| # TensorRT `.engine` PoC: inference-time crash via serialized `BatchedNMSDynamic_TRT` state |
| |
| ## Summary |
| |
| This repository contains a proof-of-concept TensorRT `.engine` file that crashes during normal inference after successful model loading. |
| |
| - `baseline.engine` loads and executes successfully. |
| - `poc.engine` also loads successfully and creates an execution context, but crashes the process during inference because the serialized plugin field `topK` was patched to `0`. |
| |
| The model interface, input tensors, and host-side API usage are identical in both cases. |
| |
| ## Files |
| |
| - `baseline.engine`: clean reference engine |
| - `poc.engine`: malicious PoC engine |
| - `manifest.json`: SHA-256 hashes for both engines |
| - `verification-rerun.json`: verification output from a fresh rerun |
| - `verify_bounty_poc.py`: reproduction script |
| |
| ## Reproduction |
| |
| ```bash |
| python verify_bounty_poc.py \ |
| --baseline baseline.engine \ |
| --candidate poc.engine \ |
| --mode crash \ |
| --output-json verification-local.json |
| ``` |
| |
| ## Expected Result |
| |
| - `baseline.engine`: success |
| - `poc.engine`: process exits with `SIGSEGV` / return code `-11` |
| |
| ## Impact |
| |
| A malicious TensorRT `.engine` file can embed crafted built-in plugin metadata that passes deserialization but crashes the host process during inference. |
| |
