Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,34 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# TensorRT Plugin Deserialization OOB Read PoC
|
| 2 |
+
|
| 3 |
+
## Vulnerability
|
| 4 |
+
|
| 5 |
+
Out-of-bounds memory access in TensorRT plugin deserialization due to:
|
| 6 |
+
1. **`read<T>()` in `plugin.h:100-108`** — Zero bounds checking on the primary deserialization primitive used by 30+ plugins
|
| 7 |
+
2. **`serialize.hpp` assert-only checks** — `assert()` is compiled out in release builds (`NDEBUG`), leaving zero bounds checking in production
|
| 8 |
+
|
| 9 |
+
## Files
|
| 10 |
+
|
| 11 |
+
- `poc_tensorrt_serialize.cpp` — Standalone PoC extracting vulnerable code from TensorRT source
|
| 12 |
+
|
| 13 |
+
## Reproduction
|
| 14 |
+
|
| 15 |
+
```bash
|
| 16 |
+
# Build in release mode (NDEBUG — matching production TensorRT):
|
| 17 |
+
g++ -fsanitize=address -g -DNDEBUG -std=c++17 -o poc_release poc_tensorrt_serialize.cpp
|
| 18 |
+
|
| 19 |
+
# Run:
|
| 20 |
+
./poc_release
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
## Expected ASAN Output
|
| 24 |
+
|
| 25 |
+
```
|
| 26 |
+
==PID==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x...
|
| 27 |
+
READ of size 4 at 0x... thread T0
|
| 28 |
+
#0 in int read<int, char>(char const*&) poc_tensorrt_serialize.cpp:171
|
| 29 |
+
#1 in poc_read_oob() poc_tensorrt_serialize.cpp:213
|
| 30 |
+
```
|
| 31 |
+
|
| 32 |
+
## Tested On
|
| 33 |
+
|
| 34 |
+
TensorRT latest commit from default branch (2026-02-27)
|