ONNX check_model Consistency Gaps (Validation Hardening Report)

Summary

In ONNX 1.21.0, onnx.checker.check_model() accepts multiple malformed tensor encodings that are internally inconsistent:

  1. raw_data byte length does not match product(dims) * sizeof(dtype).
  2. External tensor data (data_location=EXTERNAL) can load bytes shorter than declared tensor size.
  3. Tensor element-count multiplication can overflow signed int64_t in checker logic.

These are validator consistency gaps: malformed models pass official checker validation and are rejected, or fail, only later in downstream processing.


Tested Context

  • Package: onnx==1.21.0
  • Python: 3.10
  • Date: 2026-05-08
  • PoC: C:\Users\yibai7\audit\submissions\onnx\poc_onnx_bypass.py

Confirmed Finding 1: raw_data Size Mismatch Passes Checker

Evidence

check_tensor computes nelem and enforces field presence, but does not compare tensor.raw_data().size() against expected byte size:

  • D:\python3\Lib\site-packages\onnx\checker.cc:129-132
  • D:\python3\Lib\site-packages\onnx\checker.cc:139-143

By contrast, the helper API does enforce length:

  • D:\python3\Lib\site-packages\onnx\helper.py:453-456

Reproduced Behavior

  • Declared tensor: FLOAT[1000000] (expected 4,000,000 bytes)
  • Actual raw_data: 4 bytes
  • onnx.checker.check_model(...): passes

Confirmed Finding 2: External Data Length Mismatch Passes Checker + Loads

Evidence

For external tensors, the checker validates that location is present and then returns, without a size-consistency check against the tensor dimensions:

  • D:\python3\Lib\site-packages\onnx\checker.cc:107-127

The external loader validates file bounds (offset/length <= file size) but not the tensor's semantic size:

  • D:\python3\Lib\site-packages\onnx\external_data_helper.py:102-134
  • D:\python3\Lib\site-packages\onnx\external_data_helper.py:184-206

Reproduced Behavior

  • Declared tensor: FLOAT[1000000]
  • External file content: 4 bytes
  • onnx.checker.check_model(model_path): passes
  • onnx.load_model(..., load_external_data=True): loads with len(raw_data) == 4

Confirmed Finding 3: nelem Overflow Not Checked in Checker

Evidence

nelem multiplication has no overflow guard:

  • D:\python3\Lib\site-packages\onnx\checker.cc:129-132

Reproduced Behavior

  • Dims: [2**32, 2**31] (product exceeds INT64_MAX)
  • onnx.checker.check_model(...): passes

Security Impact (Conservative)

This report demonstrates a validation integrity gap, not a direct memory corruption exploit in ONNX itself:

  • Malformed models can pass the official checker.
  • Failure is deferred to later consumers (e.g., runtime loading / reshape paths), increasing operational risk and placing unwarranted trust in invalid artifacts.

Recommended severity: Medium (hardening / integrity of validation pipeline).


Reproduction Command

python C:\Users\yibai7\audit\submissions\onnx\poc_onnx_bypass.py

Observed: Confirmed: 3/3.


Recommended Fixes

  1. In check_tensor, when raw_data is present, enforce:
    • expected bytes from (dims, dtype) must equal raw_data.size().
  2. For external data tensors, enforce semantic size consistency after loading metadata.
  3. Add overflow checks when computing nelem (safe multiply with bounds).
  4. Add regression tests for:
    • undersized raw_data
    • undersized external_data
    • overflowed dims product
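
A caller-side pre-check corresponding to recommended fixes 1 to 3, as an added example (not code from ONNX or from the PoC). The function name tensor_size_problem and the ELEM_SIZE table are assumptions of this example; the table covers only fixed-width types, and the sample inputs are constructed from the reproduced cases above.

```python
import math

INT64_MAX = 2**63 - 1  # largest value an int64_t element count can hold

# Bytes per element, keyed by TensorProto.DataType enum value.
# Fixed-width subset only: FLOAT, UINT8, INT8, UINT16, INT16, INT32, INT64,
# BOOL, FLOAT16, DOUBLE, UINT32, UINT64.
ELEM_SIZE = {1: 4, 2: 1, 3: 1, 4: 2, 5: 2, 6: 4, 7: 8,
             9: 1, 10: 2, 11: 8, 12: 4, 13: 8}


def tensor_size_problem(dims, data_type, payload_len):
    """Return a description of the inconsistency, or None if the payload fits.

    dims        -- tensor.dims
    data_type   -- tensor.data_type
    payload_len -- len(tensor.raw_data), or the byte count read from the
                   external file for data_location=EXTERNAL tensors
    """
    if data_type not in ELEM_SIZE:
        return f"data_type {data_type} has no fixed element size in this table"
    if any(d < 0 for d in dims):
        return f"negative dimension in {list(dims)}"
    # Python ints are arbitrary precision, so the product is exact; the bound
    # check stands in for the safe multiply a C++ checker would need.
    nelem = math.prod(dims)  # empty dims -> 1 (scalar)
    if nelem > INT64_MAX:
        return f"element count {nelem} exceeds INT64_MAX"
    expected = nelem * ELEM_SIZE[data_type]
    if payload_len != expected:
        return f"payload is {payload_len} bytes, dims and dtype require {expected}"
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the reproduced cases in this report.
    cases = [
        ("undersized payload", [1000000], 1, 4),
        ("overflowed dims product", [2**32, 2**31], 1, 4),
        ("consistent tensor", [1000000], 1, 4_000_000),
    ]
    for name, dims, dtype, n in cases:
        print(f"{name}: {tensor_size_problem(dims, dtype, n) or 'ok'}")
```

Run it over every initializer before relying on check_model's result; any non-None return marks a model that should be rejected at ingestion rather than at runtime.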

Scope Note

No claim is made here for direct RCE from ONNX checker.
The validated issue is that malformed models can pass official structural validation and fail later.
