Add ACE PoC
- README.md +14 -0
- custom_checkpoint_0.pkl +3 -0
README.md
ADDED
|
@@ -0,0 +1,14 @@
| 1 |
+
# accelerate load_custom_state() ACE PoC
|
| 2 |
+
|
| 3 |
+
This checkpoint demonstrates arbitrary code execution via accelerate's
|
| 4 |
+
`load_custom_state()` function which explicitly uses `weights_only=False`.
|
| 5 |
+
|
| 6 |
+
When loaded via `accelerator.load_state()`, the pickle payload executes
|
| 7 |
+
arbitrary code before any validation.
|
| 8 |
+
|
| 9 |
+
Vulnerable code in accelerate/checkpointing.py:
|
| 10 |
+
```python
|
| 11 |
+
def load_custom_state(obj, path, index: int = 0):
|
| 12 |
+
load_location = f"{path}/custom_checkpoint_{index}.pkl"
|
| 13 |
+
obj.load_state_dict(load(load_location, map_location="cpu", weights_only=False))
|
| 14 |
+
```
|
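Review bot: The README says (lines 3-7) that the checkpoint executes arbitrary code when loaded via `accelerator.load_state()`, but it never states what the bundled payload actually does, so anyone reproducing this cannot tell which side effect to expect or confirm it is harmless before loading. Please add a line describing the payload's observable effect and a note that the file should only be loaded in a disposable environment. It would also help to name the accelerate version or commit the snippet on lines 11-13 was copied from, and to show where the bare `load(...)` on line 13 is imported from, since the excerpt alone does not identify the loader being called with `weights_only=False`.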
custom_checkpoint_0.pkl
ADDED
|
@@ -0,0 +1,3 @@
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:b5979a70adcbf2f88fe53da9c20cb8d0a196efe18530103088fadaf2bc0fdb75
|
| 3 |
+
size 1789
|
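Review bot: `custom_checkpoint_0.pkl` is added only as a Git LFS pointer (the `oid sha256:` line and `size 1789`), so the contents of the pickle cannot be reviewed from this diff and the only way to learn what it does is to fetch and load it. Suggest documenting the payload in the README, for example with a disassembly of the pickle stream produced by `pickletools`, so that reviewers can inspect it without unpickling anything.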