Avro huge declared metadata length memory DoS PoC
Benign security PoC for a Model Format Vulnerability report.
The malicious Avro object-container file is 158 bytes. It is generated from a valid control Avro file, then the encoded byte length of the avro.schema metadata value is changed to 2147483647.
When loaded, both latest Python Avro readers tested allocate/read based on the attacker-controlled declared length before validating that the tiny file contains that many bytes:
fastavro==1.12.2avro==1.12.1
The reproducer runs each loader in a child process with a 512 MB address-space limit so the host is not exhausted.
Files
control.avro- valid 155-byte Avro object-container file.malicious-huge-avro-schema-length.avro- 158-byte mutated file.reproduce.py- self-contained generator and loader reproducer.reproduce-result.json- local run output.picklescan-malicious.txt- picklescan output.modelscan-malicious.txt- modelscan output.SHA256SUMS.txt- artifact hashes.
Reproduce
python3 -m venv /tmp/avro-mfvpoc
/tmp/avro-mfvpoc/bin/python -m pip install --upgrade pip fastavro==1.12.2 avro==1.12.1
/tmp/avro-mfvpoc/bin/python reproduce.py
Expected result:
control.avro + fastavro: loads successfully
control.avro + apache-avro: loads successfully
malicious-huge-avro-schema-length.avro + fastavro: MemoryError
malicious-huge-avro-schema-length.avro + apache-avro: MemoryError
The PoC does not execute code and does not write outside its temporary working directory.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support