| # GGML common-ggml.cpp — Stack Buffer Overflow (CWE-121) |
|
|
| A crafted 255-byte model file causes a stack buffer overflow in `gpt-2-quantize` / `gpt-j-quantize` with attacker-controlled data, enabling potential code execution. |
|
|
| ## Vulnerability |
|
|
| **File:** `examples/common-ggml.cpp:113-116` in `ggml_common_quantize_0()` |
| **Root Cause:** `n_dims` is read from the model file with no bounds check, then used to index `int32_t ne[4]`. Setting `n_dims > 4` writes attacker-controlled data past the 16-byte stack array. |
|
|
| ## Reproduction |
|
|
| ```bash |
| # Generate the malicious model file |
| python3 gen_stack_overflow_v2.py |
| |
| # Build ggml with AddressSanitizer |
| git clone https://github.com/ggerganov/ggml && cd ggml |
| mkdir build && cd build |
| cmake .. -DCMAKE_BUILD_TYPE=Debug \ |
| -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \ |
| -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \ |
| -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \ |
| -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" |
| make -j4 gpt-2-quantize |
| |
| # Trigger crash |
| ./bin/gpt-2-quantize malicious_gpt2_v2.bin output.bin q4_0 |
| # Result: Segmentation fault (without ASan) / ASan: stack-buffer-overflow (with ASan) |
| ``` |
|
|
| ## Files |
|
|
| | File | Description | |
| |---|---| |
| | `malicious_gpt2_v2.bin` | 255-byte malicious GPT-2 model file (n_dims=32) | |
| | `gen_stack_overflow_v2.py` | Python generator script | |
|
|
| ## Impact |
|
|
| Stack buffer overflow with attacker-controlled data. Overwrites saved registers, return address, and adjacent stack variables in `ggml_common_quantize_0()`. Potential for arbitrary code execution when a user quantizes a malicious model file. |
|
|
| ## Tested Version |
|
|
| ggml 0.11.0 (commit ac6f7b44f60fde0091f0b3d99afde48f8c99b13a) |
|
|
