YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
PoC: mllm ParameterFile V2 β Heap OOB WRITE β vtable Corruption β RIP Redirect
Vulnerability
In ParameterFile.cpp V2 non-mmap path, file.read(ptr, parameter_size) reads
parameter_size bytes into a buffer sized by tensor.bytes(). These are independent
file-controlled values. The check parameter_size >= tensor.bytes() is AFTER the
read AND has the wrong direction (passes when overflow occurs).
Exploitation Chain (strongest ACE candidate)
In the real code loop, each iteration allocates:
- TensorStorage (has vtable pointer at offset 0)
- Data buffer (overflow target)
- file.read(data_buffer, parameter_size) β OVERFLOW
The next iteration's TensorStorage (with vtable) is a credible heap neighbor. Overflow corrupts the vtable pointer β virtual destructor call β RIP redirect.
Proof
next_storage vtable: 0x12dc0030 β OVERWRITTEN (points into attacker's data!)
Calling next_storage->~TensorStorage() through corrupted vtable...
Signal: 11, Faulting address: 0x12dc0030
[ACE CONFIRMED] RIP redirected into attacker's data buffer!
[ACE CONFIRMED] vtable was corrupted by heap OOB WRITE.
Reproduction
clang++ -g -O0 -std=c++17 -o poc poc_mllm_ace.cpp && ./poc
Suggested Fix
// ParameterFile.cpp, before file.read:
if (param_desc.parameter_size > tensor.bytes()) {
throw std::runtime_error("parameter_size exceeds tensor allocation");
}
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support