Hugging Face's logo

01data-ai
/
gguf_py_f004_tensor_offset_aliasing

GGUF
llama-cpp
security
proof-of-concept
parser-divergence
model-integrity
huntr
protectai
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

GGUF-PY-F004 Tensor Offset Aliasing

Payload repository for Huntr / ProtectAI triage.

Finding

Parser Divergence: Python GGUFReader accepts non-sequential tensor offsets causing silent tensor data aliasing while native llama.cpp rejects the same GGUF.

Primary PoC Model

poc_GGUF-PY-F004_alias.gguf

Primary PoC SHA256

484eb1c0a3583b7af469d977d33fd4e39d6ae3b92897d1f6382454b9a7daf9de

Proof Script

prove_f004_live_repo.py

Confirmed Behavior

The crafted GGUF file contains two tensors:

  • tensor_a
  • tensor_b

Both tensors declare the same tensor data offset:

tensor_a: data_offset = 0
tensor_b: data_offset = 0

Python GGUFReader accepts the file and loads both tensor names, but both tensors read from the same underlying bytes.

Observed Python result:

tensor_a_actual = [1.100000023841858, 2.200000047683716, 3.299999952316284, 4.400000095367432]
tensor_b_actual = [1.100000023841858, 2.200000047683716, 3.299999952316284, 4.400000095367432]
tensor_b_expected = [5.5, 6.6, 7.7, 8.8]
alias_confirmed = True
tensor_b_wrong_data = True
MARKER_GGUF_PY_F004_ALIAS_CONFIRMED_LIVE_REPO

Native llama-gguf rejects the same file:

gguf_init_from_file_ptr: tensor 'tensor_b' has offset 0, expected 32
gguf_init_from_file_ptr: failed to read tensor data
EXIT_CODE=134
Impact

This demonstrates a parser divergence and model-file data integrity failure.

A Python-based GGUF scanner, converter, validator, or ingestion pipeline using GGUFReader can accept a malformed GGUF file that native llama.cpp rejects, while silently mapping one tensor name to another tensor's data.

This is not a code execution claim. The confirmed impact is silent tensor data aliasing / model integrity failure in Python GGUF processing.

Key Evidence Files
PYTHON/PYTHON_LIVE_REPO_OUTPUT.txt
NATIVE/NATIVE_LIVE_REPO_OUTPUT.txt
RAW_OUTPUT/final_repro_output.txt
RAW_OUTPUT/key_markers.txt
SOURCE/gguf_reader_tensor_offset_excerpt.txt
SOURCE/gguf_cpp_tensor_offset_validation_excerpt.txt
SOURCE/live_repo_status_and_diff_check.txt
ENVIRONMENT/ENVIRONMENT.txt
ENVIRONMENT/ENVIRONMENT_LIVE_REPO_CONFIRMED.txt
SHA256SUMS.txt
Scope

Confirmed against:

Repository: ggerganov/llama.cpp
Commit: a290ce626663dae1d54f70bce3ca6d8f67aab62f
Native version: 9046 (a290ce626)
Python component: gguf-py/gguf/gguf_reader.py
Affected function: GGUFReader._build_tensors()
Downloads last month
-
GGUF
Model size
8 params
Architecture
Hardware compatibility
Log In to add your hardware

We're not able to determine the quantization variants.

View all variants
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support