Cambricon CNRT cnrtLoadModelFromMem() truncated .mef stack-overflow PoC
This repository contains a Cambricon .mef sample copied from Cambricon's
public Docker image plus a 512-byte truncated variant.
Observed behavior in CNRT 4.9.1:
- control sample:
cnrtLoadModel()succeedscnrtLoadModelFromMem()succeeds
- malicious truncated sample:
cnrtLoadModel()returns a handled errorcnrtLoadModelFromMem()terminates the process with a fatal stack overflow
Files:
control_mlp_mlu270.mef: control sample from the public imagemalicious_truncated_512.mef: crafted 512-byte truncationprobe_mem_vs_file.py: minimal loader probe executed inside the public Docker imagereproduce.py: control-vs-malicious host-side reproducer
Public repo:
- Repo:
https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc - Control file:
https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/control_mlp_mlu270.mef - Malicious file:
https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/malicious_truncated_512.mef - Reproducer:
https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/reproduce.py - Probe:
https://huggingface.co/hacnho/cambricon-cnrt-loadmodelfrommem-truncated-mef-stackoverflow-poc/resolve/main/probe_mem_vs_file.py - Repo state at verification time:
private=false, commitd853eda36c8505583cb5d03b6ca0b3dba71c5c50
Reproduction:
python3 build_poc.py
python3 reproduce.py
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support