File size: 1,367 Bytes
4042a56
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# llama.cpp Jinja2 Template Parser Stack Overflow PoC

## Vulnerability
**Type:** Stack Overflow via Uncontrolled Recursion (CWE-674)
**Location:** `common/jinja/parser.cpp` — recursive descent parser with no depth limit
**Severity:** Medium (CVSS 5.5) — DoS via crafted GGUF model file
**Tested:** llama.cpp commit c5ce4bc (2026-04-08)

## Root Cause
The Jinja2 template parser uses recursive descent with NO recursion depth limit.
A GGUF file with ~5,500+ levels of nested `{% if %}` blocks in `tokenizer.chat_template`
causes SIGSEGV (stack overflow) when any llama.cpp application loads the model.

## Crash Output
```
Depth 5000: Parser completed (OK)
Depth 5500: core dumped (SIGSEGV!)
Depth 10000: core dumped (SIGSEGV!)
```

## Files
- `poc_parser_stackoverflow.gguf` — Crafted GGUF with 50,000 nested if-blocks (~1.2 MB)
- `poc_recursive_macro.gguf` — Recursive macro that crashes at runtime (244 bytes)
- `poc_range_oom.gguf` — Unbounded range() causing OOM (203 bytes)
- `create_poc_jinja.py` — Generator script for all PoC variants

## Reproduction
```bash
# Build llama.cpp, then:
llama-server -m poc_parser_stackoverflow.gguf
# Result: Segmentation fault (core dumped)
```

## Suggested Fix
Add `MAX_PARSE_DEPTH` counter to recursive descent functions in parser.cpp.

**License:** MIT | **Researcher:** neimasilk | **Disclosure:** huntr.com