ExecuTorch .pte model-file vulnerability PoC (huntr MFV disclosure)

Authorized security-research PoC for two model-file parsing bugs in pytorch/executorch (<= 1.3.1, main @ c9688e9). Both are crafted .pte files that a victim loading the model processes with no interaction / no auth.

  • malicious_xnnpack_scale_oob.pte โ€” XNNPACK PerChannelQuant scale-buffer length not checked vs channel count (CWE-125 OOB read). Tensor declares 128 channels but supplies 1 scale; ExecuTorch accepts it (the sibling PerChannelGroupQuant path rejects the mismatch) and XNNPACK reads dims[channel_dim]=128 scales from a 1-element buffer at delegate init. Ref: backends/xnnpack/runtime/XNNCompiler.cpp:519-548 (sibling guard at :596).
  • malicious_compute_numel.pte โ€” compute_numel unchecked integer overflow (CWE-190). Tensor sizes [2147483647,2147483647,4]; nbytes() = 18446744004990074896 (int64 overflow) -> model load fails (DoS). Ref: runtime/core/portable_type/tensor_impl.cpp:42 (sibling safe_numel:64 uses c10::mul_overflows).

Repro: pip install executorch==1.3.1 torch==2.12.0 then load each file with executorch.extension.pybindings.portable_lib._load_for_executorch_from_buffer. For research/disclosure only.

Downloads last month
8
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support