# TensorRT VULN-004: Input-Controlled DoS via While-Loop Models

## Vulnerability

A structurally valid ONNX model (351 bytes) using a condition-dependent Loop
operator hangs indefinitely during TensorRT inference when given a malicious
input value. The model works correctly with normal inputs but hangs permanently
with extreme inputs.

## Distinct from VULN-003

- VULN-003: Malicious MODEL with static INT64_MAX trip count
- VULN-004: Normal MODEL + malicious INPUT data
- VULN-003 fix (validate max_trip_count) does NOT prevent this
- Requires runtime protection: inference timeout / iteration budget

## Impact

- Input-controlled DoS for any TRT model using while-loops
- Attacker only needs to send a single malicious float value
- Affects Triton, TensorRT-LLM, any TRT-based pipeline
- Model is structurally valid -- cannot be detected by static analysis

## Files

| File | Description |
|------|-------------|
| vuln004_input_dos.py | Main PoC script |
| while_loop.onnx | While-loop ONNX model (351 bytes) |
| while_loop.engine | Compiled TRT engine (11,124 bytes) |

## Reproduction

```bash
pip install tensorrt onnx torch numpy
python vuln004_input_dos.py
```

## Results

- counter=10: completes in 0.001s
- counter=1000: completes in 0.055s
- counter=1e6: HANGS indefinitely
- counter=1e30: HANGS indefinitely
- counter=FLT_MAX: HANGS indefinitely
- No timeout, no warning, no error
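The runtime protection called for above (iteration budget plus inference timeout), written as an added defender-side example that is not part of this PoC: the loop-controlling input is bounds-checked before the engine runs, and the engine call is isolated in a worker process that is killed on overrun, since a hung TensorRT execution cannot be cancelled from the calling thread. The TensorRT engine is replaced by a constructed stand-in loop; `MAX_ITERATIONS`, `INFERENCE_TIMEOUT_S`, `validate_loop_input`, `guarded_infer` and `fake_while_loop_model` are assumed names.

```python
"""Guard for while-loop models: budget-check the loop input, then run inference
in a worker process with a hard timeout so a hang cannot stall the server."""
import math
import multiprocessing as mp
import time

MAX_ITERATIONS = 10_000      # iteration budget; tune to the model's expected range
INFERENCE_TIMEOUT_S = 1.0    # wall-clock budget per request


def validate_loop_input(counter: float, budget: int = MAX_ITERATIONS) -> float:
    """Preflight check for an input that feeds a Loop condition: reject
    NaN/inf, negatives and anything above the budget before the engine runs."""
    if not math.isfinite(counter) or counter < 0:
        raise ValueError(f"non-finite or negative loop input: {counter!r}")
    if counter > budget:
        raise ValueError(f"loop input {counter} exceeds iteration budget {budget}")
    return counter


def fake_while_loop_model(counter: float) -> int:
    """Constructed stand-in for while_loop.onnx (not TensorRT): iterates
    `counter` times, so a huge input takes effectively forever."""
    i = 0
    while i < counter:
        i += 1
    return i


def _worker(model, counter, conn):
    conn.send(model(counter))


def guarded_infer(counter: float, model=fake_while_loop_model,
                  budget: int = MAX_ITERATIONS,
                  timeout: float = INFERENCE_TIMEOUT_S) -> tuple:
    """Returns ("ok", result), ("rejected", reason) or ("timeout", seconds)."""
    try:
        validate_loop_input(counter, budget)   # cheap static check first
    except ValueError as exc:
        return ("rejected", str(exc))
    ctx = mp.get_context("fork")               # assumes a POSIX host
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(model, counter, child))
    start = time.monotonic()
    proc.start()
    if parent.poll(timeout):                   # result arrived within budget
        result = parent.recv()
        proc.join()
        return ("ok", result)
    proc.terminate()                           # hard-kill the hung worker
    proc.join()
    return ("timeout", round(time.monotonic() - start, 2))
```

A request that passes the budget but still overruns (for example a budget set too generously) is caught by the timeout path rather than hanging the caller.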