Hugging Face's logo

treforbenbow
/
tensorrt-onnx-recursive-function-crash

TensorRT
ONNX
security-research
vulnerability-poc
Model card Files
xet
 Community
tensorrt-onnx-recursive-function-crash
File size: 2,417 Bytes
9a68aa9
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
---

license: mit
tags:
- tensorrt
- security-research
- vulnerability-poc
---


# VULN-010: Uncontrolled Recursion in TensorRT ONNX Parser via Recursive FunctionProto

## Summary

A 110-byte ONNX model with a self-referencing FunctionProto definition crashes TensorRT ONNX parser (nvonnxparser) with stack overflow (STATUS_STACK_OVERFLOW / 0xC00000FD) during parse(). The parser performs unbounded recursion when expanding the function body, which references itself, exhausting the call stack.

- CWE: CWE-674 (Uncontrolled Recursion)
- Severity: High (CVSS 7.5)
- Affected: TensorRT 10.15.1.29 (and likely all TRT 10.x with ONNX parser)
- Reproducibility: 100% (10/10)

## Vulnerability Details

ONNX IR v8+ supports FunctionProto, which are inline function definitions within a model. TensorRT ONNX parser processes these via the LocalFunctionImporter in onnxOpCheckers.cpp. During the static checking phase (parseNodeStaticCheck), when the parser encounters a node that references a local function, it recursively processes that function body nodes.

The model import path (ModelImporter.cpp) has a recursion depth limit (kMAX_NESTED_SUBGRAPHS = 24), but the static checking phase runs first and has no recursion depth limit. A self-referencing FunctionProto causes infinite recursion in the static check path, exhausting the call stack before the depth-limited import phase is reached.

The model passes onnx.checker.check_model() and is structurally valid ONNX.



## Files



- vuln010_self_recursive.onnx (110 bytes) - Self-recursive function (R calls R)

- vuln010_mutual_recursive.onnx (152 bytes) - Mutually recursive (A calls B, B calls A)

- vuln010_standalone_poc.py - Build/crash/verify script



## Reproduction



python vuln010_standalone_poc.py build    # Build PoC models

python vuln010_standalone_poc.py verify   # Runs 5 trials per variant

python vuln010_standalone_poc.py crash    # Triggers crash (terminates process)



## Impact



- Denial of Service: Any application using TensorRT ONNX parser can be crashed

- No recovery: Stack overflow is not catchable, process terminates unconditionally

- Tiny payload: 110 bytes

- Bypasses validation: Passes onnx.checker.check_model()
- Supply chain risk: Malicious model on HuggingFace/model zoo crashes any TRT pipeline

## Tested On

- TensorRT 10.15.1.29
- Windows 11, RTX 4080 Super, CUDA 12.x
- Python 3.12