TensorRT EyeLike heap OOB write — proof-of-concept

PoC artifacts for a heap out-of-bounds write in NVIDIA nvonnxparser's EyeLike ONNX op importer (onnx-tensorrt/parsers/onnx/onnxOpImporters.cpp:2359).

CVE class: CWE-190 (integer overflow) → CWE-787 (out-of-bounds write). CVSS 3.1: 8.1 High (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). Verified on: TensorRT 10.16.1 (Google Colab T4, CUDA 12.4).

Files

File	Bytes	sha256 (head)	Purpose
`eyelike_oob_input.onnx`	136	`03b2e56e…`	Crafted PoC: 1-node EyeLike op, input shape (65537, 65537)
`crash_python.log`	1480	`442d9373…`	`faulthandler` SIGSEGV trace from `nvonnxparser.OnnxParser.parse()`
`crash_gdb.log`	55966	`9bff57b3…`	`gdb -batch` SIGSEGV with full memory map
`crash_polygraphy.log`	48	`31cd64bc…`	`polygraphy run --trt` SIGSEGV (third independent witness)
`crash_gdb_symbolicated.log`	10044	`fbf52f34…`	Offline symbolication via NVIDIA wheel — fault instruction located
`run_python_repro.py`	577	`09dff394…`	Minimal Python script invoking the parser
`gdb_cmds.txt`	244	`c17d2dfa…`	gdb batch commands

Reproduction (Colab T4)

pip install -q tensorrt==10.16.1 onnx polygraphy
python run_python_repro.py        # SIGSEGV
gdb -batch -x gdb_cmds.txt python  # SIGSEGV with frame dump
polygraphy run eyelike_oob_input.onnx --trt  # SIGSEGV

Root cause (one line)

int totalWeights = dims.d[0] * dims.d[1]; — int64×int64 product narrowed to int32 silently, vector sized to truncated value, write loop uses original int64 dimensions → first OOB write at r=2, c=0 past vector end.

Disclosure

Submitted to huntr.com Model File Format Bounty Program (target=onnx). Coordinated disclosure: NVIDIA PSIRT will be notified through huntr platform.

Downloads last month: 5

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support