
OpenVINO: Integer Overflow in IR Loader → OOB Memory Access (CWE-789 / CWE-190)

Status: CONFIRMED — READY TO SUBMIT

Severity: High (P2) — OOB Read/Write via crafted .xml model file

Target

  • Repo: openvinotoolkit/openvino
  • Platform: huntr.com
  • Format: OpenVINO IR v11 (.xml + .bin)

Note on XXE

XXE is NOT possible. OpenVINO uses pugixml which architecturally cannot resolve external entities. Do not report XXE. This is the only finding.


Root Cause

set_constant_num_buffer() calls the unsafe ov::shape_size() overload (std::accumulate + std::multiplies, no overflow check) on attacker-controlled shape values. The safe shape_size_safe() (with mul_overflow per step) exists in the same codebase but is only used by allocate_buffer().

Vulnerable file: src/core/xml_util/src/xml_deserialize_util.cpp

// UNSAFE — no overflow check:
if (size < ((ov::shape_size(shape) * el_type.bitwidth() + 7) >> 3))
    throw ...;
// If shape_size() overflows to 0, the check becomes: if (size < 0) → false → BYPASSED

Safe path (unused here):

// shape_util.cpp — shape_size_safe():
if (mul_overflow(size, *first, size)) return std::nullopt;

Attack

Shape [4611686018427387904, 4] (2^62 × 4):

  • ov::shape_size() overflows signed int64 → UB, typically wraps to 0
  • Check: 4 < (0 * 32 + 7) >> 3 → 4 < 0 → false → check bypassed
  • Constant node created: shape claims 2^64 elements, buffer is 4 bytes
  • Any downstream use (inference, shape propagation) → OOB read/write

Vulnerable Files

File                                              Location                    Issue
src/core/xml_util/src/xml_deserialize_util.cpp    set_constant_num_buffer()   Calls unsafe ov::shape_size() on attacker-controlled shape
src/core/include/openvino/core/shape.hpp          shape_size()                std::accumulate + std::multiplies, no overflow check
src/core/src/shape_util.cpp                       shape_size_safe()           Safe version — NOT called here

PoC Files

  • poc_openvino_int_overflow.py — builds crafted IR and triggers bypass + OOB
  • poc_overflow_patterns.py — tests multiple overflow shapes systematically

Reproduction

pip install openvino
python poc_openvino_int_overflow.py

Fix

Replace in set_constant_num_buffer():

// Replace:
if (size < ((ov::shape_size(shape) * el_type.bitwidth() + 7) >> 3))
    throw ...;
// With (shape_size_safe() returns std::optional, so the overflow case is
// tested explicitly; a throw expression cannot be passed to value_or()):
const auto num_elements = ov::shape_size_safe(shape);
if (!num_elements)
    OPENVINO_THROW("Shape overflow");  // project macro that raises ov::Exception
if (size < ((*num_elements * el_type.bitwidth() + 7) >> 3))
    throw ...;
// The remaining "* bitwidth() + 7" arithmetic should be overflow-checked the same way.
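To make the bypass and the fix concrete, here is an added stand-alone example (not OpenVINO's own code) that puts the unchecked product beside a checked one in the style of shape_size_safe()/mul_overflow, and applies the same byte-size guard with every step checked; the names unchecked_shape_size, checked_shape_size, buffer_size_ok and unchecked_guard_passes are hypothetical, and the overflow builtins assume GCC or Clang.

```cpp
// Added example, not OpenVINO code. Hypothetical helper names; relies on the
// GCC/Clang __builtin_*_overflow intrinsics for checked arithmetic.
#include <cstddef>
#include <functional>
#include <numeric>
#include <optional>
#include <vector>

using Shape = std::vector<std::size_t>;

// Unchecked product, mirroring std::accumulate + std::multiplies: a
// dimension pair whose product reaches 2^64 silently wraps to 0.
std::size_t unchecked_shape_size(const Shape& shape) {
    return std::accumulate(shape.begin(), shape.end(), std::size_t{1},
                           std::multiplies<std::size_t>());
}

// Checked product: reports std::nullopt as soon as any partial product
// overflows, instead of returning a wrapped value.
std::optional<std::size_t> checked_shape_size(const Shape& shape) {
    std::size_t size = 1;
    for (std::size_t dim : shape) {
        if (__builtin_mul_overflow(size, dim, &size)) return std::nullopt;
    }
    return size;
}

// The loader's guard "(elements * bitwidth + 7) >> 3", with each arithmetic
// step checked. Returns true only when the blob holds enough bytes; any
// overflow on the way is treated as "not enough", never as 0 bytes needed.
bool buffer_size_ok(const Shape& shape, std::size_t bitwidth, std::size_t blob_bytes) {
    const auto n = checked_shape_size(shape);
    if (!n) return false;
    std::size_t bits = 0;
    if (__builtin_mul_overflow(*n, bitwidth, &bits)) return false;
    std::size_t rounded = 0;
    if (__builtin_add_overflow(bits, std::size_t{7}, &rounded)) return false;
    return blob_bytes >= (rounded >> 3);
}

// The unchecked guard as quoted in the write-up, for comparison: "passes"
// means the constant would be accepted with blob_bytes of storage.
bool unchecked_guard_passes(const Shape& shape, std::size_t bitwidth, std::size_t blob_bytes) {
    return !(blob_bytes < ((unchecked_shape_size(shape) * bitwidth + 7) >> 3));
}
```

With the write-up's shape [2^62, 4] and a 4-byte blob, unchecked_guard_passes() returns true while buffer_size_ok() returns false, which is exactly the difference the fix relies on.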