Cambricon CNRT cnrtLoadModelFromMem() truncated .mef stack-overflow PoC

This repository contains a Cambricon .mef sample copied from Cambricon's public Docker image plus a 512-byte truncated variant.

Observed behavior in CNRT 4.9.1:

  • control sample:
    • cnrtLoadModel() succeeds
    • cnrtLoadModelFromMem() succeeds
  • malicious truncated sample:
    • cnrtLoadModel() returns a handled error
    • cnrtLoadModelFromMem() terminates the process with a fatal stack overflow

Files:

  • control_mlp_mlu270.mef: control sample from the public image
  • malicious_truncated_512.mef: crafted 512-byte truncation
  • probe_mem_vs_file.py: minimal loader probe executed inside the public Docker image
  • reproduce.py: control-vs-malicious host-side reproducer

Public repo:

  • Repo: https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc
  • Control file: https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/control_mlp_mlu270.mef
  • Malicious file: https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/malicious_truncated_512.mef
  • Reproducer: https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/reproduce.py
  • Probe: https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/probe_mem_vs_file.py
  • Repo state at verification time: private=false, commit d853eda36c8505583cb5d03b6ca0b3dba71c5c50

Reproduction:

python3 build_poc.py
python3 reproduce.py
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support