TensorRT DecodeBbox3DPlugin serialized max_x MFV PoC

This repository is a benign security research PoC for Huntr MFV triage. It demonstrates a TensorRT .engine file where serialized DecodeBbox3DPlugin state changes the PointPillars point_cloud_range max-x value from 2.0 to 4.0. The engine still deserializes and executes, and box_num remains 8, but the decoded 3D boxes shift in the x dimension while output shapes stay [1, 8, 9] and [1].

Files:

  • control_decodebbox3d.engine: TensorRT 11.1.0.106 control engine with serialized mMaxXRange=2.0.
  • malicious_maxx_4.engine: same engine with serialized mMaxXRange patched from 2.0 to 4.0.
  • reproduce.py: runs both engines and compares output shapes, execution status, decoded boxes, and box_num.
  • probe.py: builds the control engine and documents the serialized-field mutation.
  • requirements.txt: tested dependency versions.

Public files:

  • Repo: https://huggingface.co/hacnho/tensorrt-decodebbox3d-maxx-bypass-poc
  • Control: https://huggingface.co/hacnho/tensorrt-decodebbox3d-maxx-bypass-poc/resolve/main/control_decodebbox3d.engine
  • Malicious: https://huggingface.co/hacnho/tensorrt-decodebbox3d-maxx-bypass-poc/resolve/main/malicious_maxx_4.engine
  • Reproducer: https://huggingface.co/hacnho/tensorrt-decodebbox3d-maxx-bypass-poc/resolve/main/reproduce.py

Reproduction:

python reproduce.py \
  --control control_decodebbox3d.engine \
  --malicious malicious_maxx_4.engine
modelscan -p malicious_maxx_4.engine --show-skipped

Expected result:

  • TensorRT deserializes and executes both engines.
  • Output shapes remain boxes [1, 8, 9] and box_num [1].
  • box_num remains 8.
  • Decoded x coordinates change from [0.0, 2.0] to [0.0, 4.0]; output order may differ because the plugin writes boxes via atomicAdd.
  • modelscan 0.8.8 reports No issues found! and skips the .engine file.
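
The comparison behind the expected result above, as an added example that is not this repository's reproduce.py: because atomicAdd makes the box order nondeterministic, it compares box sets order-independently and flags decoded x values beyond the intended max-x of 2.0. It assumes x is the first of the 9 values in each box, and the sample boxes are constructed, not real engine output.

```python
import random

X = 0  # assumption: x is the first of the 9 values in each decoded box


def canonical(boxes, ndigits=4):
    """Sort rounded rows so the atomicAdd write order does not affect equality."""
    return sorted(tuple(round(v, ndigits) for v in b) for b in boxes)


def x_range(boxes):
    """Return (min, max) of the decoded x coordinates."""
    xs = [b[X] for b in boxes]
    return (min(xs), max(xs))


def compare(control, candidate, max_x, tol=1e-3):
    """Compare two decoded box sets and check x against the intended max-x."""
    return {
        "same_count": len(control) == len(candidate),
        "same_boxes": canonical(control) == canonical(candidate),
        "control_x": x_range(control),
        "candidate_x": x_range(candidate),
        # Boxes that cannot come from an engine built with the intended range.
        "out_of_range": [b for b in candidate if b[X] > max_x + tol],
    }


def make_boxes(max_x, n=8, seed=0):
    """Constructed sample: n boxes with x evenly spaced over [0, max_x]."""
    rows = [[max_x * i / (n - 1), 0.5, -1.0, 1.6, 3.9, 1.5, 0.0, 0.0, 0.9]
            for i in range(n)]
    random.Random(seed).shuffle(rows)  # emulate nondeterministic write order
    return rows


if __name__ == "__main__":
    control = make_boxes(2.0, seed=1)
    reordered = make_boxes(2.0, seed=2)  # same boxes, different order
    shifted = make_boxes(4.0, seed=3)    # x spread over [0.0, 4.0]
    print(compare(control, reordered, max_x=2.0))
    print(compare(control, shifted, max_x=2.0))
```

A deployment that knows its configured point_cloud_range can run the out_of_range check on live output, since shape and box_num checks alone do not change between the two engines.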

Tested SHA256:

  • control_decodebbox3d.engine: abb60eb19f3e4386d04859405bf391ef17a425c7c9d7c49694ecd4f54cc9ca16
  • malicious_maxx_4.engine: bd67959be56022247802b2ef1d2b8c6244ce64d46dfe8788b8c81926ff011c73