File size: 1,396 Bytes
0a4aae7
#!/usr/bin/env python3
"""
ExecuTorch .pte Integer Overflow PoC
CWE-190: Integer Overflow in segment offset arithmetic
Target: executorch — pte_data_map.cpp, bundled_program.cpp, flatbuffer_program.cpp
"""

print("""
== ExecuTorch .pte Integer Overflow PoC ==

FINDING 1: Integer Overflow in PteDataMap::get_data()
  File: runtime/executor/pte_data_map.cpp:58
  Code: loader_->load(segment_offset + offset, ...)
  No overflow check on segment_offset + offset addition

FINDING 2: Integer Overflow in BundledProgram segment loading
  File: devtools/bundled_program/bundled_program.cpp:79
  Code: segment_base_offset + offset (no overflow check)

FINDING 3: Integer Overflow in FlatBufferProgram::load_segment()
  File: extension/flat_tensor/flatbuffer_program.cpp:119
  Code: segment_base_offset + segment_offset (no overflow check)

DEFENSE BYPASS: ET_ENABLE_PROGRAM_VERIFICATION=0 in Release builds
  CMakeLists.txt:189 disables FlatBuffer verification
  InternalConsistency silently falls back to Minimal

The crafted .pte file overflow_poc.pte contains segment offsets designed to
wrap around on both 32-bit and 64-bit targets. When loaded:
  0xFFFFFFFFFFFFFF00 + 0x200 = 0x100 (wraps on 64-bit size_t)
  This causes out-of-bounds read from a low memory address.

All three findings are DISTINCT from CVE-2025-54952 which only patched
Program::LoadSegment() in program.cpp:593-600.
""")
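The script above only prints its findings; it does not show the arithmetic it describes or what a correct check looks like. The following is an added example, not code from ExecuTorch or from this PoC's author. It models a 64-bit `size_t` with `uint64_t`, shows the unchecked sum wrapping exactly as the text states (0xFFFFFFFFFFFFFF00 + 0x200 = 0x100), and beside it a hypothetical `checked_segment_range()` that rejects any segment whose start would wrap or whose `[start, start + len)` range falls outside the loaded file. The function names, the file size and the sample offsets are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical checked segment-offset computation (not ExecuTorch's code).
 * base: segment base offset from the header, rel: per-segment offset,
 * len: bytes the caller wants to read, file_size: size of the loaded .pte.
 * Returns true and writes *out_start only when base + rel cannot wrap and
 * the whole [base + rel, base + rel + len) range lies inside the file. */
bool checked_segment_range(uint64_t file_size, uint64_t base, uint64_t rel,
                           uint64_t len, uint64_t *out_start) {
    /* Guard the addition itself: if rel exceeds what is left below the
     * type's maximum, base + rel would wrap to a small value. */
    if (rel > UINT64_MAX - base) {
        return false;
    }
    uint64_t start = base + rel;
    /* Start must be within the file, and the length must fit after it.
     * Both comparisons are written as subtractions that cannot underflow. */
    if (start > file_size) {
        return false;
    }
    if (len > file_size - start) {
        return false;
    }
    *out_start = start;
    return true;
}

/* Convenience wrapper: returns the validated start offset, or UINT64_MAX
 * when the range is rejected (a valid start can never equal UINT64_MAX
 * because it must be <= file_size). */
uint64_t segment_start_or_fail(uint64_t file_size, uint64_t base,
                               uint64_t rel, uint64_t len) {
    uint64_t start = 0;
    if (!checked_segment_range(file_size, base, rel, len, &start)) {
        return UINT64_MAX;
    }
    return start;
}

/* The unchecked form the findings describe: plain addition on an unsigned
 * 64-bit value wraps modulo 2^64, so a huge base plus a small offset
 * yields a small, in-bounds-looking result. */
uint64_t unchecked_segment_start(uint64_t base, uint64_t rel) {
    return base + rel;
}

int main(void) {
    /* Constructed sample values; the first pair is the one quoted in the PoC text. */
    const uint64_t file_size = 4096;
    const uint64_t wrap_base = 0xFFFFFFFFFFFFFF00ULL;
    const uint64_t wrap_rel  = 0x200;

    printf("unchecked: 0x%llx + 0x%llx = 0x%llx\n",
           (unsigned long long)wrap_base, (unsigned long long)wrap_rel,
           (unsigned long long)unchecked_segment_start(wrap_base, wrap_rel));

    uint64_t start;
    bool ok = checked_segment_range(file_size, wrap_base, wrap_rel, 16, &start);
    printf("checked:   wrapping offsets -> %s\n", ok ? "accepted" : "rejected");

    ok = checked_segment_range(file_size, 1024, 512, 16, &start);
    printf("checked:   1024 + 512, len 16 -> %s (start %llu)\n",
           ok ? "accepted" : "rejected", (unsigned long long)start);

    ok = checked_segment_range(file_size, 4000, 90, 16, &start);
    printf("checked:   4000 + 90, len 16 -> %s (would run past EOF)\n",
           ok ? "accepted" : "rejected");
    return 0;
}
```

The two comparisons after the wrap guard are deliberately written as `start > file_size` and `len > file_size - start` rather than `start + len > file_size`, because the latter reintroduces exactly the kind of unchecked addition the findings are about.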