license: mit
TensorRT Systemic Plugin Deserialization Overflow PoC
More than 30 TensorRT plugins deserialize their state through the unchecked read<>() / readFromBuffer<>()
primitives, which perform no bounds checking at all. Attacker-controlled values read from a .engine file
therefore drive vector resize, malloc, and cudaMemcpy sizes without any validation.
Affected Plugins (partial list)
- FlattenConcat, Region, GridAnchor, DecodeBbox3D, BatchedNMS
- DetectionOutput, EmbLayerNorm, PriorBox, Reorg, SpecialSlice
- More than 20 further plugins that consume the plugin/common/ helpers
Root Cause
read<>() in plugin/common/plugin.h and readFromBuffer<>() in plugin/common/templates.h memcpy sizeof(T)
bytes out of the serialization buffer and advance the pointer without checking how many bytes remain,
so a truncated or oversized .engine file is read past its end and the lengths it carries are trusted.
Contrast
The BERT plugins use serialize.hpp, which DOES check the remaining size before each read, and the
ONNX parser has multiplicationWillOverflow() for size arithmetic. Safer primitives already exist in
the codebase; the affected plugins simply do not use them.
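As an added illustration (not TensorRT's code): a bounds-checked reader of the kind the Contrast section describes, together with the count validation that should precede any resize driven by a deserialized value. SafeReader, parseFloatArray, parsedCount and buildPayload are hypothetical names, and the int32-count-plus-floats layout is a constructed stand-in for a plugin's serialized fields.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>
// Hardened reader (hypothetical name): tracks the bytes left and refuses to
// copy past the end, unlike the unchecked read<>() the page describes.
class SafeReader
{
public:
    SafeReader(const char* data, size_t length) : mCur(data), mRemaining(length) {}
    template <typename T> bool read(T& out)
    {
        if (mRemaining < sizeof(T)) return false; // would read past the buffer
        std::memcpy(&out, mCur, sizeof(T));
        mCur += sizeof(T);
        mRemaining -= sizeof(T);
        return true;
    }
    size_t remaining() const { return mRemaining; }
private:
    const char* mCur;
    size_t mRemaining;
};
// Constructed layout: int32 count, then count float32 values. Returns the count
// parsed, or -1 when the header cannot be trusted. The count is validated
// against the bytes actually present before it drives vector::resize.
inline long parseFloatArray(const std::vector<char>& buf, std::vector<float>& out)
{
    SafeReader r(buf.data(), buf.size());
    int32_t count = 0;
    if (!r.read(count) || count < 0) return -1;
    const size_t n = static_cast<size_t>(count);
    // Same idea as the ONNX parser's multiplicationWillOverflow(): check the product before using it.
    if (n > std::numeric_limits<size_t>::max() / sizeof(float) || n * sizeof(float) > r.remaining()) return -1;
    out.resize(n);
    for (float& v : out) if (!r.read(v)) return -1;
    return count;
}
// Convenience for callers that only need the verdict: count parsed, or -1.
inline long parsedCount(const std::vector<char>& buf) { std::vector<float> vals; return parseFloatArray(buf, vals); }
// Constructed payload for testing: header count (possibly lying), then values.
inline std::vector<char> buildPayload(int32_t count, const std::vector<float>& vals)
{
    std::vector<char> buf(sizeof(count) + vals.size() * sizeof(float));
    std::memcpy(buf.data(), &count, sizeof(count));
    if (!vals.empty()) std::memcpy(buf.data() + sizeof(count), vals.data(), vals.size() * sizeof(float));
    return buf;
}
```

A header claiming a million elements over a buffer that holds one is rejected before any allocation happens, which is exactly the check the affected read<>() path lacks.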