llama.cpp GGUF invalid metadata type UBSan PoC

Summary

A malformed GGUF v3 file containing a key-value metadata entry with an invalid type value (0x7fffffff) triggers UndefinedBehaviorSanitizer in llama.cpp's GGUF parser.

The issue occurs in the core GGUF parsing path (gguf_init_from_file_ptr) before the invalid metadata type is rejected. The same input reaches the normal model loading path through llama-cli, not only the llama-gguf example utility.

Affected component

  • Project: llama.cpp
  • Format: GGUF
  • Parser path: gguf_init_from_file_ptr
  • File: ggml/src/gguf.cpp
  • Sanitizer finding: invalid enum value loaded as gguf_type

PoC file

  • invalid_kv_type_0x7fffffff.gguf
  • Size: 48 bytes
  • Behavior: GGUF v3 header, n_tensors=0, n_kv=1, key general.name, metadata type 0x7fffffff

Reproduction

Build llama.cpp with ASan/UBSan, then run:

ASAN_OPTIONS="abort_on_error=1:detect_leaks=0:symbolize=1" \
UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" \
./build-asan/bin/llama-gguf invalid_kv_type_0x7fffffff.gguf r n

Also reproducible through the model loading path:

ASAN_OPTIONS="abort_on_error=1:detect_leaks=0:symbolize=1" \
UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" \
./build-asan/bin/llama-cli -m invalid_kv_type_0x7fffffff.gguf -p test -n 1

Expected sanitizer signal:

runtime error: load of value 2147483647, which is not a valid value for type 'gguf_type'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ggml/src/gguf.cpp

Normal build behavior

A non-sanitized build rejects the file cleanly with:

key 'general.name' has invalid GGUF type 2147483647
failed to read key-value pairs

Impact

This demonstrates undefined behavior in the GGUF parser when reading an invalid metadata type value from an untrusted GGUF file. In sanitized builds, loading the crafted file aborts the process. The PoC is local-only and contains no executable payload.
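
The safe ordering for this field, as an added standalone sketch (not llama.cpp's code and not the repository's generate_poc.py): the metadata type is read as a raw 32-bit integer and range-checked before it is ever stored in an enum object. The names kv_type, Status, rd, first_kv_type and sample are hypothetical, and the sample bytes are constructed from the layout listed under "PoC file".

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Local stand-in for the 13 GGUF metadata value types (0..12); not ggml's own header.
enum kv_type { KV_UINT8 = 0, KV_STRING = 8, KV_ARRAY = 9, KV_FLOAT64 = 12, KV_TYPE_COUNT = 13 };
enum class Status { OK, NO_KV, TRUNCATED, BAD_MAGIC, BAD_TYPE };

// Bounds-checked copy of one fixed-size field; assumes a little-endian host.
template <typename T>
static bool rd(const std::vector<uint8_t> & b, size_t & pos, T & out) {
    if (pos > b.size() || b.size() - pos < sizeof(T)) return false;
    std::memcpy(&out, b.data() + pos, sizeof(T));
    pos += sizeof(T);
    return true;
}

// Parses the header, then the first KV entry's key and type.
Status first_kv_type(const std::vector<uint8_t> & b, std::string & key, kv_type & type) {
    size_t pos = 0;
    uint32_t magic, version;
    uint64_t n_tensors, n_kv, key_len;
    int32_t raw;  // the type stays a plain integer until it has been range-checked
    if (!rd(b, pos, magic)) return Status::TRUNCATED;
    if (std::memcmp(&magic, "GGUF", 4) != 0) return Status::BAD_MAGIC;
    if (!rd(b, pos, version) || !rd(b, pos, n_tensors) || !rd(b, pos, n_kv)) return Status::TRUNCATED;
    if (n_kv == 0) return Status::NO_KV;
    if (!rd(b, pos, key_len) || b.size() - pos < key_len) return Status::TRUNCATED;
    key.assign(reinterpret_cast<const char *>(b.data() + pos), key_len);
    pos += key_len;
    if (!rd(b, pos, raw)) return Status::TRUNCATED;
    if (raw < 0 || raw >= KV_TYPE_COUNT) return Status::BAD_TYPE;  // reject before converting
    type = static_cast<kv_type>(raw);  // only in-range values ever become a kv_type
    return Status::OK;
}

// Constructed sample with the page's layout: v3, n_tensors=0, n_kv=1, key general.name.
std::vector<uint8_t> sample(int32_t raw_type) {
    std::vector<uint8_t> b = {'G', 'G', 'U', 'F', 3, 0, 0, 0};
    b.resize(32, 0);  // n_tensors = 0; n_kv and key length are filled in below
    b[16] = 1;        // n_kv = 1
    b[24] = 12;       // length of "general.name"
    for (char c : std::string("general.name")) b.push_back(static_cast<uint8_t>(c));
    for (int i = 0; i < 4; i++) b.push_back(static_cast<uint8_t>(static_cast<uint32_t>(raw_type) >> (8 * i)));
    return b;
}
```
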

Files included

  • invalid_kv_type_0x7fffffff.gguf - malformed GGUF PoC
  • generate_poc.py - script to recreate the PoC file
  • reproduce.sh - reproduction helper
  • reports/repro_llama_gguf_asan.txt - sanitizer output from llama-gguf
  • reports/repro_llama_cli_asan.txt - sanitizer output from llama-cli model-load path
  • reports/repro_llama_gguf_normal.txt - normal build behavior
  • reports/hexdump.txt - hex dump of PoC file
  • sha256.txt - file hash
  • llama_cpp_commit.txt - tested commit
  • git_status.txt - local worktree status