You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

TensorRT PillarScatterPlugin Serialized-Data Boundary PoC

This repository supports a private Huntr report for the TensorRT model-format target.

Summary

TensorRT's PillarScatterPluginCreator::deserializePlugin(...) passes serialData and serialLength into PillarScatterPlugin(void const* data, size_t length), but the constructor ignores length and reads two size_t values through plugin/common/templates.h::readFromBuffer<T>().

readFromBuffer<T>() advances a raw pointer and dereferences sizeof(T) bytes without receiving or checking remaining length. A truncated serialized plugin payload can therefore trigger an out-of-bounds read in the plugin deserializer.

Source Anchors

  • plugin/common/templates.h:41-48
  • plugin/pillarScatterPlugin/pillarScatter.cpp:35-40
  • plugin/pillarScatterPlugin/pillarScatter.cpp:266-273

Tested source commit:

82d1dca801c8318a5605399d5240780d0679e4e1

Included Files

Model / Engine Artifacts

  • models/pillar_scatter_plugin_engine.plan
    • Baseline TensorRT plan containing a PillarScatterPlugin layer.
  • models/pillar_scatter_plugin_engine_mut_size_t_0.plan
    • Same-length mutation of embedded plugin-state bytes. Reloads successfully and changes the loaded plugin output shape from (1, 4, 17, 29) to (1, 4, 1, 1048576).
  • models/pillar_scatter_plugin_engine_decl_len_8_second_huge.plan
    • Declared-length mutation candidate. TensorRT archive/typehash validation rejects it before plugin deserialization.

Payload / PoC

  • payloads/pillar_scatter_truncated_one_field_payload.bin
    • 8-byte payload containing one size_t field. The first size_t read fits; the second size_t read crosses the allocation.
  • poc/pillar_scatter_creator_file_payload_oob_harness.cpp
    • Source-backed harness that feeds the 8-byte payload to the real PillarScatterPluginCreator::deserializePlugin(...) path.
  • poc/pc_pillar_scatter_engine_mutation_probe.py
    • TensorRT Python probe used on Windows/RTX PC to build/load the plan and verify same-length mutation reachability.

Receipts

  • receipts/file_payload_creator_deserialize_receipt.md
  • receipts/pc_pillar_scatter_file_payload_deserialize_clang64_asan_receipt.txt
  • receipts/engine_mutation_load_receipt.md

Reproduction

Build and run the creator/file-payload proof with AddressSanitizer from a TensorRT checkout at the tested commit:

clang++ -std=c++17 -fsanitize=address -g -O0 -iquote . \
  poc_plugin_deserialize_length_boundary/pillar_scatter_creator_file_payload_oob_harness.cpp \
  poc_plugin_deserialize_length_boundary/pillar_scatter_deserialize_link_stubs.cpp \
  plugin/pillarScatterPlugin/pillarScatter.cpp \
  -o /tmp/pillar_scatter_creator_file_payload_oob_harness \
  && /tmp/pillar_scatter_creator_file_payload_oob_harness \
      payloads/pillar_scatter_truncated_one_field_payload.bin

Observed result:

  • AddressSanitizer reports heap-buffer-overflow.
  • Failing access: READ of size 8.
  • Stack path reaches:
    • plugin/common/templates.h:45:16
    • PillarScatterPlugin::PillarScatterPlugin(void const*, unsigned long long)
    • PillarScatterPluginCreator::deserializePlugin(...)

Engine Reachability Boundary

The included .plan artifacts show real TensorRT engine reachability:

  • trt.get_plugin_registry() contains PillarScatterPlugin version 1.
  • A real .plan containing the plugin loads through Runtime.deserialize_cuda_engine(...).
  • Same-length mutation of embedded plugin-state bytes reloads successfully and changes loaded output tensor shape.

The current evidence does not claim an AddressSanitizer crash directly through Runtime.deserialize_cuda_engine(...). Attempts to shorten the apparent plugin payload length inside the plan were blocked by TensorRT archive/typehash validation before the vulnerable plugin constructor was reached.

If Huntr/NVIDIA wants a deeper continuation, the next route is an ASan-instrumented plugin/runtime loader path or typehash-consistent TensorRT plan archive construction. The source-backed creator/file-payload proof already demonstrates the unsafe deserialization primitive and the engine artifacts demonstrate that the affected plugin state is present in real plan files.

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support