neimasilk's picture
Upload README.md with huggingface_hub
4042a56 verified
|
Raw
History Blame Contribute Delete
1.37 kB
# llama.cpp Jinja2 Template Parser Stack Overflow PoC
## Vulnerability
**Type:** Stack Overflow via Uncontrolled Recursion (CWE-674)
**Location:** `common/jinja/parser.cpp` β€” recursive descent parser with no depth limit
**Severity:** Medium (CVSS 5.5) β€” DoS via crafted GGUF model file
**Tested:** llama.cpp commit c5ce4bc (2026-04-08)
## Root Cause
The Jinja2 template parser uses recursive descent with NO recursion depth limit.
A GGUF file with ~5,500+ levels of nested `{% if %}` blocks in `tokenizer.chat_template`
causes SIGSEGV (stack overflow) when any llama.cpp application loads the model.
## Crash Output
```
Depth 5000: Parser completed (OK)
Depth 5500: core dumped (SIGSEGV!)
Depth 10000: core dumped (SIGSEGV!)
```
## Files
- `poc_parser_stackoverflow.gguf` β€” Crafted GGUF with 50,000 nested if-blocks (~1.2 MB)
- `poc_recursive_macro.gguf` β€” Recursive macro that crashes at runtime (244 bytes)
- `poc_range_oom.gguf` β€” Unbounded range() causing OOM (203 bytes)
- `create_poc_jinja.py` β€” Generator script for all PoC variants
## Reproduction
```bash
# Build llama.cpp, then:
llama-server -m poc_parser_stackoverflow.gguf
# Result: Segmentation fault (core dumped)
```
## Suggested Fix
Add `MAX_PARSE_DEPTH` counter to recursive descent functions in parser.cpp.
**License:** MIT | **Researcher:** neimasilk | **Disclosure:** huntr.com