YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
TensorRT ModulatedDeformConv2d Negative Stride PoC
This is a benign security research PoC for a Huntr Model File Vulnerability report.
Files
modulated-deformconv-negative-stride.engine: TensorRT engine with a patched legacyModulatedDeformConv2dv1 plugin state.control-modulated-deformconv.engine: matching control engine built through the public plugin creator.reproduce.py: loads both engines and runs the same inference input.
Trigger
The malicious behavior is triggered by loading the .engine file with TensorRT and running inference. The control engine returns the input tensor [1, 2, 3, 4, 5, 6, 7, 8, 9]. The patched engine loads and executes, but returns all zeros for the same input.
The patched field is the serialized legacy ModulatedDeformConv2d v1 plugin mStride.d[0] value. The public plugin creator rejects non-positive stride values, but the legacy deserialize path accepts the serialized value from the engine file.
Reproduction
Tested with TensorRT 11.1.0.106 on NVIDIA GPUs.
If TensorRT needs cuBLAS 13, make sure libcublas.so.13 is in LD_LIBRARY_PATH.
python3 reproduce.py \
--control control-modulated-deformconv.engine \
--malicious modulated-deformconv-negative-stride.engine \
--gpu 0
Expected result:
control_signature:[1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0]malicious_signature:[0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]output_changed:true