security: replace dill.load() with SafeUnpickler allowlist in mmv/utils/checkpoint.py#716
Open
brodmart wants to merge 1 commit into
Conversation
dill.load() is equivalent to pickle.load() and executes arbitrary Python code in any loaded checkpoint file. A malicious or compromised checkpoint at --checkpoint_path will achieve full RCE on the loading host. Replace with _SafeUnpickler, a stdlib-pickle subclass that restricts find_class() to only the types present in MMV params/state dicts (nested dicts of numpy arrays). No dill dependency needed.
Dooray! Mail delivery failure notice

The mail sent to ***@***.***) could not be delivered. Please check the reason for the failure.

* Recipient: ***@***.***)
* Sent at: 2026-05-01T02:47:04
* Subject: [google-deepmind/deepmind-research] security: replace dill.load() with SafeUnpickler allowlist in mmv/utils/checkpoint.py (PR #716)
* Failure reason: The recipient is currently restricting incoming mail. This setting was applied by the personal or organizational mail reception policy.

This mail is send-only and cannot be replied to. For further questions, please contact ***@***.***.

© Dooray!.
Summary
mmv/utils/checkpoint.py:24 calls dill.load() on an attacker-controlled file path (--checkpoint_path flag). dill is a superset of pickle and executes arbitrary Python bytecode during deserialization — a malicious checkpoint achieves full RCE on the loading host with no further prerequisites.

Fix

Replace dill.load() with _SafeUnpickler, a stdlib pickle.Unpickler subclass that overrides find_class() with an explicit allowlist. Only types actually present in MMV parameter/state dicts are permitted:

* numpy.ndarray, numpy.dtype, numpy scalar/reconstruct helpers
* builtins: dict, list, tuple, str, int, float, bool, bytes

Any type outside the allowlist raises pickle.UnpicklingError before instantiation.

This also removes the dill dependency from the mmv module entirely.

Impact

CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H — 7.8 HIGH

A user who runs eval_ucf101.py --checkpoint_path <attacker-controlled-path> loads and executes the malicious payload. Typical in shared compute environments (university clusters, cloud notebooks) where checkpoint files are shared between users.

Testing

The allowlist covers all types written by the original MMV checkpoint-saving code. If any additional numpy or JAX types are encountered, extend _SafeUnpickler._ALLOWED accordingly — the error message names the blocked module.class for easy diagnosis.
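The find_class() allowlist approach described above, written out as an added example that is not the PR's own code: the SafeUnpickler, safe_load and demo names and the exact allowlist entries (including the numpy 1.x and 2.x module paths) are assumptions, and the checkpoint dict is constructed for the demo. It shows a nested dict of numpy arrays round-tripping while a pickle that names any global outside the allowlist is rejected before anything is constructed.

```python
import collections
import io
import pickle

import numpy as np

# Added example, not the PR's code. The allowlist is an assumption modelled on
# the PR description: numpy's array/dtype classes, numpy's pickle helpers under
# the module paths numpy 1.x and 2.x use, and a few builtins.
_ALLOWED = (
    {("numpy", "ndarray"), ("numpy", "dtype")}
    | {(mod, fn) for fn in ("_reconstruct", "scalar")
       for mod in ("numpy.core.multiarray", "numpy._core.multiarray",
                   "numpy.core._multiarray_umath", "numpy._core._multiarray_umath")}
    | {("builtins", t) for t in
       ("dict", "list", "tuple", "str", "int", "float", "bool", "bytes")}
)


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (hypothetical name)."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode is resolved here before any object
        # is built, so rejecting here blocks the reference itself.
        if (module, name) not in _ALLOWED:
            raise pickle.UnpicklingError(
                f"blocked global {module}.{name}: not in checkpoint allowlist")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Deserialize checkpoint bytes through the allowlisting unpickler."""
    return SafeUnpickler(io.BytesIO(data)).load()


def demo():
    # Constructed sample in the nested-dict-of-arrays shape of an MMV params dict.
    params = {"conv": {"w": np.arange(6, dtype=np.float32).reshape(2, 3),
                       "b": np.zeros(3)}, "step": 7}
    # Protocol 4 (the default on Python 3.8+) routes ndarrays via _reconstruct.
    loaded = safe_load(pickle.dumps(params, protocol=4))
    benign_ok = (np.array_equal(loaded["conv"]["w"], params["conv"]["w"])
                 and loaded["step"] == 7)
    # A pickle naming any global outside the allowlist is rejected before
    # construction; OrderedDict is a harmless stand-in for an unexpected class.
    try:
        safe_load(pickle.dumps(collections.OrderedDict(), protocol=4))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return benign_ok, blocked
```

Any numpy or JAX type the real checkpoint writer emits that is missing from the set surfaces as an UnpicklingError naming the module and class, which is the diagnostic the PR's Testing note relies on.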