Cambricon MagicMind .magicmind Header bad_alloc Abort PoC
This repository contains benign .magicmind model artifacts that demonstrate a Cambricon MagicMind deserializer availability issue.
The PoC does not execute code, persist state, access credentials, or make network calls; it only demonstrates an uncaught allocation failure / process abort in a local model parser.
Summary
truncated_80b_u32_028_255.magicmind is an 80-byte MagicMind model header artifact.
It preserves the header magic and low 32 bits of the serialized protobuf-size field, but sets the high 32 bits of the 64-bit size field at header offset 0x18 to 255.
In MagicMind 1.8.0, DeserializeFromFile() reads the 80-byte model head, reads the artifact-controlled qword at offset 0x18 as the serialized protobuf size, and reaches operator new(proto_size).
The malformed artifact causes an uncaught std::bad_alloc, aborting the process.
A 79-byte artifact with the same mutated qword fails cleanly with "Read model head failed", so the 80-byte file is the minimal observed boundary that reaches the allocation path.
Affected Format
- Format: Cambricon MagicMind serialized model (.magicmind)
- Tested target: Cambricon MagicMind 1.8.0
- Trigger path: magicmind::IModel::DeserializeFromFile(...)
- Impact class: native parser availability DoS / uncaught std::bad_alloc
Artifacts
- artifacts/truncated_80b_u32_028_255.magicmind
  - SHA256: d741473ca58d4554e061ac22bbe5b701e54a46610d09de78958049bdbeb9bd50
  - Size: 80 bytes
  - Primary abort artifact
- artifacts/truncated_79b_u32_028_255.magicmind
  - SHA256: c12814f313c3d5b9a342810db5563a7cbf45b2daf9275e6114608a91dc560990
  - Size: 79 bytes
  - Boundary control; fails cleanly before the allocation path
- artifacts/truncated_64b_u32_028_255.magicmind
  - SHA256: dd3a90b1a65941c76959d238ccc8f723b5cd68ee488b09dbb6f0795449f26c73
  - Size: 64 bytes
  - Short clean-failure control
Reproduction
Build or provide a small MagicMind deserialization harness equivalent to src/mm_deserialize_harness.cpp.
Then run:
export MM_LIB=/path/to/magicmind_wheel/magicmind
export DEP_LIB=/path/to/neuware/lib64
export LD_LIBRARY_PATH="$MM_LIB:$DEP_LIB"
python verify_magicmind_header_badalloc.py --harness /path/to/mm_deserialize_harness
Expected high-level result:
- 64-byte and 79-byte controls exit cleanly with a MagicMind validation error.
- 80-byte primary artifact aborts with std::bad_alloc / SIGABRT.
Local Verification Notes
Local verification used:
- Cambricon MagicMind 1.8.0
- Wheel SHA256: 9542c7c0abe9c6fe2cc3a589fbf8d7d8ce9ffbef2dcd048db278d04059a80784
- ModelScan 0.8.8
Captured verifier output is in evidence/header_field_verification.tsv.
ModelScan 0.8.8 reported zero issues, scanned zero files, and skipped the .magicmind artifact as unsupported.
Root-Cause Signal
The public libmagicmind_runtime.so.1 binary retains useful symbols.
Local disassembly of magicmind::serializer::Deserializer::Deserialize(magicmind::ModelDef*) showed that the deserializer:
- reads exactly 0x50 bytes into magicmind::serializer::ModelHead;
- checks the magic qword at model-head offset 0x10;
- reads a qword from model-head offset 0x18;
- calls operator new(size) if that qword is non-zero;
- reads that many bytes into the allocation and passes it to protobuf parsing.
The seed model's qword at offset 0x18 was 0x0000000000043934.
The primary PoC changes it to 0x000000ff00043934, causing the allocation failure after the full 80-byte head is read.
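The following Python is an added illustration for this README, not code from the repository or from MagicMind. It reproduces the artifact construction (u32 at offset 28, the high half of the 0x18 size qword, set to 255, then truncated to 80/79/64 bytes) and models the two head-parsing paths: the unbounded one the disassembly describes, and a bounded one that refuses to allocate a payload larger than what follows the head. The magic value `ASSUMED_MAGIC`, little-endian field encoding, and the zero contents of the remaining head bytes are assumptions; only the 0x50-byte head, the offsets 0x10/0x18 and the seed size 0x43934 come from the text.

```python
"""Header mutation and bounds-check model for the .magicmind head.

Added example, not part of the PoC repository or of MagicMind. Facts from
the README: 0x50-byte head, magic qword at 0x10, size qword at 0x18, seed
size 0x43934. Assumed: magic bytes, little-endian fields, zero filler.
"""
import struct

HEAD_SIZE = 0x50             # bytes read into ModelHead (from the disassembly)
MAGIC_OFF = 0x10             # magic qword offset within the head
SIZE_OFF = 0x18              # serialized-protobuf-size qword offset
SEED_SIZE = 0x43934          # size qword observed in the seed model
ASSUMED_MAGIC = b"MAGICMND"  # placeholder; the real magic is not stated in the README


def build_seed_head(proto_size=SEED_SIZE, magic=ASSUMED_MAGIC):
    """Constructed 0x50-byte head; bytes outside the two known fields are zero (assumption)."""
    head = bytearray(HEAD_SIZE)
    head[MAGIC_OFF:MAGIC_OFF + 8] = magic
    head[SIZE_OFF:SIZE_OFF + 8] = struct.pack("<Q", proto_size)
    return bytes(head)


def mutate_u32(data, offset, value):
    """Overwrite one little-endian u32; offset 28 (0x1C) is the high half of the size qword."""
    out = bytearray(data)
    out[offset:offset + 4] = struct.pack("<I", value)
    return bytes(out)


def make_artifacts(seed):
    """Mirror the three artifact names: u32 at offset 28 set to 255, truncated to 80/79/64 bytes."""
    mutated = mutate_u32(seed, 28, 255)
    return {n: mutated[:n] for n in (80, 79, 64)}


class HeadError(ValueError):
    """Clean validation failure, i.e. the deserializer returns an error instead of allocating."""


def parse_head_naive(data):
    """Model of the observed path: returns the size that would reach operator new(size)."""
    if len(data) < HEAD_SIZE:
        raise HeadError("Read model head failed")
    if data[MAGIC_OFF:MAGIC_OFF + 8] != ASSUMED_MAGIC:
        raise HeadError("bad magic")
    size, = struct.unpack_from("<Q", data, SIZE_OFF)
    return size  # a non-zero value goes straight to operator new in the observed binary


def parse_head_checked(data, max_proto_size=1 << 31):
    """Same parse with the bound the PoC shows is missing: the declared payload must fit the file."""
    size = parse_head_naive(data)
    available = len(data) - HEAD_SIZE
    if size > available:
        raise HeadError(f"declared protobuf size {size:#x} exceeds {available:#x} bytes after the head")
    if size > max_proto_size:
        raise HeadError(f"declared protobuf size {size:#x} exceeds cap {max_proto_size:#x}")
    return size


def outcome(parser, data):
    """Summarise a parse as 'alloc:<size>' or 'error:<message>' for side-by-side comparison."""
    try:
        return f"alloc:{parser(data):#x}"
    except HeadError as exc:
        return f"error:{exc}"


if __name__ == "__main__":
    seed = build_seed_head()
    for n, art in sorted(make_artifacts(seed).items()):
        print(f"{n:>3} bytes  naive={outcome(parse_head_naive, art)}  "
              f"checked={outcome(parse_head_checked, art)}")
```

Run stand-alone it prints one line per artifact; the 80-byte case is the only one whose naive outcome is an allocation (of 0xff00043934 bytes, just under 1 TiB), which is exactly the request that throws std::bad_alloc in the real parser, while the bounded variant rejects all three before any allocation.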
Limitation
This is a parser availability issue, not arbitrary code execution. The proof demonstrates a controlled process abort from a model artifact in a closed binary parser.