# TensorRT ONNX External Data Offset Crash PoC ## Vulnerability A crafted ONNX model with an `external_data` weight reference containing a negative offset value (`-1`) crashes TensorRT's engine builder with `STATUS_ACCESS_VIOLATION` (0xC0000005 on Windows / SIGSEGV on Linux). - **Model size**: 185 bytes (+ 64-byte weight file = 249 bytes total) - **Crash rate**: 100% (10/10 runs) - **Affected phase**: `build_serialized_network()` (parse succeeds with no error) - **Tested on**: TensorRT 10.15.1.29, Windows, CUDA 12.x ## Root Cause The ONNX `external_data` offset field is `int64` in the protobuf spec. TensorRT's `WeightsContext.cpp::parseExternalWeights()` does not validate the offset before passing it to `seekg()`. Negative values cause undefined behavior in file I/O, producing garbage weight data that crashes the builder during optimization. **All negative offsets crash. All offsets >= ~2^32 also crash.** ## Files | File | Description | |------|-------------| | `crash_offset_neg1.onnx` | Malicious ONNX model (offset=-1) - **CAUSES CRASH** | | `benign_offset_0.onnx` | Benign ONNX model (offset=0) - builds normally | | `weights.bin` | Weight file (64 bytes, required by both models) | | `reproduce.py` | Reproduction script | ## Reproduction ```bash pip install tensorrt onnx numpy torch python reproduce.py ``` ### Expected output: ``` [1] Benign model (offset=0): benign: rc=0 BUILD_OK size=... [2] Malicious model (offset=-1): malicious: CRASH (STATUS_ACCESS_VIOLATION 0xC0000005) [3] Reproducibility (5 runs): run 1: CRASH (STATUS_ACCESS_VIOLATION 0xC0000005) run 2: CRASH (STATUS_ACCESS_VIOLATION 0xC0000005) ... Crash rate: 5/5 ``` ## Impact Any TensorRT pipeline that accepts untrusted ONNX models and compiles them will crash: - NVIDIA Triton Inference Server - TensorRT-LLM ONNX compilation - MLOps platforms accepting user-submitted models - CI/CD pipelines compiling ONNX models ## Severity High (CVSS 3.1: 7.5 -- AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Potential for memory corruption escalation beyond DoS.