| tags: [security, poc, vulnerability-disclosure] | |
| # ExecuTorch `.pte` model-file vulnerability PoC (huntr MFV disclosure) | |
| Authorized security-research PoC for two model-file parsing bugs in `pytorch/executorch` | |
| (<= 1.3.1, main @ c9688e9). Both are crafted `.pte` files that a victim loading the model | |
| processes with no interaction / no auth. | |
| - `malicious_xnnpack_scale_oob.pte` — XNNPACK PerChannelQuant scale-buffer length not | |
| checked vs channel count (CWE-125 OOB read). Tensor declares 128 channels but supplies 1 | |
| scale; ExecuTorch accepts it (the sibling PerChannelGroupQuant path rejects the mismatch) | |
| and XNNPACK reads dims[channel_dim]=128 scales from a 1-element buffer at delegate init. | |
| Ref: backends/xnnpack/runtime/XNNCompiler.cpp:519-548 (sibling guard at :596). | |
| - `malicious_compute_numel.pte` — `compute_numel` unchecked integer overflow (CWE-190). | |
| Tensor sizes [2147483647,2147483647,4]; nbytes() = 18446744004990074896 (int64 overflow) | |
| -> model load fails (DoS). Ref: runtime/core/portable_type/tensor_impl.cpp:42 | |
| (sibling safe_numel:64 uses c10::mul_overflows). | |
| Repro: `pip install executorch==1.3.1 torch==2.12.0` then load each file with | |
| `executorch.extension.pybindings.portable_lib._load_for_executorch_from_buffer`. | |
| For research/disclosure only. | |