Avro huge declared metadata length memory DoS PoC

Benign security PoC for a Model Format Vulnerability report.

The malicious Avro object-container file is 158 bytes. It is generated from a valid control Avro file, then the encoded byte length of the avro.schema metadata value is changed to 2147483647.

When loaded, both latest Python Avro readers tested allocate/read based on the attacker-controlled declared length before validating that the tiny file contains that many bytes:

  • fastavro==1.12.2
  • avro==1.12.1

The reproducer runs each loader in a child process with a 512 MB address-space limit so the host is not exhausted.

Files

  • control.avro - valid 155-byte Avro object-container file.
  • malicious-huge-avro-schema-length.avro - 158-byte mutated file.
  • reproduce.py - self-contained generator and loader reproducer.
  • reproduce-result.json - local run output.
  • picklescan-malicious.txt - picklescan output.
  • modelscan-malicious.txt - modelscan output.
  • SHA256SUMS.txt - artifact hashes.

Reproduce

python3 -m venv /tmp/avro-mfvpoc
/tmp/avro-mfvpoc/bin/python -m pip install --upgrade pip fastavro==1.12.2 avro==1.12.1
/tmp/avro-mfvpoc/bin/python reproduce.py

Expected result:

control.avro + fastavro: loads successfully
control.avro + apache-avro: loads successfully
malicious-huge-avro-schema-length.avro + fastavro: MemoryError
malicious-huge-avro-schema-length.avro + apache-avro: MemoryError

The PoC does not execute code and does not write outside its temporary working directory.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support