CVE-2024-23496: Heap-Based Buffer Overflow Vulnerability in GGUF Library llama.cpp

A heap-based buffer overflow vulnerability (CVE-2024-23496) has been discovered in the "GGUF" library. The vulnerability exists in the gguf_fread_str function within the llama.cpp file (commit 18c2e17). This flaw can potentially lead to code execution, allowing attackers to compromise the targeted system. An attacker can exploit this vulnerability by providing a specially crafted ".gguf" file to the affected software.

Below is the code snippet of the vulnerable function gguf_fread_str in the llama.cpp file

size_t gguf_fread_str(FILE* f, char* buf, size_t buf_size) {
  size_t count = ;
  int c;
  
  while ((c = fgetc(f)) != EOF) {
    if (count < buf_size - 1) {
      buf[count++] = (char)c;
    } else {
      break;
    }
  }
  
  buf[count] = '\';
  return count;
}

Exploit Details

The gguf_fread_str function reads a string from a file into a provided buffer, ensuring that the buffer does not overflow. However, the size of the buffer is not properly validated. If the string in the ".gguf" file is larger than the allocated buffer size, a heap-based buffer overflow occurs. This can lead to memory corruption and potentially allow an attacker to execute malicious code.

The attacker can exploit this vulnerability by crafting a ".gguf" file with a large string value that exceeds the buffer size, and then providing this malicious file to the target application. If the application processes the file using the vulnerable function, it can lead to the described heap-based buffer overflow.

Mitigation

Developers can mitigate the vulnerability by properly validating the size of the buffer in the gguf_fread_str function. They can use fread or a similar function to safely read the string from the file without causing a buffer overflow.

Example of a safer implementation

size_t gguf_fread_str(FILE* f, char* buf, size_t buf_size) {
  size_t count = fread(buf, 1, buf_size - 1, f);
  buf[count] = '\';
  return count;
}

This safer implementation ensures that the buffer does not overflow by limiting the number of read characters.

Original References

1. Commit 18c2e17 (GitHub)
2. CVE-2024-23496 Details (National Vulnerability Database)

Conclusion

CVE-2024-23496 is a critical vulnerability in the GGUF library and should be addressed promptly to prevent potential exploitation. Developers should validate buffer sizes during string handling to avoid memory corruption and potential code execution vulnerabilities like this one. Regularly updating software to include the latest security updates is a crucial step in maintaining secure systems.

Timeline

Published on: 02/26/2024 16:27:56 UTC
Last modified on: 02/26/2024 18:15:07 UTC