TorchScript v1.4 JIT Unpickler Native DoS PoC
This is a benign proof of concept for a TorchScript v1.4 load-time native denial of service.
The artifact artifacts/underflow_appends.pt is a minimal TorchScript ZIP archive with a malformed constants.pkl payload:
80 02 5d 65 2e
PROTO 2, EMPTY_LIST, APPENDS, STOP
In PyTorch 1.4.0, torch.jit.load() reaches the JIT unpickler and crashes natively on this malformed pickle opcode sequence. Current PyTorch versions tested locally return clean parser errors instead, so this report is specifically scoped to TorchScript v1.4.
Reproduction
Use a Python environment with PyTorch 1.4.0 installed:
python verify_torchscript_v14_dos.py --python /path/to/python-with-torch-1.4.0
Expected output includes a native-crash return code:
{
"returncode": -11,
"native_crash": true
}
Depending on the shell/platform, SIGSEGV may also appear as exit code 139; SIGABRT variants appear as 134.
Impact
An attacker-controlled TorchScript v1.4 model file can crash a process that calls torch.jit.load() on the artifact. This is a model-file-carried denial of service. It is not arbitrary code execution and no controlled memory-corruption primitive is claimed.
Severity estimate: Medium if TorchScript v1.4 is in scope; lower if only current PyTorch versions are accepted, since those return clean parser errors.
Evidence
Included evidence:
evidence/torch_1_4_matrix.txt: PyTorch 1.4.0 crash matrix for malformed constants.pkl variants.
evidence/current_torch_2_8_matrix_nomemlimit.txt: current-version comparison showing clean parser errors.
evidence/modelscan_0_8_8_underflow_appends.json: ModelScan 0.8.8 output, zero issues while scanning ts/constants.pkl.
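Since ModelScan reports zero issues on the archive, a defender who must accept v1.4 models can add a static pre-load check that rejects pickle streams whose opcode sequence underflows the stack, such as APPENDS with no MARK. The following script is an added example and not part of this PoC repository; it uses pickletools' stack simulation only, never unpickles, and never calls torch.jit.load(). The ZIP layout (a single ts/constants.pkl member) is an assumption about the artifact.

```python
"""Static pre-load check for TorchScript archives: run every *.pkl member
through pickletools' stack simulation and refuse archives whose opcode
stream is structurally unsound. No objects are ever built."""
import io
import pickle
import pickletools
import zipfile
from typing import Dict, Optional


def check_pickle_stream(data: bytes) -> Optional[str]:
    """Return None if the opcode stream is sound, else pickletools' reason."""
    try:
        # dis() emulates the pickle VM stack and raises ValueError on
        # underflow or a missing MARK; disassembly text goes to a scratch buffer.
        pickletools.dis(data, out=io.StringIO())
    except ValueError as exc:
        return str(exc)
    return None


def scan_torchscript_archive(blob: bytes) -> Dict[str, Optional[str]]:
    """Map each *.pkl member of a TorchScript ZIP to None (ok) or a reason."""
    results: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):
                results[name] = check_pickle_stream(zf.read(name))
    return results


def build_archive(constants: bytes) -> bytes:
    """Constructed sample: minimal ZIP with one constants.pkl member
    (assumed layout, mirroring artifacts/underflow_appends.pt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ts/constants.pkl", constants)
    return buf.getvalue()


# Opcode sequence quoted in this report: PROTO 2, EMPTY_LIST, APPENDS, STOP.
MALFORMED = bytes.fromhex("80025d652e")
# Well-formed protocol-2 pickle of an empty list, for comparison.
BENIGN = pickle.dumps([], protocol=2)

if __name__ == "__main__":
    for label, payload in (("malformed", MALFORMED), ("benign", BENIGN)):
        print(label, scan_torchscript_archive(build_archive(payload)))
```

Run the check before handing an archive to torch.jit.load() and reject it if any member maps to a non-None reason.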
Hashes
bd34cabfd35feb96ced8a63489c5899aa9b17c000ce552406519998d5d3855f1 artifacts/underflow_appends.pt
Limitation
This is intentionally version-scoped. It should be submitted only to programs that accept TorchScript v1.4 or old-version model-format DoS findings.