---
license: mit
tags:
- tensorrt
- security-research
- vulnerability-poc
---

# VULN-011: Heap Buffer Overflow in TensorRT ONNX Parser via INT4 Tensor (CWE-122)

## Summary

A crafted ONNX model containing an INT4/UINT4 tensor whose `int32_data` array is larger than the tensor shape allows causes a heap buffer overflow in the TensorRT ONNX parser. The `convertPackedInt32Data()` function writes attacker-controlled data past the end of a heap buffer.

- CWE: CWE-122 (Heap-based Buffer Overflow)
- Severity: Critical (CVSS 8.8) - potentially exploitable for RCE
- Affected: TensorRT 10.15.1.29
- Crash: STATUS_HEAP_CORRUPTION (0xC0000374) - confirmed heap write corruption
- Reproducibility: 100% (15/15)

## Files

- `vuln011_int4_heap_overflow.onnx` (1,107 bytes) - INT4, 1KB overflow
- `vuln011_uint4_heap_overflow.onnx` (10,090 bytes) - UINT4, 5KB overflow
- `vuln011_int4_extreme.onnx` (100,091 bytes) - INT4, 100KB overflow
- `vuln011_int4_heap_overflow.py` - Build/crash/verify script

## Reproduction

```
python vuln011_int4_heap_overflow.py build
python vuln011_int4_heap_overflow.py verify
python vuln011_int4_heap_overflow.py crash
```

## Root Cause

In `WeightsContext.cpp`, `convertPackedInt32Data()` writes `nbytes = int32_data.size()` bytes into a buffer allocated for `(volume(shape)*4 + 4) / 8` bytes. There is no bounds check, so the attacker controls both the length and the content of the overflow.
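
A pre-parse check built from the size formula in the root cause, so that a model can be rejected before it reaches the parser. This is an added example, not code from this repository or from TensorRT. The names `packed_int4_bytes`, `check_tensor`, `scan_model` and `Finding` are hypothetical, the one-byte-per-`int32_data`-entry write is taken from the description above, and only top-level graph initializers are scanned:

```python
from dataclasses import dataclass
from math import prod

# ONNX TensorProto.DataType enum values for the two 4-bit integer types.
UINT4, INT4 = 21, 22

@dataclass
class Finding:
    name: str
    allocated: int  # bytes the destination buffer holds
    supplied: int   # int32_data entries, one byte written per entry

def packed_int4_bytes(dims):
    """Buffer size per the root-cause formula: (volume(shape)*4 + 4) / 8."""
    if any(d < 0 for d in dims):
        raise ValueError(f"negative dimension in {list(dims)}")
    return (prod(dims) * 4 + 4) // 8  # prod([]) == 1 covers scalars

def check_tensor(name, data_type, dims, int32_len):
    """Return a Finding when a 4-bit tensor supplies more entries than fit."""
    if data_type not in (UINT4, INT4):
        return None
    allocated = packed_int4_bytes(dims)
    if int32_len > allocated:
        return Finding(name, allocated, int32_len)
    return None

def scan_model(path):
    """Check every graph initializer in an ONNX file (needs the onnx package)."""
    import onnx  # imported lazily so the checks above work without it
    model = onnx.load(path, load_external_data=False)
    findings = []
    for t in model.graph.initializer:
        hit = check_tensor(t.name, t.data_type, t.dims, len(t.int32_data))
        if hit is not None:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_model(sys.argv[1])
    else:
        # Constructed sample: shape [4] holds 2 packed bytes, 1026 entries supplied.
        results = [check_tensor("constructed_w", INT4, [4], 1026)]
    for f in results:
        print(f"REJECT {f.name}: {f.supplied} int32_data entries, "
              f"buffer holds {f.allocated} bytes")
```

Tensors carried in `Constant` node attributes or in subgraphs are not visited by `scan_model` and would need the same check.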