Instructions to use hacnho/tensorrt-customfc-outdim-bypass-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- TensorRT
How to use hacnho/tensorrt-customfc-outdim-bypass-poc with TensorRT:
# No code snippets available yet for this library. # To use this model, check the repository files and the library's documentation. # Want to help? PRs adding snippets are welcome at: # https://github.com/huggingface/huggingface.js
- Notebooks
- Google Colab
- Kaggle
TensorRT CustomFCPluginDynamic out_dim bypass PoC
This repository is a benign security research PoC for a Model File Vulnerability in TensorRT engine files.
Files:
control-customfc.enginecustomfc-outdim1.enginereproduce.py
Public file URLs:
- https://huggingface.co/hacnho/tensorrt-customfc-outdim-bypass-poc/resolve/main/control-customfc.engine
- https://huggingface.co/hacnho/tensorrt-customfc-outdim-bypass-poc/resolve/main/customfc-outdim1.engine
- https://huggingface.co/hacnho/tensorrt-customfc-outdim-bypass-poc/resolve/main/reproduce.py
Tested runtime:
- TensorRT
11.1.0.106 - Trigger path:
trt.Runtime(...).deserialize_cuda_engine(...),engine.create_execution_context(), thenctx.execute_async_v3(...) - GPU used for validation: NVIDIA RTX 4090
Expected behavior:
control-customfc.engineusesCustomFCPluginDynamicwith serializedmOutDim=4and produces eight non-zero values with sum110.0.customfc-outdim1.enginekeeps the same TensorRT engine tensor metadata shape[2, 1, 4, 1, 1], but the serialized plugin state is patched tomOutDim=1.- The malicious engine deserializes and executes successfully, then silently suppresses most output values: non-zero count drops from
8to2, and sum drops from110.0to11.0.
Reproduction:
python reproduce.py --gpu 0
If your CUDA libraries are not on the default loader path, set LD_LIBRARY_PATH first. Example from the validation lab:
LD_LIBRARY_PATH=/home/hacnho/.venv-vllm/lib/python3.12/site-packages/nvidia/cu13/lib:$LD_LIBRARY_PATH python reproduce.py --gpu 0
Expected delta:
control_sum: 110.0
malicious_sum: 11.0
control_nonzero_count: 8
malicious_nonzero_count: 2
output_changed: true
Scanner results recorded during validation:
- Hugging Face repository scan: no files with issues
modelscan 0.8.8: no issues found;.engineis not inspected as a malicious model graphpicklescan 1.0.4: infected files0, dangerous globals0
- Downloads last month
- -
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support