Describe the issue
ORT uses special markers on TensorProtos to indicate that an existing memory buffer contains the TensorProto external data:
onnxruntime/onnxruntime/core/framework/tensorprotoutils.h, lines 225 to 241 in 158bdef:

```cpp
/**
Special marker used to indicate an existing memory buffer contains the TensorProto external data.
If the 'location' field of the external data info is set to this marker, the 'offset' field should contain the
address of the memory containing the data.

This marker is used when data is always in little endian format.
*/
constexpr const ORTCHAR_T* kTensorProtoLittleEndianMemoryAddressTag = ORT_TSTR("*/_ORT_MEM_ADDR_/*");

/**
Special marker used to indicate an existing memory buffer contains the TensorProto external data.
If the 'location' field of the external data info is set to this marker, the 'offset' field should contain the
address of the memory containing the data.

This marker is used when data is in native endian format, i.e. big endian on big endian systems.
*/
constexpr const ORTCHAR_T* kTensorProtoNativeEndianMemoryAddressTag = ORT_TSTR("*/_ORT_NATIVE_ENDIAN_MEM_ADDR_/*");
```
For dense TensorProtos, ORT currently correctly validates that such "in-memory" references point to valid memory.
However, for sparse tensors, ORT is missing this validation, which could trigger an invalid memory read. Specifically, SparseTensorProtoToDenseTensorProto passes these tensors to UnpackInitializerData, which dereferences the supplied "in-memory" references without checks.
Note: this issue was discussed in a separate PR: #28408 (comment)
To reproduce
Create a model with sparse tensors that use an arbitrary memory address. Here's an example model that was added in a PR that added validation for dense tensors (needs to be adapted for sparse tensors): https://github.com/microsoft/onnxruntime/blob/main/onnxruntime/test/testdata/test_evil_weights.py
Urgency
No response
Platform
Windows
OS Version
Windows 11
ONNX Runtime Installation
Built from Source
ONNX Runtime Version or Commit ID
1.26.0
ONNX Runtime API
Python
Architecture
X64
Execution Provider
Default CPU
Execution Provider Library Version
No response
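A pre-load check for the two markers quoted in this issue, as an added example that is not part of the report and not ORT's own code: it walks a serialized model file and reports any graph-level dense or sparse initializer whose external data `location` is one of the in-memory tags, so a model from an untrusted source can be rejected before it reaches the runtime. The names `scan_model`, `_fields`, `_varint` and `_tensor_hits` are hypothetical, the field numbers are taken from onnx.proto, and tensors in node attributes or subgraphs are assumed to be out of scope.

```python
# Added example (hypothetical helpers; stdlib only; field numbers from onnx.proto).
MARKERS = {b"*/_ORT_MEM_ADDR_/*", b"*/_ORT_NATIVE_ENDIAN_MEM_ADDR_/*"}

def _varint(buf, i):                        # -> (value, next index)
    val = 0
    for shift in range(0, 70, 7):           # a varint is at most 10 bytes
        val |= (buf[i] & 0x7F) << shift
        i += 1
        if buf[i - 1] < 0x80:
            return val, i
    raise ValueError("varint too long")

def _fields(buf):
    """Yield (field number, payload) for each length-delimited field of a message."""
    i = 0
    while i < len(buf):
        key, i = _varint(buf, i)
        wire = key & 7
        if wire == 2:                       # string, bytes or nested message
            n, i = _varint(buf, i)
            if i + n > len(buf):
                raise ValueError("truncated field")
            yield key >> 3, bytes(buf[i:i + n])
            i += n
        elif wire == 0:                     # varint scalar: skip
            _, i = _varint(buf, i)
        elif wire in (1, 5):                # fixed64 / fixed32: skip
            i += 8 if wire == 1 else 4
        else:
            raise ValueError("unsupported wire type")

def _tensor_hits(tensor, where):
    """Check TensorProto.external_data (field 13) for a marker in 'location'."""
    entries = (dict(_fields(e)) for num, e in _fields(tensor) if num == 13)
    return [(where, kv[2].decode()) for kv in entries      # entry: key=1, value=2
            if kv.get(1) == b"location" and kv.get(2) in MARKERS]

def scan_model(model_bytes):
    """Return (path, marker) findings; treat any parse error as a reject."""
    hits = []
    graphs = [g for num, g in _fields(model_bytes) if num == 7]   # ModelProto.graph
    for gnum, item in (f for g in graphs for f in _fields(g)):
        if gnum == 5:                       # GraphProto.initializer
            hits += _tensor_hits(item, "initializer")
        for snum, t in (_fields(item) if gnum == 15 else ()):     # sparse_initializer
            if snum in (1, 2):              # SparseTensorProto: values=1, indices=2
                part = ("values", "indices")[snum - 1]
                hits += _tensor_hits(t, "sparse_initializer." + part)
    return hits
```

Run it on the raw file contents, for example `scan_model(open(path, "rb").read())`, and refuse to load the model when the result is non-empty or the parser raises.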