TensorRT CropAndResizeDynamic crop-dim output manipulation PoC

This repository is a benign security research PoC for a Model File Vulnerability in TensorRT engine files.

Files:

  • control-crop-2x2.engine
  • crop-width1-height2.engine
  • crop-width2-height1.engine
  • reproduce.py

Public file URLs:

Tested runtime:

  • TensorRT 11.1.0.106
  • Trigger path: trt.Runtime(...).deserialize_cuda_engine(...), engine.create_execution_context(), then ctx.execute_async_v3(...)
  • GPU used for validation: NVIDIA RTX 4090

Expected behavior:

  • control-crop-2x2.engine embeds CropAndResizeDynamic with serialized crop_width=2 and crop_height=2.
  • crop-width1-height2.engine changes only the serialized crop dimension pair to crop_width=1, crop_height=2.
  • crop-width2-height1.engine changes only the serialized crop dimension pair to crop_width=2, crop_height=1.
  • All three engines deserialize and execute successfully. The malicious engines keep the same TensorRT output metadata shape [1, 1, 1, 2, 2], but silently reroute the ROI pooled feature values.

Reproduction:

python reproduce.py --gpu 0

If CUDA libraries are not on the default loader path, set LD_LIBRARY_PATH first. Example from the validation lab:

LD_LIBRARY_PATH=/home/hacnho/.venv-vllm/lib/python3.12/site-packages/nvidia/cu13/lib:$LD_LIBRARY_PATH python reproduce.py --gpu 0

Expected delta:

control_values:     [0.0, 3.0, 12.0, 15.0]
malicious_a_values: [1.5, 13.5, 0.0, 0.0]
malicious_b_values: [6.0, 9.0, 0.0, 0.0]
same_output_shape_a: true
same_output_shape_b: true

Scanner results recorded during validation:

  • Hugging Face repository scan: no files with issues when observable
  • modelscan 0.8.8: no issues found; .engine is not inspected as a malicious model graph
  • picklescan 1.0.4: infected files 0, dangerous globals 0
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support