Hugging Face's logo

treforbenbow
/
tensorrt-onnx-recursive-function-crash

TensorRT
ONNX
security-research
vulnerability-poc
Model card Files
xet
 Community

VULN-010: Uncontrolled Recursion in TensorRT ONNX Parser via Recursive FunctionProto

Summary

A 110-byte ONNX model with a self-referencing FunctionProto definition crashes TensorRT ONNX parser (nvonnxparser) with stack overflow (STATUS_STACK_OVERFLOW / 0xC00000FD) during parse(). The parser performs unbounded recursion when expanding the function body, which references itself, exhausting the call stack.

  • CWE: CWE-674 (Uncontrolled Recursion)
  • Severity: High (CVSS 7.5)
  • Affected: TensorRT 10.15.1.29 (and likely all TRT 10.x with ONNX parser)
  • Reproducibility: 100% (10/10)

Vulnerability Details

ONNX IR v8+ supports FunctionProto, which are inline function definitions within a model. TensorRT ONNX parser processes these via the LocalFunctionImporter in onnxOpCheckers.cpp. During the static checking phase (parseNodeStaticCheck), when the parser encounters a node that references a local function, it recursively processes that function body nodes.

The model import path (ModelImporter.cpp) has a recursion depth limit (kMAX_NESTED_SUBGRAPHS = 24), but the static checking phase runs first and has no recursion depth limit. A self-referencing FunctionProto causes infinite recursion in the static check path, exhausting the call stack before the depth-limited import phase is reached.

The model passes onnx.checker.check_model() and is structurally valid ONNX.

Files

  • vuln010_self_recursive.onnx (110 bytes) - Self-recursive function (R calls R)
  • vuln010_mutual_recursive.onnx (152 bytes) - Mutually recursive (A calls B, B calls A)
  • vuln010_standalone_poc.py - Build/crash/verify script

Reproduction

python vuln010_standalone_poc.py build # Build PoC models python vuln010_standalone_poc.py verify # Runs 5 trials per variant python vuln010_standalone_poc.py crash # Triggers crash (terminates process)

Impact

  • Denial of Service: Any application using TensorRT ONNX parser can be crashed
  • No recovery: Stack overflow is not catchable, process terminates unconditionally
  • Tiny payload: 110 bytes
  • Bypasses validation: Passes onnx.checker.check_model()
  • Supply chain risk: Malicious model on HuggingFace/model zoo crashes any TRT pipeline

Tested On

  • TensorRT 10.15.1.29
  • Windows 11, RTX 4080 Super, CUDA 12.x
  • Python 3.12
Downloads last month
26
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support