SECURITY RESEARCH POC -- ExecuTorch .ptd integer overflow
This repository contains a proof-of-concept malicious .ptd payload for a responsible-disclosure bug bounty submission filed at huntr.com under the Model File Formats program.
The PoC demonstrates an integer-overflow primitive in FlatTensorDataMap::load():
extension/flat_tensor/flat_tensor_data_map.cpp:224-- uncheckedu64 + u64 -> size_ttruncation on attacker-controlled header fieldsextension/flat_tensor/flat_tensor_data_map.cpp:236-- same primitive used as the LOAD LENGTH, never bounds-checked- Sibling code in
runtime/executor/program.cpp:104-109usesc10::add_overflowscorrectly -- proof the project knows the right pattern and missed copies in the extension
PR #19057 ("Fix overflows in et", Apr 24 2026, commit ec5e8e4) hardened the get_named_data path of the same file but did NOT touch lines 224/236. Static missed-copy with confirmed-attention bug-surface anchor.
Files
| File | Purpose |
|---|---|
malicious.ptd |
256-byte byte-exact PoC. Two header fields are crafted to wrap on u64 + u64 -> size_t. Inspect with xxd malicious.ptd. |
craft_malicious_ptd.py |
Static crafter -- reproduces malicious.ptd from scratch. No ExecuTorch build needed. |
verify_unpatched.py |
One-command reviewer-side verifier. Fetches the live extension/flat_tensor/flat_tensor_data_map.cpp from pytorch/executorch main HEAD and confirms 7 unguarded u64+u64 sites still present alongside 1 correctly-guarded c10::add_overflows. Runs in <5 seconds. |
Verification (no ExecuTorch build required)
pip install urllib3
python verify_unpatched.py
Expected output (verbatim):
[BUG CONFIRMED] The file uses c10::add_overflows correctly elsewhere
(1 call sites) but has 7 unguarded u64+u64 additions
on attacker-controlled header fields. This is the
missed-copy of the Aug 2025 CVE-2025-30402/30404/30405
remediation pattern, in a code path that PR #19057
(Apr 24 2026) added overflow guards to OTHER parts of.
Inspect the malicious file:
xxd malicious.ptd | head -5
Shows the wraparound-mate header values:
00000000: 0000 0000 0000 0000 4648 3031 2800 0000 ........FH01(...
00000010: 4000 0000 0000 0000 00ff ffff ffff ffff @...............
00000020: ffff ffff 0000 0000 4100 0000 0100 0000 ........A.......
(Note: bytes shown are little-endian; flatbuffer_size = 0xFFFF_FFFF_FFFF_FF00 and segment_data_size = 0x0000_0001_0000_0041.)
Runtime PoC (ExecuTorch build required)
To trigger the OOB read at runtime:
git clone https://github.com/pytorch/executorch.git
cd executorch && ./install_executorch.sh
# Build the runtime + ASan, then point any FlatTensorDataMap::load() consumer at this file.
Under ASan, the load produces a clean heap-buffer-overflow report. Without ASan, the result depends on the data loader:
BufferDataLoader-> OOB read into adjacent heap allocationsMmapDataLoader-> OOB read into adjacent VMA pages
On 32-bit ARM (ExecuTorch's primary deployment target -- mobile / embedded / Cortex-M), size_t is 32-bit and both header arithmetic sites overflow silently -- direct heap-corruption-grade primitive.
Affected component
- ExecuTorch (
pytorch/executorch) -- currentmainHEAD, post-commit1c9c115. Pre-patch. - File:
extension/flat_tensor/flat_tensor_data_map.cpplines 224 and 236. - Same bug class also unhardened:
runtime/executor/pte_data_map.cpp:57-60(out of scope for this report).
Disclosure status
This PoC is part of a responsible-disclosure submission filed via huntr's Model File Formats bug bounty program. After triage and remediation, this repository will be marked private or deleted.
Disclaimer
This repository is intended for security research and responsible disclosure only. Do not use the techniques shown here on systems you do not own or have permission to test.
Contact
Security researcher: kais113 (amakais.sales@gmail.com)