Skip to content

Fix path traversal in xir_util dump_bin (CWE-22)#3

Draft
xingy16-amd wants to merge 1 commit into
amd:mainfrom
xingy16-amd:fix-path-traversal-github
Draft

Fix path traversal in xir_util dump_bin (CWE-22)#3
xingy16-amd wants to merge 1 commit into
amd:mainfrom
xingy16-amd:fix-path-traversal-github

Conversation

@xingy16-amd

Copy link
Copy Markdown

Summary

  • dump_subgraph1() in tools/cmd_dump_code.cpp built output filenames by
    concatenating dirname with the subgraph name (sg->get_name()) and
    reg_id_to_parameter_value keys taken directly from the deserialized
    .xmodel protobuf, with no sanitization.
  • A crafted .xmodel whose subgraph name / reg_id contains ../ sequences
    (or an absolute path) makes xir_util dump_bin evil.xmodel ./out/ write
    attacker-controlled bytes outside ./out/ — arbitrary file write/overwrite
    (CWE-22).
  • Fix sanitizes the file component in mk_file_name() with one unified rule
    on every platform: replace path separators (/, \), the NTFS stream
    separator (:) and the characters Windows forbids (<>"|?*) with _, so
    every dumped file stays inside dirname. On Windows, reserved device names
    (CON, NUL, COM1..9, LPT1..9, ...) are additionally prefixed.
  • Subgraph names derived from framework op names legitimately contain /, so
    flattening (rather than rejecting) keeps valid models working.

Test plan

  • Build the tools and run xir_util dump_bin on a normal .xmodel;
    confirm .mc / .ac / .bin files are still produced under the output dir.
  • Run with an .xmodel whose subgraph name contains ../../tmp/evil and
    confirm the dumped file stays inside the output dir (separators flattened
    to _) instead of escaping it.

Made with Cursor

dump_subgraph1() built output file names by concatenating dirname with
the subgraph name and reg_id keys taken directly from the deserialized
.xmodel protobuf, without sanitization. A crafted .xmodel whose name /
reg_id contains "../" sequences (or an absolute path) could make
xir_util dump_bin write attacker-controlled data outside the intended
output directory, allowing arbitrary file overwrite.

Sanitize the file component in mk_file_name() with one unified rule on
every platform: replace path separators ('/', '\'), the NTFS stream
separator (':') and the characters Windows forbids (<>"|?*) with '_', so
every dumped file stays inside dirname. On Windows, reserved device names
(CON, NUL, COM1..9, LPT1..9, ...) are additionally prefixed.

Co-authored-by: Cursor <[email protected]>
@xingy16-amd xingy16-amd marked this pull request as draft June 8, 2026 06:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant