TensorRT CustomFCPluginDynamic out_dim bypass PoC

This repository is a benign security research PoC for a Model File Vulnerability in TensorRT engine files.

Files:

  • control-customfc.engine
  • customfc-outdim1.engine
  • reproduce.py

Public file URLs:

Tested runtime:

  • TensorRT 11.1.0.106
  • Trigger path: trt.Runtime(...).deserialize_cuda_engine(...), engine.create_execution_context(), then ctx.execute_async_v3(...)
  • GPU used for validation: NVIDIA RTX 4090

Expected behavior:

  • control-customfc.engine uses CustomFCPluginDynamic with serialized mOutDim=4 and produces eight non-zero values with sum 110.0.
  • customfc-outdim1.engine keeps the same TensorRT engine tensor metadata shape [2, 1, 4, 1, 1], but the serialized plugin state is patched to mOutDim=1.
  • The malicious engine deserializes and executes successfully, then silently suppresses most output values: non-zero count drops from 8 to 2, and sum drops from 110.0 to 11.0.

Reproduction:

python reproduce.py --gpu 0

If your CUDA libraries are not on the default loader path, set LD_LIBRARY_PATH first. Example from the validation lab:

LD_LIBRARY_PATH=/home/hacnho/.venv-vllm/lib/python3.12/site-packages/nvidia/cu13/lib:$LD_LIBRARY_PATH python reproduce.py --gpu 0

Expected delta:

control_sum: 110.0
malicious_sum: 11.0
control_nonzero_count: 8
malicious_nonzero_count: 2
output_changed: true

Scanner results recorded during validation:

  • Hugging Face repository scan: no files with issues
  • modelscan 0.8.8: no issues found; .engine is not inspected as a malicious model graph
  • picklescan 1.0.4: infected files 0, dangerous globals 0
Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support