YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

PoC: MegEngine β€” load_tensor_layout Stack OOB WRITE β†’ RIP Redirect

Vulnerability

In serializer_oss.cpp, load_tensor_layout() copies shape dimensions from a flatbuffer model into a stack-allocated TensorLayout with fixed shape[MAX_NDIM=7]. The number of dimensions n comes from the file with NO check against MAX_NDIM.

Stack Layout (overflow path)

shape[0..6]  β†’ valid (56 bytes)
shape[7]     β†’ overwrites ndim (controlled)
shape[8..14] β†’ overwrites stride[] (controlled)
shape[15]    β†’ overwrites dtype (DTypeTrait* pointer β†’ controlled!)
shape[16]    β†’ overwrites format (ImplBase* pointer β†’ controlled!)
shape[17+]   β†’ overwrites stack canary, saved RBP, return address

Proof

callback = 0xe920030 ← OVERFLOW-WRITTEN
canary1  = 0xe920030 ← OVERFLOW-WRITTEN
[EXPLOITED] Victim corrupted by MegEngine overflow!
Calling victim->callback() with OVERFLOW-WRITTEN pointer...
[ACE CONFIRMED] RIP redirected into attacker-controlled data!

Note: Real exploitation must bypass stack canary. Corrupted dtype/format pointers are dereferenced before function return, providing a potential canary-bypass path.

Reproduction

clang++ -g -O0 -std=c++17 -o poc poc_megengine_ace.cpp && ./poc

Suggested Fix

// serializer_oss.cpp, before line 619:
if (n > MAX_NDIM) throw MegBrainError("shape ndim exceeds MAX_NDIM");
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support