Add PoC: README.md
a1cc05b verified
metadata
license: mit
tags:
  - security
  - vulnerability
  - gguf
  - llama.cpp
  - poc

GGUF Parser NULL Pointer Dereference -- PoC

Vulnerability: NULL Pointer Dereference via attacker-controlled general.alignment field in gguf_init_from_file_impl()

Target: llama.cpp / ggml GGUF parser
Commit tested: b9da444 (latest main)
Severity: HIGH -- SEGV confirmed by AddressSanitizer
Submitted to: huntr.com bug bounty ($3,000-$4,000 tier)

Files

File                      Description
poc1_huge_alignment.gguf  518-byte malicious GGUF triggering SEGV crash
generate_malicious.py     Python 3 PoC generator (no dependencies)
ASAN_output.txt           Full AddressSanitizer + UBSan crash output

Quick Reproduction

# Clone and build with ASAN
git clone --depth=1 https://github.com/ggerganov/llama.cpp
cd llama.cpp

cmake -B build-asan \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" \
  -DCMAKE_C_FLAGS="-fsanitize=address,undefined -g" \
  -DGGML_NATIVE=OFF

cmake --build build-asan --target llama-gguf -j4

# Run PoC
export LD_LIBRARY_PATH=./build-asan/bin
./build-asan/bin/llama-gguf poc1_huge_alignment.gguf r

# Expected:
# AddressSanitizer: SEGV on unknown address 0x000000000000
# SUMMARY: AddressSanitizer: SEGV gguf.cpp:869 in gguf_get_version

Root Cause (gguf.cpp:559)

// VULNERABLE: only power-of-2 check, NO upper bound
if (ctx->alignment == 0 || (ctx->alignment & (ctx->alignment - 1)) != 0) {
    return nullptr;
}
// With alignment=2^31, fseek jumps to 2GB offset in a 518-byte file
// fread() returns 0, parser returns nullptr, caller dereferences it -> SEGV

Fix

const size_t GGUF_MAX_ALIGNMENT = (1u << 20);  // 1MB max
if (ctx->alignment == 0 ||
    (ctx->alignment & (ctx->alignment - 1)) != 0 ||
    ctx->alignment > GGUF_MAX_ALIGNMENT) {      // ADD THIS
    return nullptr;
}
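
A pre-load check for the condition described above, as an added example (not code from this repository or from llama.cpp): it walks the GGUF key/value metadata and reports whether general.alignment is a power of two no larger than the 1 MiB bound proposed in the fix. It assumes the GGUF v2+ layout with 64-bit counts and a default alignment of 32 when the key is absent; the function names are hypothetical and sample_header() builds a constructed header, not a real model file.

```python
import struct

MAX_ALIGNMENT = 1 << 20   # upper bound taken from the fix proposed on this page
DEFAULT_ALIGNMENT = 32    # assumed GGUF default when general.alignment is absent
SCALAR_SIZE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}
T_UINT32, T_STRING, T_ARRAY = 4, 8, 9

def num(buf, pos, fmt):  # unpack one little-endian field, never reading past buf
    if pos + struct.calcsize(fmt) > len(buf):
        raise ValueError("truncated GGUF metadata")
    return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)

def skip(buf, pos, vtype, nested=False):  # offset just past one metadata value
    if vtype == T_STRING:
        n, pos = num(buf, pos, "<Q")
    elif vtype == T_ARRAY and not nested:  # arrays of arrays are rejected below
        etype, pos = num(buf, pos, "<I")
        count, pos = num(buf, pos, "<Q")
        if etype not in SCALAR_SIZE:
            for _ in range(count):  # each element is bounds-checked, so this ends
                pos = skip(buf, pos, etype, nested=True)
            return pos
        n = count * SCALAR_SIZE[etype]
    elif vtype in SCALAR_SIZE:
        n = SCALAR_SIZE[vtype]
    else:
        raise ValueError(f"unsupported value type {vtype}")
    if pos + n > len(buf):
        raise ValueError("truncated GGUF metadata")
    return pos + n

def check_alignment(buf):  # returns (alignment, ok)
    if buf[:4] != b"GGUF": raise ValueError("not a GGUF file")
    n_kv, pos = num(buf, 16, "<Q")  # after magic, version (u32), tensor count (u64)
    alignment = DEFAULT_ALIGNMENT
    for _ in range(n_kv):
        _, kpos = num(buf, pos, "<Q")          # key length prefix
        kend = skip(buf, pos, T_STRING)        # bounds-checked end of the key
        vtype, pos = num(buf, kend, "<I")
        if buf[kpos:kend] == b"general.alignment" and vtype == T_UINT32:
            alignment, pos = num(buf, pos, "<I")
        else:
            pos = skip(buf, pos, vtype)
    ok = alignment != 0 and (alignment & (alignment - 1)) == 0 and alignment <= MAX_ALIGNMENT
    return alignment, ok

def sample_header(alignment):  # constructed sample: v3 header with one key
    return (b"GGUF" + struct.pack("<IQQQ", 3, 0, 1, 17) + b"general.alignment"
            + struct.pack("<II", T_UINT32, alignment))
```

Pass it the file contents, or enough of the start of the file to cover the metadata section, before handing the file to the native parser.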

This repo is gated -- access restricted to authorized security reviewers.