metadata
tags:
- security
- poc
- vulnerability-disclosure
ExecuTorch .pte model-file vulnerability PoC (huntr MFV disclosure)
Authorized security-research PoC for two model-file parsing bugs in pytorch/executorch
(<= 1.3.1, main @ c9688e9). Both are crafted .pte files that a victim loading the model
processes with no interaction / no auth.
malicious_xnnpack_scale_oob.pte— XNNPACK PerChannelQuant scale-buffer length not checked vs channel count (CWE-125 OOB read). Tensor declares 128 channels but supplies 1 scale; ExecuTorch accepts it (the sibling PerChannelGroupQuant path rejects the mismatch) and XNNPACK reads dims[channel_dim]=128 scales from a 1-element buffer at delegate init. Ref: backends/xnnpack/runtime/XNNCompiler.cpp:519-548 (sibling guard at :596).malicious_compute_numel.pte—compute_numelunchecked integer overflow (CWE-190). Tensor sizes [2147483647,2147483647,4]; nbytes() = 18446744004990074896 (int64 overflow) -> model load fails (DoS). Ref: runtime/core/portable_type/tensor_impl.cpp:42 (sibling safe_numel:64 uses c10::mul_overflows).
Repro: pip install executorch==1.3.1 torch==2.12.0 then load each file with
executorch.extension.pybindings.portable_lib._load_for_executorch_from_buffer.
For research/disclosure only.