TensorRT GenerateDetection image_size PoC

This public repository contains a benign security research PoC accompanying a TensorRT model file vulnerability report: a serialized engine whose GenerateDetection_TRT plugin carries a crafted image_size loads and runs without error but silently corrupts its detection output.

Files:

  • control_generatedetection.engine: control TensorRT engine with GenerateDetection_TRT serialized with image_size=(3,224,224).
  • malicious_image_size_zero.engine: the same engine with the middle (height) entry of image_size zeroed, i.e. GenerateDetection_TRT serialized with image_size=(3,0,224).
  • reproduce.py: deserializes and runs both engines through TensorRT inference on the same input and prints the delta between their outputs.

Tested environment:

  • TensorRT 11.1.0.106
  • modelscan 0.8.8
  • Entry point: trt.Runtime(logger).deserialize_cuda_engine(...), then ctx.execute_async_v3(0)

Reproduction:

python reproduce.py \
  --control control_generatedetection.engine \
  --malicious malicious_image_size_zero.engine

Expected result:

  • Control first detection: [0.10000002, 0.10000002, 0.39999998, 0.39999998, 1.0, 0.95000005]
  • Malicious first detection: [0.0, 0.10000002, 0.0, 0.39999998, 1.0, 0.95000005]

Both engines deserialize and execute without any error or warning. The crafted file keeps the class (1.0) and confidence (0.95000005) unchanged but zeroes the two y coordinates (indices 0 and 2 of the detection row) at inference time, so the corruption is silent: nothing in the load or execute path reports a problem, only the boxes are wrong.

Scanner result:

modelscan 0.8.8: No issues found
Skipped: Model Scan did not scan file

modelscan does not parse serialized TensorRT engines (the file is reported as skipped, not as scanned and clean), so a tampered plugin field of this kind is invisible to it. A file-format scanner is not a substitute for verifying the engine's provenance and checking its behaviour before trusting it.
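Since a static scanner cannot see inside the engine, the practical defence is to gate the engine at load time. The following is an added example, not code from this repository: it pins the engine file's SHA-256 to a build-time allowlist and then runs a canary inference, rejecting the engine if its first detection drifts from the known-good control output or contains a degenerate (zero-extent) box. Running a real engine requires TensorRT and a GPU, so the inference step is passed in as a callable; the engine bytes below are constructed stand-ins, and the detection rows are the values reported above. The detection layout [y1, x1, y2, x2, class, score] is an assumption.

```python
# Added example, not part of the PoC repository. Loader-side guard for opaque
# TensorRT engine files: pin the file hash, then run a canary inference and
# reject the engine if the first detection drifts from the control output or
# is a degenerate box. The real inference (trt.Runtime(...).deserialize_cuda_engine
# followed by execute_async_v3) is supplied as a callable; fake_canary below
# stands in for it so the example runs offline.
import hashlib
import math
from typing import Callable, Iterable, Sequence

# First detection rows as reported by reproduce.py (copied from the PoC text).
CONTROL_FIRST = [0.10000002, 0.10000002, 0.39999998, 0.39999998, 1.0, 0.95000005]
MALICIOUS_FIRST = [0.0, 0.10000002, 0.0, 0.39999998, 1.0, 0.95000005]

# Constructed stand-ins for the two engine files; real engines are opaque
# builder output, the bytes here are arbitrary.
CONTROL_ENGINE = b"constructed control engine bytes"
MALICIOUS_ENGINE = b"constructed malicious engine bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pinned(engine_bytes: bytes, allowed: Iterable[str]) -> bool:
    """Allowlist check: a serialized engine is a build artifact, so its hash can
    be recorded at build time and verified before deserialize_cuda_engine."""
    return sha256_hex(engine_bytes) in set(allowed)


def changed_fields(expected: Sequence[float], actual: Sequence[float],
                   atol: float = 1e-5) -> list:
    """Indices of the detection row that differ from the expected canary output."""
    if len(expected) != len(actual):
        return list(range(max(len(expected), len(actual))))
    return [i for i, (e, a) in enumerate(zip(expected, actual))
            if not math.isclose(e, a, abs_tol=atol)]


def is_degenerate_box(row: Sequence[float], min_extent: float = 1e-6) -> bool:
    """True if either axis of the box has zero or negative extent.
    Assumes indices 0/2 are one axis and 1/3 the other ([y1, x1, y2, x2, ...])."""
    a1, b1, a2, b2 = row[0], row[1], row[2], row[3]
    return (a2 - a1) < min_extent or (b2 - b1) < min_extent


def check_engine(engine_bytes: bytes,
                 allowed_hashes: Iterable[str],
                 run_canary: Callable[[bytes], Sequence[Sequence[float]]],
                 expected_first: Sequence[float]) -> dict:
    """Gate an engine before it is trusted; returns a verdict with reasons."""
    reasons = []
    if not is_pinned(engine_bytes, allowed_hashes):
        reasons.append("sha256 not in pinned allowlist")
    rows = run_canary(engine_bytes)
    if not rows:
        reasons.append("canary inference returned no detections")
    else:
        first = rows[0]
        drift = changed_fields(expected_first, first)
        if drift:
            reasons.append(f"canary detection drifted at indices {drift}")
        if is_degenerate_box(first):
            reasons.append("first detection is a degenerate box")
    return {"ok": not reasons, "reasons": reasons, "sha256": sha256_hex(engine_bytes)}


def fake_canary(engine_bytes: bytes) -> list:
    """Offline stand-in for deserialize_cuda_engine + execute_async_v3: maps the
    constructed blobs to the detection rows the PoC reports."""
    return [CONTROL_FIRST] if engine_bytes == CONTROL_ENGINE else [MALICIOUS_FIRST]


if __name__ == "__main__":
    pinned = [sha256_hex(CONTROL_ENGINE)]
    for name, blob in (("control", CONTROL_ENGINE), ("malicious", MALICIOUS_ENGINE)):
        print(name, check_engine(blob, pinned, fake_canary, CONTROL_FIRST))
```

The hash pin alone is enough to reject a swapped file; the canary comparison is there for the case where the build pipeline itself, or the plugin field it serializes, is what was tampered with, which a hash of the resulting file cannot reveal. In a real deployment the canary callable wraps the same entry point reproduce.py uses and runs a fixed input whose expected detections were recorded from a trusted build.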