---
library_name: llama.cpp
tags:
- security
- model-file-vulnerability
- mfv
- poc
license: mit
model_format: gguf
security_scan: intentionally-malformed
---

## Overview

This repository contains an intentionally malformed GGUF file created to demonstrate unsafe behavior in GGUF metadata parsing within `llama.cpp`.

This file is **not** a machine learning model. It is malformed by design and must not be used for inference or production.

The artifact exists solely for responsible security research, reproducibility, and validation by maintainers and Huntr’s Model File Vulnerability (MFV) triage team.

---

## Reproducer File

- **poc_array_overflow.gguf**

A minimized GGUF payload (~64 bytes) that triggers load-time undefined behavior during GGUF metadata parsing.

The file was minimized using AFL++ (`afl-tmin`) to produce a stable, deterministic reproducer.

---

## Technical Summary

- **Format:** GGUF (binary)
- **Model:** Not a model (intentionally malformed)
- **Attack surface:** GGUF metadata parsing
- **Trigger phase:** Model load (prior to tensor processing)

Malformed, attacker-controlled metadata values are propagated into GGUF parsing logic, resulting in unsafe arithmetic and undefined behavior during model loading.
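
The defensive counterpart to the behavior described above is a pre-load validator that compares every attacker-controlled count or length against the bytes actually remaining before using it in arithmetic or allocation. The following is an added example written for this page, not the repository's PoC and not `llama.cpp`'s `gguf.cpp`; the header layout and type codes follow the GGUF v2/v3 specification, while `GOOD`, `BAD_ARRAY` and `BAD_COUNT` are constructed inputs (the specific fault in `poc_array_overflow.gguf` is intentionally not described here).

```python
import struct
SCALAR_SIZES = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}  # GGUF type code -> byte width
T_STRING, T_ARRAY = 8, 9  # the two variable-length GGUF value types

def _bounded(buf: bytes, off: int, n: int) -> int:
    # Python ints never wrap, so comparing n with the bytes left is enough; C must do this BEFORE multiplying.
    if n > len(buf) - off:
        raise ValueError(f"need {n} bytes at offset {off}, only {len(buf) - off} left")
    return off + n

def _read(buf: bytes, off: int, fmt: str):
    end = _bounded(buf, off, struct.calcsize("<" + fmt))
    return struct.unpack_from("<" + fmt, buf, off), end

def _skip_value(buf: bytes, off: int, vtype: int) -> int:
    if vtype in SCALAR_SIZES:
        return _bounded(buf, off, SCALAR_SIZES[vtype])
    if vtype == T_STRING:
        (n,), off = _read(buf, off, "Q")
        return _bounded(buf, off, n)
    if vtype == T_ARRAY:
        (etype, count), off = _read(buf, off, "IQ")
        if etype in SCALAR_SIZES:
            return _bounded(buf, off, count * SCALAR_SIZES[etype])  # exact product, never wrapped
        if etype != T_STRING or count > len(buf) - off:  # every string element needs >= 8 bytes
            raise ValueError(f"array of element type {etype} with count {count} cannot fit")
        for _ in range(count):  # bounded by file size thanks to the check above
            off = _skip_value(buf, off, T_STRING)
        return off
    raise ValueError(f"invalid value type {vtype}")

def check_gguf(buf: bytes) -> dict:
    (version, n_tensors, n_kv), off = _read(buf, 4, "IQQ")  # v2/v3 header: magic, u32 version, u64 counts
    if buf[:4] != b"GGUF" or version not in (2, 3):
        raise ValueError("not a GGUF v2/v3 header")
    if n_kv > (len(buf) - off) // 13:  # a pair needs >= 8 (key len) + 4 (type) + 1 (value) bytes
        raise ValueError(f"metadata count {n_kv} cannot fit in {len(buf)} bytes")
    for _ in range(n_kv):
        (klen,), off = _read(buf, off, "Q")
        off = _bounded(buf, off, klen)
        (vtype,), off = _read(buf, off, "I")
        off = _skip_value(buf, off, vtype)
    return {"version": version, "n_tensors": n_tensors, "n_kv": n_kv, "metadata_end": off}

def make_gguf(n_kv: int, kvs: bytes) -> bytes:  # builds constructed test files, not the PoC from this repo
    return b"GGUF" + struct.pack("<IQQ", 3, 0, n_kv) + kvs

GOOD = make_gguf(1, struct.pack("<Q", 17) + b"general.alignment" + struct.pack("<II", 4, 32))
# uint32 array whose declared count makes count * 4 wrap to exactly 0 in 64-bit size_t arithmetic
BAD_ARRAY = make_gguf(1, struct.pack("<Q", 3) + b"arr" + struct.pack("<IIQ", T_ARRAY, 4, 1 << 62))
BAD_COUNT = make_gguf(1 << 63, b"")  # metadata pair count that no file could hold
```

`check_gguf(GOOD)` returns the parsed counts with `metadata_end` equal to the file length, while both malformed inputs are rejected with a `ValueError` before any per-element work is done.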

---

## Security Impact

This PoC demonstrates:

- Unsafe handling of attacker-controlled GGUF metadata
- Load-time undefined behavior in `gguf.cpp`
- Behavior not detected by automated model scanning (ProtectAI modelscan; see Scanner Behavior below)

The demonstrated impact is load-time undefined behavior / denial of service. No claims of memory corruption beyond this are made.

---

## Scanner Behavior

When scanned using ProtectAI **modelscan**, the file reports no issues, despite reliably triggering load-time undefined behavior when parsed by `llama.cpp`.

Scanner evidence is provided in the associated Huntr submission comments.

---

## Intended Use

This artifact is intended only for:

- Maintainer debugging
- MFV vulnerability validation
- Reproduction of unsafe GGUF parsing behavior
- Security hardening against malformed GGUF metadata

---

## Misuse Warning

This file must not be:

- Used for inference
- Loaded in production systems
- Distributed as a model
- Used outside controlled security testing environments

---

## Disclosure Context

This repository is part of a Huntr Model File Vulnerability (MFV) disclosure.

It does not correspond to a research model, dataset, or paper.

---

## Author

- **aTmHnTR**
  Security researcher (MFV submission)

---

## Contact

All vulnerability coordination must occur through Huntr’s MFV reporting system. Public discussion should avoid vulnerability details.