| # llamafile GPU Source Injection PoC |
|
|
| Proof-of-concept for a remote code execution vulnerability in the llamafile format. |
|
|
| ## Vulnerability |
|
|
| A malicious `.llamafile` can embed a modified `ggml-metal-device.m` (Objective-C Metal GPU |
| backend source file) that is compiled and executed at inference time on any macOS machine |
| with Metal GPU support (Apple Silicon / AMD / Intel GPUs). |
|
|
| The injected `__attribute__((constructor))` function runs before any model inference, |
| giving the attacker arbitrary code execution upon GPU-accelerated model loading. |
|
|
| ## Technical Details |
|
|
| - **Format**: `.llamafile` is a ZIP archive (APE polyglot) containing source files |
| - **Target file**: `llama.cpp/ggml/src/ggml-metal/ggml-metal-device.m` |
| - **Vector**: `metal.c:BuildMetal()` extracts and compiles Metal sources via system `cc` |
| - **Trigger**: Running `./model.llamafile` on any macOS machine with a GPU |
| - **Impact**: Arbitrary code execution as the user running llamafile |
|
|
| ## Reproduction |
|
|
| ```bash |
| chmod +x poc_gpu_inject_final_v2.llamafile |
| rm -rf ~/.llamafile/ # clear cache to force re-extraction |
| ./poc_gpu_inject_final_v2.llamafile |
| # Observe: /tmp/llamafile_gpu_poc is created |
| ls /tmp/llamafile_gpu_poc |
| ``` |
|
|
| ## Files |
|
|
| - `poc_gpu_inject_final_v2.llamafile` - Self-contained malicious llamafile (tested on macOS, Apple M1 Pro) |
| - `poc_gpu_inject_builder.py` - Script showing how the PoC was constructed |
|
|
| ## Notes |
|
|
| The embedded `ggml-metal-device.m` prepends a constructor to the original Metal source. |
| The full original source is preserved so the dylib links and the model runs normally. |
| No user interaction beyond running the file is required. |
|
|
