# MLX GGUF quantized-tensor out-of-bounds read (proof of concept)

This repository hosts a crafted GGUF model file that triggers an out-of-bounds read in
**Apple MLX** (`mlx` Python package) when the file is loaded with the standard
`mlx.core.load()` API. The repo is gated; it is a security proof of concept, not a usable model.

## Summary

`mlx.core.load("x.gguf")` parses GGUF tensors through MLX's C++ loader. For quantized
tensor types (`Q8_0`, `Q4_0`, `Q4_1`) it calls `gguf_load_quantized`, which dequantizes the
data in `extract_q8_0_data` / `extract_q4_0_data` / `extract_q4_1_data`
(`mlx/io/gguf_quants.cpp`). Those loops iterate over the block count derived from the tensor's
**file-declared shape** and read `bytes_per_block` (34 for Q8_0) from the memory-mapped file for
each block, with no check that the declared shape's data actually fits in the file. A GGUF whose
declared quantized dimension is large while the real tensor-data section is tiny makes the loop
read far past the end of the mapping.

## Affected

* `mlx` 0.31.2 (current latest on PyPI) and current `main`.
* Verified on Linux x86_64 (`mlx[cpu]`), Python 3.13.

## Files

* `evil.gguf` - one `Q8_0` tensor declaring `dim[0] = 32,000,000` but carrying only 34 data bytes.
* `baseline.gguf` - identical structure with a well-formed single block; loads fine (control).
* `verify.py` - rebuilds both files and loads each in a child process, showing the differential.

## Reproduce

```
pip install "mlx[cpu]"
python verify.py
```

Expected:

```
  load baseline.gguf -> exit 0
  load evil.gguf     -> SIGSEGV
```

Precise attribution (valgrind):

```
valgrind python -c "import mlx.core as mx; mx.load('evil.gguf')"
# Invalid read of size 16 / of size 2
#   at mlx::core::extract_q8_0_data(...)
#   by mlx::core::gguf_load_quantized(...)
#   by mlx::core::load_arrays(...)
#   by mlx::core::load_gguf(...)
```

## Impact

Loading an untrusted `.gguf` with `mlx.core.load()` reads out-of-bounds heap/mmap memory into the
dequantized output arrays. A large declared dimension walks off the mapping and crashes the process
(denial of service at model-load time); a smaller over-declared dimension reads adjacent heap bytes
into caller-visible arrays (information disclosure). No flags or non-default options are required.

## Fix

In `gguf_load_quantized` (or `gguf_get_tensor` in the vendored gguflib), validate that the tensor's
declared element/block count implies a byte size that fits within `offset .. file_size` before the
extractor loops run.