TensorRT ONNX Refitter — Heap Buffer Overflow PoC

PoC artifacts for the huntr report on nvonnxparser::ModelRefitter::refitFromFile: heap-buffer-overflow via oversized ONNX initializer raw_data (root cause: WeightsContext::ownWeights).

Affected: TensorRT 10.16.1 — parsers/onnx submodule pointing to onnx/onnx-tensorrt @ 6bde659 (tag release/10.16-GA).

Files

poc.onnx — malicious model. Single Identity node with FLOAT initializer: dims=[1] (declares 4 bytes) + raw_data = 1024 bytes. Drives a 1020-byte heap-buffer-overflow write in WeightsContext::ownWeights.
harness_l9.cpp — minimal IRefitter stub that drives nvonnxparser::ModelRefitter::refitFromFile directly. No libnvinfer.so or GPU required.

Usage

Build libnvonnxparser.so from TensorRT 10.16.1 with ASan:

cd parsers/onnx && mkdir build_asan && cd build_asan
cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g -O0" \
         -DONNX_NAMESPACE=onnx2trt_onnx
make -j$(nproc) nvonnxparser

Compile harness:

g++ -fsanitize=address -g -O0 -std=c++17 \
    -I/path/to/tensorrt/include \
    harness_l9.cpp -o harness_l9 \
    -L/path/to/build_asan -lnvonnxparser \
    -Wl,-rpath,/path/to/build_asan

Run:

./harness_l9 poc.onnx

Expected: ASan heap-buffer-overflow at WeightsContext.cpp:19 — WRITE of size 1024 immediately past a 4-byte heap allocation made in WeightsContext::createTempWeights (line 519).

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support