Instructions to use renaissancefieldlite/tensorrt-pillar-scatter-boundary-poc with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- TensorRT
How to use renaissancefieldlite/tensorrt-pillar-scatter-boundary-poc with TensorRT:
# No code snippets available yet for this library. # To use this model, check the repository files and the library's documentation. # Want to help? PRs adding snippets are welcome at: # https://github.com/huggingface/huggingface.js
- Notebooks
- Google Colab
- Kaggle
TensorRT PillarScatterPlugin Serialized-Data Boundary PoC
This repository supports a private Huntr report for the TensorRT model-format target.
Summary
TensorRT's PillarScatterPluginCreator::deserializePlugin(...) passes serialData and serialLength into PillarScatterPlugin(void const* data, size_t length), but the constructor ignores length and reads two size_t values through plugin/common/templates.h::readFromBuffer<T>().
readFromBuffer<T>() advances a raw pointer and dereferences sizeof(T) bytes without receiving or checking remaining length. A truncated serialized plugin payload can therefore trigger an out-of-bounds read in the plugin deserializer.
Source Anchors
plugin/common/templates.h:41-48plugin/pillarScatterPlugin/pillarScatter.cpp:35-40plugin/pillarScatterPlugin/pillarScatter.cpp:266-273
Tested source commit:
82d1dca801c8318a5605399d5240780d0679e4e1
Included Files
Model / Engine Artifacts
models/pillar_scatter_plugin_engine.plan- Baseline TensorRT plan containing a
PillarScatterPluginlayer.
- Baseline TensorRT plan containing a
models/pillar_scatter_plugin_engine_mut_size_t_0.plan- Same-length mutation of embedded plugin-state bytes. Reloads successfully and changes the loaded plugin output shape from
(1, 4, 17, 29)to(1, 4, 1, 1048576).
- Same-length mutation of embedded plugin-state bytes. Reloads successfully and changes the loaded plugin output shape from
models/pillar_scatter_plugin_engine_decl_len_8_second_huge.plan- Declared-length mutation candidate. TensorRT archive/typehash validation rejects it before plugin deserialization.
Payload / PoC
payloads/pillar_scatter_truncated_one_field_payload.bin- 8-byte payload containing one
size_tfield. The firstsize_tread fits; the secondsize_tread crosses the allocation.
- 8-byte payload containing one
poc/pillar_scatter_creator_file_payload_oob_harness.cpp- Source-backed harness that feeds the 8-byte payload to the real
PillarScatterPluginCreator::deserializePlugin(...)path.
- Source-backed harness that feeds the 8-byte payload to the real
poc/pc_pillar_scatter_engine_mutation_probe.py- TensorRT Python probe used on Windows/RTX PC to build/load the plan and verify same-length mutation reachability.
Receipts
receipts/file_payload_creator_deserialize_receipt.mdreceipts/pc_pillar_scatter_file_payload_deserialize_clang64_asan_receipt.txtreceipts/engine_mutation_load_receipt.md
Reproduction
Build and run the creator/file-payload proof with AddressSanitizer from a TensorRT checkout at the tested commit:
clang++ -std=c++17 -fsanitize=address -g -O0 -iquote . \
poc_plugin_deserialize_length_boundary/pillar_scatter_creator_file_payload_oob_harness.cpp \
poc_plugin_deserialize_length_boundary/pillar_scatter_deserialize_link_stubs.cpp \
plugin/pillarScatterPlugin/pillarScatter.cpp \
-o /tmp/pillar_scatter_creator_file_payload_oob_harness \
&& /tmp/pillar_scatter_creator_file_payload_oob_harness \
payloads/pillar_scatter_truncated_one_field_payload.bin
Observed result:
- AddressSanitizer reports
heap-buffer-overflow. - Failing access:
READ of size 8. - Stack path reaches:
plugin/common/templates.h:45:16PillarScatterPlugin::PillarScatterPlugin(void const*, unsigned long long)PillarScatterPluginCreator::deserializePlugin(...)
Engine Reachability Boundary
The included .plan artifacts show real TensorRT engine reachability:
trt.get_plugin_registry()containsPillarScatterPluginversion1.- A real
.plancontaining the plugin loads throughRuntime.deserialize_cuda_engine(...). - Same-length mutation of embedded plugin-state bytes reloads successfully and changes loaded output tensor shape.
The current evidence does not claim an AddressSanitizer crash directly through Runtime.deserialize_cuda_engine(...). Attempts to shorten the apparent plugin payload length inside the plan were blocked by TensorRT archive/typehash validation before the vulnerable plugin constructor was reached.
If Huntr/NVIDIA wants a deeper continuation, the next route is an ASan-instrumented plugin/runtime loader path or typehash-consistent TensorRT plan archive construction. The source-backed creator/file-payload proof already demonstrates the unsafe deserialization primitive and the engine artifacts demonstrate that the affected plugin state is present in real plan files.
- Downloads last month
- -