Upload README.md with huggingface_hub

0d2c1d9 verified 16 days ago

3.96 kB

	# SEGV in faiss (id:000281,sig:11,src:000857,time:39901240,execs:567662,op:havoc,rep:3)

	Severity: medium
	CWE: CWE-119
	Target: faiss
	Generated: 2026-02-19

	## Summary

	SEGV in faiss (id:000281,sig:11,src:000857,time:39901240,execs:567662,op:havoc,rep:3). See ASAN output below for details.

	## Reproduction

	```bash
	chmod +x reproduce.sh
	./reproduce.sh
	```

	Or manually:
	```bash
	cmake -B build-asan -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DFAISS_ENABLE_GPU=OFF && cmake --build build-asan -j$(nproc)
	ASAN_OPTIONS=detect_leaks=0 ./build-asan/fuzz_read_index ../poc.faiss
	```

	## PoC File

	- `poc.faiss` (507 bytes)

	## ASAN Output

	```
	AddressSanitizer:DEADLYSIGNAL
	=================================================================
	==2425791==ERROR: AddressSanitizer: SEGV on unknown address 0x505e800000a0 (pc 0x5ffc37d5419a bp 0x7ffd1b625ab0 sp 0x7ffd1b625a10 T0)
	==2425791==The signal is caused by a READ memory access.
	#0 0x5ffc37d5419a in faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>::reconstruct_component(unsigned char const*, unsigned long) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/quantizers.h:169:24
	#1 0x5ffc37d5419a in faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>::compute_distance(float const, unsigned char const) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/distance_computers.h:40:30
	#2 0x5ffc37d5419a in faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>::query_to_code(unsigned char const*) const /home/lab/huntr/targets/faiss/faiss/impl/scalar_quantizer/distance_computers.h:68:16
	#3 0x5ffc37d5419a in faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>::distance_to_code(unsigned char const*) const /home/lab/huntr/targets/faiss/faiss/impl/ScalarQuantizer.cpp:433:27
	#4 0x5ffc37d5419a in unsigned long faiss::(anonymous namespace)::run_scan_codes1<faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>, faiss::CMin<float, long>, false, false>(faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>> const&, unsigned long, unsigned char const, long const, faiss::ResultHandlerUnordered<float, long>&) /home/lab/huntr/targets/faiss/faiss/impl/expanded_scanners.h:48:29
	#5 0x5ffc37d5419a in unsigned long faiss::(anonymous namespace)::run_scan_codes_fix_C<faiss::CMin<float, long>, faiss::(anonymous namespace)::IVFSQScannerIP<faiss::scalar_quantizer::DCTemplate<faiss::scalar_quantizer::QuantizerTemplate<faiss::scalar_quantizer::Codec6bit, (faiss::scalar_quantizer::QuantizerTemplateScaling)1, 1>, faiss::scalar_quantizer::SimilarityIP<1>, 1>>>(faiss::(anonymous namespace)::IVFSQScanne
	```

	## Impact

	Memory corruption vulnerability reachable by processing a malformed faiss file.
	An attacker could craft a malicious file and distribute it to cause denial of service
	or potentially leak sensitive heap data.