Security PoC β llama.cpp GGUF array element-type confusion (heap OOB read)
This repository does NOT contain a usable model. The
.gguffiles here are tiny, deliberately-malformed GGUF files that serve as a security proof-of-concept for a memory-safety bug inggml-org/llama.cpp's tokenizer/vocab loader. They are uploaded here solely to support a coordinated vulnerability disclosure via huntr. They trigger a heap out-of-bounds read at model-load time.
What the bug is
gguf_get_arr_data() returns the raw backing buffer of a GGUF array and asserts only that
the element type is not STRING. Several consumers in llama.cpp cast that buffer to a
4-byte element type (float / int32) after validating only the array count, never the
element type. A crafted GGUF that declares a tokenizer array (e.g. tokenizer.ggml.scores)
with a 1-byte element type (INT8) backs only count Γ 1 bytes, but the consumer reads
count Γ 4 bytes β heap out-of-bounds read (CWE-125) at model load. The over-read
magnitude is attacker-controlled (a large declared token count forces a hundreds-of-KB
over-read β reliable DoS). Observed impact is an out-of-bounds read (DoS); no write
primitive observed, no RCE claimed.
- Downloads last month
- -
We're not able to determine the quantization variants.