---
license: mit
tags:
- tensorrt
- security-research
- vulnerability-poc
---

# VULN-010: Uncontrolled Recursion in TensorRT ONNX Parser via Recursive FunctionProto

## Summary

A 110-byte ONNX model with a self-referencing FunctionProto definition crashes the TensorRT ONNX parser (nvonnxparser) with a stack overflow (STATUS_STACK_OVERFLOW / 0xC00000FD) during parse(). The parser recurses without bound when expanding the function body, which references itself, and exhausts the call stack.

- CWE: CWE-674 (Uncontrolled Recursion)
- Severity: High (CVSS 7.5)
- Affected: TensorRT 10.15.1.29 (and likely all TRT 10.x with ONNX parser)
- Reproducibility: 100% (10/10)

## Vulnerability Details

ONNX IR v8+ supports FunctionProto entries, which are inline function definitions within a model. The TensorRT ONNX parser processes these via the LocalFunctionImporter in onnxOpCheckers.cpp. During the static checking phase (parseNodeStaticCheck), when the parser encounters a node that references a local function, it recursively processes that function's body nodes.

The model import path (ModelImporter.cpp) has a recursion depth limit (kMAX_NESTED_SUBGRAPHS = 24), but the static checking phase runs first and has no recursion depth limit. A self-referencing FunctionProto therefore causes infinite recursion in the static check path, exhausting the call stack before the depth-limited import phase is reached.

The model passes onnx.checker.check_model() and is structurally valid ONNX.

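
Because the model passes onnx.checker.check_model(), a caller that wants to reject such inputs before handing them to the parser needs its own check. The following is a minimal sketch of one, not part of the PoC or of TensorRT: it builds a call graph of the model's local functions and looks for a cycle with an iterative depth-first search, so the check itself cannot overflow the stack. The names `call_graph_from_model` and `find_function_cycle` are hypothetical. The sketch assumes the model object exposes `functions`, and each function exposes `domain`, `name`, and `node`, as onnx.ModelProto and FunctionProto do. It ignores nodes nested inside subgraph attributes and the `overload` field.

```python
from typing import Dict, Iterable, List, Optional, Tuple

FuncKey = Tuple[str, str]  # (domain, name) of a function or operator


def call_graph_from_model(model) -> Dict[FuncKey, List[FuncKey]]:
    """Map each local function to the (domain, op_type) of its body nodes.

    `model` is expected to look like an onnx.ModelProto. Simplification:
    nodes nested in subgraph attributes and `overload` are ignored.
    """
    return {
        (f.domain, f.name): [(n.domain, n.op_type) for n in f.node]
        for f in model.functions
    }


def find_function_cycle(
    calls: Dict[FuncKey, Iterable[FuncKey]]
) -> Optional[List[FuncKey]]:
    """Return one call cycle among local functions, or None if there is none."""
    WHITE, GRAY, BLACK = 0, 1, 2  # unvisited, on current path, finished
    color = {key: WHITE for key in calls}
    for root in calls:
        if color[root] != WHITE:
            continue
        color[root] = GRAY
        path = [root]                        # functions on the current path
        stack = [(root, iter(calls[root]))]  # explicit stack, no recursion
        while stack:
            node, callees = stack[-1]
            for callee in callees:
                if callee not in calls:
                    continue  # ordinary operator, not a local function
                if color[callee] == GRAY:
                    # Back edge: callee is already on the current path.
                    return path[path.index(callee):] + [callee]
                if color[callee] == WHITE:
                    color[callee] = GRAY
                    path.append(callee)
                    stack.append((callee, iter(calls[callee])))
                    break
            else:
                # All callees of `node` explored without finding a cycle.
                color[node] = BLACK
                stack.pop()
                path.pop()
    return None
```

With the onnx package installed, `find_function_cycle(call_graph_from_model(onnx.load(path)))` would be expected to return a non-empty cycle for both the self-recursive (R calls R) and mutually recursive (A calls B, B calls A) variants, and `None` for a model whose local functions only call regular operators or each other acyclically.
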
## Files

- vuln010_self_recursive.onnx (110 bytes) - Self-recursive function (R calls R)
- vuln010_mutual_recursive.onnx (152 bytes) - Mutually recursive (A calls B, B calls A)
- vuln010_standalone_poc.py - Build/crash/verify script

## Reproduction

    python vuln010_standalone_poc.py build   # Build PoC models
    python vuln010_standalone_poc.py verify  # Runs 5 trials per variant
    python vuln010_standalone_poc.py crash   # Triggers crash (terminates process)

## Impact

- Denial of Service: Any application using the TensorRT ONNX parser can be crashed
- No recovery: Stack overflow is not catchable, process terminates unconditionally
- Tiny payload: 110 bytes
- Bypasses validation: Passes onnx.checker.check_model()
- Supply chain risk: A malicious model on HuggingFace or a model zoo crashes any TRT pipeline that parses it

## Tested On

- TensorRT 10.15.1.29
- Windows 11, RTX 4080 Super, CUDA 12.x
- Python 3.12
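
As the Impact section notes, the stack overflow takes down the whole process. One way to observe or contain the crash without losing the calling process is to run the parse step in a child process and inspect its exit code. The sketch below is an illustration under assumptions, not the logic of vuln010_standalone_poc.py: `run_isolated` is a hypothetical helper, and the claim that the child's exit code equals 0xC00000FD on Windows follows from the status code reported in the Summary rather than from anything verified here.

```python
import subprocess
import sys
from typing import Optional, Sequence

# Exit status reported in the Summary for the crash on Windows.
STATUS_STACK_OVERFLOW = 0xC00000FD


def run_isolated(cmd: Sequence[str], timeout_s: float = 60.0) -> Optional[int]:
    """Run `cmd` in a child process and return its exit code.

    Returns None if the child exceeded `timeout_s` (subprocess.run kills it).
    A crash in the child is reported through the exit code and does not
    propagate to the calling process.
    """
    try:
        done = subprocess.run(list(cmd), timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        return None
    return done.returncode


def looks_like_stack_overflow(code: Optional[int]) -> bool:
    """Assumption: on Windows the crash surfaces as STATUS_STACK_OVERFLOW."""
    return code == STATUS_STACK_OVERFLOW
```

For example, `run_isolated([sys.executable, "vuln010_standalone_poc.py", "crash"])` would run the crash variant in a child process. A caller could treat any nonzero or `None` result as a failed parse and reject the model.
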