TensorRT ONNX Parser - Slice Stack Buffer Overflow PoC
PoC artifacts for the huntr report on staticSliceImporter: stack-buffer-overflow via unchecked axes value in the INT32-weight fast path (importerUtils.cpp:1137).
Affected: TensorRT 10.16.1 - parsers/onnx submodule pointing to onnx/onnx-tensorrt @ 6bde659 (tag release/10.16-GA).
Files
repro_slice_oob.onnx - minimal malicious model (271 bytes). Single Slice node with data shape [4,4] FLOAT, starts=[0], ends=[4], axes=[8], steps=[1]. All slice inputs are INT32 constant tensors, satisfying the fast-path gate. axes=8 indexes past the 8-element int64_t d[8] stack array.
harness_l7.cpp - C++ harness that invokes the ONNX parser on the malicious model.
Usage
Build libnvonnxparser.so from TensorRT 10.16.1 with ASan:
cd tensorrt/parsers/onnx && mkdir build_asan && cd build_asan
cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g -O1 -fno-omit-frame-pointer"
make -j$(nproc) nvonnxparser
Compile harness:
g++ -fsanitize=address -g -O0 -std=c++17 \
-I<trt_include> -I<cuda_stub_include> \
harness_l7.cpp -o harness_l7 \
-L<build_asan_dir> -lnvonnxparser -Wl,-rpath,<build_asan_dir>
Run:
./harness_l7 repro_slice_oob.onnx
Expected: ASan stack-buffer-overflow at importerUtils.cpp:1137 - READ of size 8 past inputDims [416,488), with adjacent starts/sizes/steps arrays as overwrite targets.
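For patch review, the missing check comes down to validating every axes entry against the tensor rank before it indexes a fixed-size array. The sketch below is an added example, not code from this PoC or from onnx-tensorrt: Dims64, SliceParams, normalizeAxis and buildStaticSlice are hypothetical names, and rejecting repeated axes is a choice made here (ONNX leaves that case undefined).

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <vector>

constexpr int32_t kMaxDims = 8;  // size of the d[8] array described above
struct Dims64 { int32_t nbDims = 0; int64_t d[kMaxDims] = {}; };  // hypothetical stand-in type
struct SliceParams { Dims64 starts, sizes, steps; };

// ONNX Slice accepts axes in [-rank, rank-1]; reject anything else before it is used as an index.
std::optional<int32_t> normalizeAxis(int64_t axis, int32_t rank) {
    if (rank < 0 || rank > kMaxDims) return std::nullopt;
    if (axis < -rank || axis >= rank) return std::nullopt;
    return static_cast<int32_t>(axis < 0 ? axis + rank : axis);
}

// Static slice over INT32 constant inputs; nullopt means "reject the model".
std::optional<SliceParams> buildStaticSlice(const Dims64& in,
    const std::vector<int32_t>& starts, const std::vector<int32_t>& ends,
    const std::vector<int32_t>& axes, const std::vector<int32_t>& steps) {
    const size_t n = axes.size();
    if (in.nbDims < 0 || in.nbDims > kMaxDims) return std::nullopt;
    if (starts.size() != n || ends.size() != n || steps.size() != n) return std::nullopt;
    SliceParams p;
    p.starts.nbDims = p.sizes.nbDims = p.steps.nbDims = in.nbDims;
    for (int32_t i = 0; i < in.nbDims; ++i) { p.sizes.d[i] = in.d[i]; p.steps.d[i] = 1; }
    bool seen[kMaxDims] = {};
    for (size_t i = 0; i < n; ++i) {
        const auto ax = normalizeAxis(axes[i], in.nbDims);
        if (!ax || seen[*ax] || steps[i] == 0) return std::nullopt;  // OOB axis, repeat, zero step
        seen[*ax] = true;
        const int64_t dim = in.d[*ax], st = steps[i];
        int64_t s = starts[i], e = ends[i];
        if (s < 0) s += dim;  // negative indices count from the end
        if (e < 0) e += dim;
        // Clamp as ONNX specifies for positive and negative steps.
        s = std::min(std::max<int64_t>(s, 0), st > 0 ? dim : dim - 1);
        e = std::min(std::max<int64_t>(e, st > 0 ? 0 : -1), st > 0 ? dim : dim - 1);
        const int64_t count = (e - s + st + (st > 0 ? -1 : 1)) / st;  // ceil((e - s) / st)
        p.starts.d[*ax] = s; p.steps.d[*ax] = st;
        p.sizes.d[*ax] = std::max<int64_t>(count, 0);
    }
    return p;
}

int main() {  // constructed input mirroring the model above: [4,4] data, axes=[8]
    Dims64 in; in.nbDims = 2; in.d[0] = in.d[1] = 4;
    return buildStaticSlice(in, {0}, {4}, {8}, {1}) ? 1 : 0;  // exit 0: rejected
}
```

A regression test for a fix can assert the same outcome at the parser level: the model is refused with a parse error and ASan stays silent.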