wonbrand's picture
Upload README.md with huggingface_hub
9c6abe5 verified
|
Raw
History Blame Contribute Delete
1.3 kB
---
tags: [security, poc, vulnerability-disclosure]
---
# ExecuTorch `.pte` model-file vulnerability PoC (huntr MFV disclosure)
Authorized security-research PoC for two model-file parsing bugs in `pytorch/executorch`
(<= 1.3.1, main @ c9688e9). Both are crafted `.pte` files that a victim loading the model
processes with no interaction / no auth.
- `malicious_xnnpack_scale_oob.pte` — XNNPACK PerChannelQuant scale-buffer length not
checked vs channel count (CWE-125 OOB read). Tensor declares 128 channels but supplies 1
scale; ExecuTorch accepts it (the sibling PerChannelGroupQuant path rejects the mismatch)
and XNNPACK reads dims[channel_dim]=128 scales from a 1-element buffer at delegate init.
Ref: backends/xnnpack/runtime/XNNCompiler.cpp:519-548 (sibling guard at :596).
- `malicious_compute_numel.pte` — `compute_numel` unchecked integer overflow (CWE-190).
Tensor sizes [2147483647,2147483647,4]; nbytes() = 18446744004990074896 (int64 overflow)
-> model load fails (DoS). Ref: runtime/core/portable_type/tensor_impl.cpp:42
(sibling safe_numel:64 uses c10::mul_overflows).
Repro: `pip install executorch==1.3.1 torch==2.12.0` then load each file with
`executorch.extension.pybindings.portable_lib._load_for_executorch_from_buffer`.
For research/disclosure only.