Instructions to use hacnho/tensorrt-scatterelements-invalid-reduction-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- TensorRT
How to use hacnho/tensorrt-scatterelements-invalid-reduction-poc with TensorRT:
# No code snippets available yet for this library. # To use this model, check the repository files and the library's documentation. # Want to help? PRs adding snippets are welcome at: # https://github.com/huggingface/huggingface.js
- Notebooks
- Google Colab
- Kaggle
TensorRT ScatterElements Invalid Reduction PoC
This is a benign security research PoC for a Huntr Model File Vulnerability report.
Files
scatterelements-invalid-reduction.engine: TensorRT engine with a legacyScatterElementsv1 plugin payload whose serializedReductionTypeenum is99.control-scatterelements-add.engine: matching control engine withReductionType::kSUMandaxis=1.reproduce.py: loads both engines and runs the same inference input.
Public URLs:
- Repo: https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc
- Malicious engine: https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/scatterelements-invalid-reduction.engine
- Control engine: https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/control-scatterelements-add.engine
SHA256:
scatterelements-invalid-reduction.engine:1dea8b3e87f274c8540d6521b5995df62ff89e0399397baa5c3a5e31bc4887e7control-scatterelements-add.engine:8d62826f8f17b05509c60f7cb9c000d859b7df67d603b50a9adb69ef86d808f2
Trigger
The malicious behavior is triggered by loading the .engine file with TensorRT and running inference.
Input:
data = [10, 20, 30, 40]
indices = [0, 2]
updates = [100, 200]
The control engine applies scatter-add and returns [110, 20, 230, 40].
The malicious engine loads and executes successfully, but because the serialized reduction enum is outside the valid 0..4 range, the reduction dispatch does not run. The output remains the original data: [10, 20, 30, 40].
Reproduction
Tested with TensorRT 11.1.0.106 on NVIDIA GPUs.
python3 reproduce.py \
--control control-scatterelements-add.engine \
--malicious scatterelements-invalid-reduction.engine \
--gpu 0
The public artifact can also be tested directly:
python3 reproduce.py \
--control https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/control-scatterelements-add.engine \
--malicious https://huggingface.co/hacnho/tensorrt-scatterelements-invalid-reduction-poc/resolve/main/scatterelements-invalid-reduction.engine \
--gpu 0
Expected result:
control_signature:[110.0, 20.0, 230.0, 40.0]malicious_signature:[10.0, 20.0, 30.0, 40.0]output_changed:true
Scanner posture for the public-downloaded malicious engine:
modelscan 0.8.8: summary saysNo issues found;.engineis skipped asModel Scan did not scan fileand the CLI exits3.picklescan: cannot parse the.engineas pickle, but reportsInfected files: 0andDangerous globals: 0.
- Downloads last month
- -
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support