YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

BUG11 โ€” ExecuTorch allocateList nullptr write (null deref crash)

Missing nullptr check after allocateList<EValue*>() in Method::parse_values (runtime/executor/method.cpp:514-532) causes SIGSEGV when loading a crafted .pte model with a large IntList that exhausts the method allocator.

  • Repo: https://github.com/pytorch/executorch
  • Latest commit tested: 968fff9821f9cf8ebe9dc547ee454f2bb2c51a87 (origin/main)
  • Pinned comparison: f3b66dccdef22d6c6d35bbfe76a3afaf433dddb2 (code identical)
  • Vulnerable code: runtime/executor/method.cpp:514-532
  • Severity: Medium (null pointer write / DoS, CWE-476)

Reproduce

python3 generate_poc_bug11.py    # writes poc_bug11.pte (~400KB, 50K IntList)
# build executorch_core, compile bug11_harness with 32KB method allocator
./bug11_harness poc_bug11.pte    # -> SIGSEGV (exit 139)

Result

SIGSEGV at method.cpp:532: evalp_list[j] = &values_[...]; (evalp_list = 0x0)

PoC SHA256: fbca918f2e4b7c297840c93ca0c29ddb9db2a712f9af1447218ffa0f09b0be7f

Downloads last month
5
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support