"""
ExecuTorch .pte Integer Overflow PoC
CWE-190: Integer Overflow in segment offset arithmetic
Target: executorch — pte_data_map.cpp, bundled_program.cpp, flatbuffer_program.cpp
"""


print("""
== ExecuTorch .pte Integer Overflow PoC ==

FINDING 1: Integer Overflow in PteDataMap::get_data()
  File: runtime/executor/pte_data_map.cpp:58
  Code: loader_->load(segment_offset + offset, ...)
  No overflow check on the segment_offset + offset addition

FINDING 2: Integer Overflow in BundledProgram segment loading
  File: devtools/bundled_program/bundled_program.cpp:79
  Code: segment_base_offset + offset (no overflow check)

FINDING 3: Integer Overflow in FlatBufferProgram::load_segment()
  File: extension/flat_tensor/flatbuffer_program.cpp:119
  Code: segment_base_offset + segment_offset (no overflow check)

DEFENSE BYPASS: ET_ENABLE_PROGRAM_VERIFICATION=0 in Release builds
  CMakeLists.txt:189 disables FlatBuffer verification
  InternalConsistency silently falls back to Minimal

The crafted .pte file overflow_poc.pte contains segment offsets designed to
wrap around on both 32-bit and 64-bit targets. When loaded:
  0xFFFFFFFFFFFFFF00 + 0x200 = 0x100 (wraps on 64-bit size_t)
This causes an out-of-bounds read from a low memory address.

All three findings are DISTINCT from CVE-2025-54952, which only patched
Program::LoadSegment() in program.cpp:593-600.
""")
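The check a reviewer would ask for at each of the three sites, as an added example that is not ExecuTorch's code: an unchecked sum that wraps for the report's own values (0xFFFFFFFFFFFFFF00 + 0x200) next to a checked helper that rejects both the wrap and a segment running past the end of the backing file. The function names and the `segment_len` / `file_size` parameters are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form, mirroring the pattern the report flags: the sum
 * silently wraps modulo SIZE_MAX + 1 when it exceeds SIZE_MAX. */
size_t unchecked_segment_addr(size_t segment_base, size_t offset) {
    return segment_base + offset;
}

/* Checked form (hypothetical helper, not ExecuTorch code). Writes the
 * absolute file offset to *out and returns true only if
 *   - segment_base + offset does not wrap, and
 *   - the segment_len bytes starting there lie inside file_size.
 * Returns false otherwise so the caller can refuse the load. */
bool checked_segment_addr(size_t segment_base, size_t offset,
                          size_t segment_len, size_t file_size,
                          size_t *out) {
    /* a + b wraps  <=>  a > SIZE_MAX - b; this form never wraps itself. */
    if (segment_base > SIZE_MAX - offset) {
        return false;
    }
    size_t start = segment_base + offset;
    /* Same test for the end of the segment, then the file bound. */
    if (segment_len > SIZE_MAX - start || start + segment_len > file_size) {
        return false;
    }
    *out = start;
    return true;
}

/* Convenience wrapper: returns the offset, or SIZE_MAX when rejected. */
size_t checked_segment_addr_or_max(size_t segment_base, size_t offset,
                                   size_t segment_len, size_t file_size) {
    size_t out;
    return checked_segment_addr(segment_base, offset, segment_len, file_size, &out)
               ? out : SIZE_MAX;
}

int main(void) {
    /* Constructed values from the report: the sum wraps to 0x100 on 64-bit
     * (and also on 32-bit once the constant is truncated to size_t). */
    size_t base = (size_t)0xFFFFFFFFFFFFFF00ULL;
    size_t off = 0x200;
    printf("unchecked: 0x%zx\n", unchecked_segment_addr(base, off));
    printf("checked:   %s\n",
           checked_segment_addr_or_max(base, off, 16, 4096) == SIZE_MAX ? "rejected" : "accepted");
    return 0;
}
```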
|
|