TensorRT EyeLike heap OOB write — proof-of-concept
PoC artifacts for a heap out-of-bounds write in NVIDIA nvonnxparser's
EyeLike ONNX op importer (onnx-tensorrt/parsers/onnx/onnxOpImporters.cpp:2359).
CVE class: CWE-190 (integer overflow) → CWE-787 (out-of-bounds write).
CVSS 3.1: 8.1 High (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).
Verified on: TensorRT 10.16.1 (Google Colab T4, CUDA 12.4).
Files
| File | Bytes | sha256 (head) | Purpose |
|---|---|---|---|
| eyelike_oob_input.onnx | 136 | 03b2e56e… | Crafted PoC: 1-node EyeLike op, input shape (65537, 65537) |
| crash_python.log | 1480 | 442d9373… | faulthandler SIGSEGV trace from nvonnxparser.OnnxParser.parse() |
| crash_gdb.log | 55966 | 9bff57b3… | gdb -batch SIGSEGV with full memory map |
| crash_polygraphy.log | 48 | 31cd64bc… | polygraphy run --trt SIGSEGV (third independent witness) |
| crash_gdb_symbolicated.log | 10044 | fbf52f34… | Offline symbolication via NVIDIA wheel — fault instruction located |
| run_python_repro.py | 577 | 09dff394… | Minimal Python script invoking the parser |
| gdb_cmds.txt | 244 | c17d2dfa… | gdb batch commands |
Reproduction (Colab T4)
pip install -q tensorrt==10.16.1 onnx polygraphy
python run_python_repro.py # SIGSEGV
gdb -batch -x gdb_cmds.txt python # SIGSEGV with frame dump
polygraphy run eyelike_oob_input.onnx --trt # SIGSEGV
Root cause (one line)
int totalWeights = dims.d[0] * dims.d[1]; — int64×int64 product narrowed to
int32 silently, vector sized to truncated value, write loop uses original
int64 dimensions → first OOB write at r=2, c=0 past vector end.
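The narrowing described above, next to a hardened size computation, as an added example (not one of the PoC artifacts and not onnx-tensorrt code). `Dims2` is an assumed stand-in for the parser's dims struct; the int64 per-dimension type follows TensorRT 10's Dims, which is an assumption here.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Assumed stand-in for the parser's dims: int64 per dimension, as in TensorRT 10.
struct Dims2 { int64_t d[2]; };

// The narrowing in the root-cause line: the int64 product is stored into an
// int, so only the low 32 bits survive (modular wrap on GCC/Clang).
int truncatedTotalWeights(const Dims2& dims) {
    int totalWeights = static_cast<int>(dims.d[0] * dims.d[1]);
    return totalWeights;
}

// Number of elements a row-major write loop over the original int64
// dimensions visits, computed without narrowing.
int64_t loopElementCount(const Dims2& dims) {
    return dims.d[0] * dims.d[1];
}

// Hardened sizing: reject negative dims, an int64 overflow, or a product that
// would not survive the int the allocation is sized with. Returns true and
// sets `total` only when the buffer can hold every element the loop writes.
bool checkedTotalWeights(const Dims2& dims, int64_t& total) {
    const int64_t rows = dims.d[0], cols = dims.d[1];
    if (rows < 0 || cols < 0) return false;
    if (rows != 0 && cols > std::numeric_limits<int64_t>::max() / rows) return false;
    total = rows * cols;
    return total <= std::numeric_limits<int32_t>::max();
}

int main() {
    const Dims2 poc{{65537, 65537}};  // constructed: the shape from eyelike_oob_input.onnx
    int64_t total = 0;
    std::cout << "buffer elements (truncated): " << truncatedTotalWeights(poc) << '\n'
              << "elements the loop writes:    " << loopElementCount(poc) << '\n'
              << "checked sizing accepts:      " << std::boolalpha
              << checkedTotalWeights(poc, total) << '\n';
    return 0;
}
```

For the PoC shape the truncated buffer holds 131073 elements while the loop covers 4295098369, and the checked version refuses the shape outright.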
Disclosure
Submitted to the huntr.com Model File Format Bounty Program (target=onnx). Coordinated disclosure: NVIDIA PSIRT will be notified through the huntr platform.