YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

PoC: mllm ParameterFile V2 β€” Heap OOB WRITE β†’ vtable Corruption β†’ RIP Redirect

Vulnerability

In ParameterFile.cpp V2 non-mmap path, file.read(ptr, parameter_size) reads parameter_size bytes into a buffer sized by tensor.bytes(). These are independent file-controlled values. The check parameter_size >= tensor.bytes() is AFTER the read AND has the wrong direction (passes when overflow occurs).

Exploitation Chain (strongest ACE candidate)

In the real code loop, each iteration allocates:

  1. TensorStorage (has vtable pointer at offset 0)
  2. Data buffer (overflow target)
  3. file.read(data_buffer, parameter_size) β†’ OVERFLOW

The next iteration's TensorStorage (with vtable) is a credible heap neighbor. Overflow corrupts the vtable pointer β†’ virtual destructor call β†’ RIP redirect.

Proof

next_storage vtable: 0x12dc0030 ← OVERWRITTEN (points into attacker's data!)
Calling next_storage->~TensorStorage() through corrupted vtable...
Signal: 11, Faulting address: 0x12dc0030
[ACE CONFIRMED] RIP redirected into attacker's data buffer!
[ACE CONFIRMED] vtable was corrupted by heap OOB WRITE.

Reproduction

clang++ -g -O0 -std=c++17 -o poc poc_mllm_ace.cpp && ./poc

Suggested Fix

// ParameterFile.cpp, before file.read:
if (param_desc.parameter_size > tensor.bytes()) {
    throw std::runtime_error("parameter_size exceeds tensor allocation");
}
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support