TensorRT RPROI_TRT spatialScale output manipulation proof of concept
This repository contains a bounded research PoC for TensorRT (.engine / .trt / .mytrtfile).
The security question is whether a TensorRT engine file can carry a legacy
RPROI_TRT plugin state with a malicious spatialScale value and still load
and execute normally while changing inference output.
Files
- control-rproi.engine
- rproi-spatialscale-negative.engine
- reproduce.py
What the files demonstrate
Both engines load through:
trt.Runtime(...).deserialize_cuda_engine(...)
engine.create_execution_context()
ctx.execute_async_v3(0)
Both engines use the same minimal network:
scores FLOAT [1,2,2,2]
deltas FLOAT [1,4,2,2]
fmap FLOAT [1,1,2,2]
iinfo FLOAT [1,3,1,1]
RPROI_TRT -> rois FLOAT [1,1,300,4], pfmap FLOAT [1,300,1,7,7]
The control engine uses the normal serialized spatialScale = 1/16.
The malicious engine uses spatialScale = -1.0.
Observed output summary:
control pfmap: sum=147210.0, min=0.0, max=40.0
malicious pfmap: sum=147000.0, min=10.0, max=10.0
The ROI box output is unchanged in the minimal case, but the ROI pooled feature map is silently collapsed to a constant value while TensorRT reports successful inference.
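The comparison described above, as an added verification helper that is not the repository's reproduce.py: it loads each engine, runs one inference, and reports whether the pfmap changed and whether it degenerated into a constant map. It assumes PyTorch is available to supply CUDA buffers and feeds all-ones inputs, which the original script may not do.

```python
"""Added verification helper (not the repository's reproduce.py): run two
TensorRT engines built from the same network and flag a collapsed pfmap."""
from typing import Dict, List, Tuple

def summarize(values: List[float]) -> Dict[str, float]:
    """sum/min/max, the three numbers the README reports per engine."""
    return {"sum": sum(values), "min": min(values), "max": max(values)}

def is_collapsed(values: List[float], tol: float = 1e-6) -> bool:
    """True when every element of the pooled feature map is the same value."""
    return max(values) - min(values) <= tol

def compare_pfmap(control: List[float], suspect: List[float],
                  tol: float = 1e-6) -> Dict[str, bool]:
    """Detection logic: did the suspect output change, and did it collapse
    to a constant while the control engine kept real spatial variation?"""
    if len(control) != len(suspect):
        raise ValueError("engines produced different pfmap sizes")
    changed = any(abs(a - b) > tol for a, b in zip(control, suspect))
    return {"output_changed": changed,
            "suspect_collapsed": is_collapsed(suspect, tol),
            "control_collapsed": is_collapsed(control, tol)}

def run_engine(path: str, stream: int = 0) -> Tuple[bool, Dict[str, List[float]]]:
    """Deserialize one engine and execute it once with all-ones inputs.
    Assumption: torch provides the device buffers; needs a TensorRT/GPU host."""
    import tensorrt as trt
    import torch
    logger = trt.Logger(trt.Logger.WARNING)
    trt.init_libnvinfer_plugins(logger, "")   # RPROI_TRT is a built-in plugin
    with open(path, "rb") as f, trt.Runtime(logger) as runtime:
        engine = runtime.deserialize_cuda_engine(f.read())
    ctx = engine.create_execution_context()
    bufs = {}
    for i in range(engine.num_io_tensors):     # inputs and outputs alike
        name = engine.get_tensor_name(i)
        bufs[name] = torch.ones(tuple(engine.get_tensor_shape(name)),
                                dtype=torch.float32, device="cuda")
        ctx.set_tensor_address(name, bufs[name].data_ptr())
    ok = ctx.execute_async_v3(stream)
    torch.cuda.synchronize()
    return ok, {n: t.flatten().tolist() for n, t in bufs.items()}

if __name__ == "__main__":
    import json, sys
    ok_c, out_c = run_engine(sys.argv[1])   # control-rproi.engine
    ok_s, out_s = run_engine(sys.argv[2])   # rproi-spatialscale-negative.engine
    report = {"both_executed": bool(ok_c and ok_s),
              "control": summarize(out_c["pfmap"]),
              "suspect": summarize(out_s["pfmap"]),
              **compare_pfmap(out_c["pfmap"], out_s["pfmap"])}
    print(json.dumps(report, indent=2))
```

A control engine that is itself collapsed (control_collapsed true) means the inputs, not the plugin state, produced the constant map, so treat that run as inconclusive.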
Verify the public HF artifacts
Run on a machine with TensorRT 11.1.0.106, CUDA, and an NVIDIA GPU:
python3 reproduce.py --gpu 0
Expected result:
- both .engine files load successfully
- both .engine files execute successfully
- cuda_sync_rc is 0 for both files
- output_changed is true
- expected_observed is true
Public scan note
This PoC is centered on trusted TensorRT load/inference behavior, not code execution. It demonstrates deterministic output manipulation embedded in a model file.
After upload, check the public scan API:
https://huggingface.co/api/models/hacnho/tensorrt-rproi-spatialscale-negative-poc/scan
The scanner-relevant signal is that the public malicious engine is expected to show no reported scanner issue.
Safety note
This is a bounded research PoC:
- no code execution claim
- no external callbacks
- only deterministic output manipulation after a trusted TensorRT engine load