license: mit

# TensorRT Systemic Plugin Deserialization Overflow PoC
30+ TensorRT plugins use unsafe `read<>()` / `readFromBuffer<>()` primitives with ZERO bounds checking. Attacker-controlled values from .engine files drive vector resize, malloc, and cudaMemcpy without validation.
## Affected Plugins (partial list)

- FlattenConcat, Region, GridAnchor, DecodeBbox3D, BatchedNMS
- DetectionOutput, EmbLayerNorm, PriorBox, Reorg, SpecialSlice
- 20+ more plugins that consume the `plugin/common/` helpers
## Root Cause

`read<>()` in `plugin/common/plugin.h` and `readFromBuffer<>()` in `plugin/common/templates.h` blindly memcpy from the buffer and advance the cursor with no check of the remaining size.
## Contrast

BERT plugins use `serialize.hpp`, which DOES check the remaining size. The ONNX parser has `multiplicationWillOverflow()`. Safer code exists in the same tree but the affected plugins do not use it.
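As an added illustration (not TensorRT's code and not part of this PoC), this is the shape of a bounded reader of the kind the BERT `serialize.hpp` path uses, combined with the overflow guard that `multiplicationWillOverflow()` provides, so that a count from the file can never drive an oversized resize or copy. The `BoundedReader`/`parseRecord` names and the record layout are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>
// Hardened replacement for the unchecked read<>() pattern: the reader carries
// the number of bytes left and refuses any read that would run past the end.
class BoundedReader {
public:
    BoundedReader(const char* data, size_t length) : mCur(data), mRemaining(length) {}
    template <typename T>
    T read() {
        if (mRemaining < sizeof(T)) throw std::runtime_error("truncated buffer");
        T val{};
        std::memcpy(&val, mCur, sizeof(T));  // never reads past mRemaining
        mCur += sizeof(T);
        mRemaining -= sizeof(T);
        return val;
    }
    // Length-prefixed array: the count comes from the file, so guard the
    // count*sizeof(T) multiplication and the remaining bytes before any resize/copy.
    template <typename T>
    std::vector<T> readArray() {
        const uint64_t count = read<uint64_t>();
        if (count > SIZE_MAX / sizeof(T))
            throw std::runtime_error("element count overflows size_t");
        const size_t bytes = static_cast<size_t>(count) * sizeof(T);
        if (bytes > mRemaining) throw std::runtime_error("array exceeds buffer");
        std::vector<T> out(static_cast<size_t>(count));
        if (bytes != 0) std::memcpy(out.data(), mCur, bytes);
        mCur += bytes;
        mRemaining -= bytes;
        return out;
    }
    size_t remaining() const { return mRemaining; }
private:
    const char* mCur; size_t mRemaining;
};

// Deserialize a toy record {int32 flag, uint64 count, int32 data[count]} (a constructed
// layout, not a real plugin). Returns false instead of overreading on bad input.
bool parseRecord(const char* blob, size_t len, int32_t& flag, std::vector<int32_t>& data) {
    try {
        BoundedReader r(blob, len);
        flag = r.read<int32_t>();
        data = r.readArray<int32_t>();
        return r.remaining() == 0;  // trailing bytes are rejected too
    } catch (const std::runtime_error&) {
        return false;
    }
}
```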