YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
PoC: CNTK ONNX Import Integer Overflow β Heap Buffer Overflow (CWE-190)
Vulnerability
CNTK's ONNX model import code in ONNXToCNTK.cpp casts tensor dimensions from size_t to int when computing weight allocation sizes for LSTM and GRU layers. The truncation causes undersized heap allocations followed by out-of-bounds writes.
// ONNXToCNTK.cpp:916 β size_t Γ size_t cast to int
size_t rows = valueProto.dims(1); // from ONNX protobuf
size_t cols = valueProto.dims(2); // from ONNX protobuf
int totalSizePerDirection = rows * cols; // OVERFLOW: size_tβint truncation
DType *data = new DType[totalSizePerDirection]; // undersized allocation
7+ instances of this pattern at lines: 916, 964, 1088, 1125, 1169, 1240, 1273.
- CWE-190: Integer Overflow or Wraparound
- CWE-122: Heap-based Buffer Overflow
- CVSS: 8.8 (High)
- Repository: https://github.com/microsoft/CNTK (archived)
Files
| File | Description |
|---|---|
poc_cntk_onnx_overflow.py |
Creates a malicious ONNX model with LSTM weight dims that overflow int32 |
Reproduction
pip install onnx numpy
python poc_cntk_onnx_overflow.py
# β Creates poc_cntk_lstm_overflow.onnx
# Load in CNTK (requires CNTK installation):
python -c "import cntk; cntk.Function.load('poc_cntk_lstm_overflow.onnx', format=cntk.ModelFormat.ONNX)"
Attack Scenario
- Attacker creates a malicious
.onnxmodel with LSTM node having crafted weight dimensions dims[1] * dims[2]overflows when cast tointat line 916new DType[overflowed_small_value]allocates a tiny buffer- Data copy loop writes beyond the buffer β heap buffer overflow
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support