YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

TensorRT ModulatedDeformConv2d Negative Stride PoC

This is a benign security research PoC for a Huntr Model File Vulnerability report.

Files

  • modulated-deformconv-negative-stride.engine: TensorRT engine with a patched legacy ModulatedDeformConv2d v1 plugin state.
  • control-modulated-deformconv.engine: matching control engine built through the public plugin creator.
  • reproduce.py: loads both engines and runs the same inference input.

Trigger

The malicious behavior is triggered by loading the .engine file with TensorRT and running inference. The control engine returns the input tensor [1, 2, 3, 4, 5, 6, 7, 8, 9]. The patched engine loads and executes, but returns all zeros for the same input.

The patched field is the serialized legacy ModulatedDeformConv2d v1 plugin mStride.d[0] value. The public plugin creator rejects non-positive stride values, but the legacy deserialize path accepts the serialized value from the engine file.

Reproduction

Tested with TensorRT 11.1.0.106 on NVIDIA GPUs.

If TensorRT needs cuBLAS 13, make sure libcublas.so.13 is in LD_LIBRARY_PATH.

python3 reproduce.py \
  --control control-modulated-deformconv.engine \
  --malicious modulated-deformconv-negative-stride.engine \
  --gpu 0

Expected result:

  • control_signature: [1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0]
  • malicious_signature: [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
  • output_changed: true
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support