body and crashed at gguf_init_from_file+0x3d8. This issue mutates the per-tensor type field in the tensor info section and crashes at gguf_init_from_file+0xfac.


2. Environment

Component Version
OS Linux aarch64 (Ubuntu 22.04)
Python 3.10.12
llama-cpp-python 0.2.90
llama.cpp commit 1d1ccce67613674c75c9c7e3fa4c1e24e428ba48
gguf (Python library) 0.19.0

3. Root Cause

The GGUF format's tensor info section contains one entry per tensor. Each entry has the structure:

name_len   (uint64_le)   β€” byte length of tensor name
name       (uint8[])     β€” tensor name bytes
n_dims     (uint32_le)   β€” number of dimensions
dims       (uint64_le Γ— n_dims) β€” dimension sizes
type       (uint32_le)   β€” ggml_type enum value  ← VULNERABLE FIELD
offset     (uint64_le)   β€” data offset

The type field encodes the tensor's quantization format as a ggml_type enum. Valid values are defined by GGMLQuantizationType in the Python library. In llama-cpp-python 0.2.90, the C runtime reads this field and uses it in a dispatch operation without checking whether the value is within the valid enum range. Out-of-range values cause abort() to be called, producing SIGABRT (exit -6).


4. Affected Field

Property Value
Field name tensor info type (per-tensor)
Field type uint32_le
Binary offset in PoC 457
Section Tensor info section (after KV metadata body)
Enum class ggml_type / GGMLQuantizationType
Crash offset gguf_init_from_file+0xfac

5. Binary Layout

In the PoC GGUF file (512 bytes):

Offset  Size  Field
0       4     magic (GGUF)
4       4     version (3)
8       8     tensor_count
16      8     kv_count
24      …     KV metadata entries (not mutated)
412     …     Tensor info section begins
412     8     name_len = 17
420     17    name = "token_embd.weight"
437     4     n_dims = 2
441     16    dims
457     4     type ← MUTATED FIELD (baseline=0, mutants=255/99/50)
461     8     offset

6. Reproduction Steps

pip install llama-cpp-python==0.2.90 gguf==0.19.0
python reproduce.py

To inspect binary layout and confirm mutation scope:

python inspect_artifacts.py

7. Expected Results

  • baseline.gguf (type=0): C runtime exits 0 or raises non-crash Python exception; Python gguf reader returns OK
  • tensor_type_0xff.gguf (type=255): Python gguf reader raises ValueError: GGMLQuantizationType; C runtime exits cleanly
  • tensor_type_99.gguf (type=99): Python gguf reader raises ValueError; C runtime exits cleanly
  • tensor_type_50.gguf (type=50): Python gguf reader raises ValueError; C runtime exits cleanly

8. Observed Results

File Python gguf 0.19.0 C runtime (3 runs)
baseline.gguf OK (type=0) exit 0, 0, 0
tensor_type_0xff.gguf ValueError: GGMLQuantizationType -6, -6, -6 (SIGABRT)
tensor_type_99.gguf ValueError: GGMLQuantizationType -6, -6, -6 (SIGABRT)
tensor_type_50.gguf ValueError: GGMLQuantizationType -6, -6, -6 (SIGABRT)

9/9 SIGABRT on mutant files.


9. Distinctness from Prior GGUF Findings

This finding is distinct from all prior GGUF submissions:

Dimension This finding ROUND_AI377 (KV type enum) ROUND_AI371 (kv_count)
Mutated field Per-tensor type in tensor info Per-KV type in KV body kv_count in header
Binary section Tensor info section KV metadata body GGUF header
Enum class GGMLQuantizationType GGUFValueType N/A (count field)
Crash offset +0xfac +0x3d8 ggml.c:366
Python exception ValueError: GGMLQuantizationType ValueError: GGUFValueType IndexError
Required fix Range-check tensor-info ggml_type Range-check KV-entry gguf_type Validate kv_count bounds

10. Non-Claims

  • This report does not claim arbitrary code execution (RCE/ACE)
  • This report does not claim memory corruption
  • This report does not claim data exfiltration
  • This report does not claim all GGUF consumers are affected
  • This report is version-scoped to llama-cpp-python 0.2.90 (tested behavior)
  • This report does not claim current/latest llama-cpp-python is affected
  • This report does not claim High, Critical, or specific CVSS scores

Impact is limited to deterministic process abort / denial of service on the confirmed version.


11. Recommendation

Add an explicit range check on the tensor info type field before dispatch:

if (info->type >= GGML_TYPE_COUNT) {
    GGML_LOG_ERROR("%s: invalid ggml_type %d for tensor '%s'\n",
                   __func__, info->type, info->name.data);
    ok = false;
    break;
}

This check is analogous to the fix recommended for the KV entry type field (ROUND_AI377) but applied to the tensor info section rather than the KV metadata body.


Files

File Description
baseline.gguf Baseline GGUF β€” tensor type=0 (valid)
tensor_type_0xff.gguf Mutant β€” tensor type=255 (out-of-range)
tensor_type_99.gguf Mutant β€” tensor type=99 (out-of-range)
tensor_type_50.gguf Mutant β€” tensor type=50 (out-of-range)
reproduce.py Demonstrates Python/C runtime differential
inspect_artifacts.py Verifies mutation scope and binary offsets
runtime_results.json Runtime evidence (9/9 SIGABRT)
hash_matrix.json SHA256 + mutation metadata
distinctness_matrix.json Distinctness vs 3 prior GGUF submissions
route_framing.json Route/reward/non-claims metadata
SHA256SUMS.txt File integrity checksums
Downloads last month
-
GGUF
Model size
4 params
Architecture
llama
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support