| # OpenCV ONNX importer out-of-bounds read in getMatFromTensor |
|
|
| This repository contains a proof-of-concept malicious ONNX model that crashes OpenCV's |
| `cv2.dnn.readNetFromONNX` with an out-of-bounds read at model-load time (SIGSEGV). |
|
|
| It is a security PoC for a huntr Model File Format report. The model is intentionally malformed |
| and the repo is gated. |
|
|
| ## Affected |
|
|
| - `opencv-python` / OpenCV `cv2.dnn`, confirmed on **4.13.0** (latest at time of writing), on Linux. |
| - The vulnerable code is unchanged on `master`. |
| - Entry point: `cv2.dnn.readNetFromONNX(path)` (also reachable via `readNetFromONNX` from a buffer). |
|
|
| ## Root cause |
|
|
| `modules/dnn/src/onnx/onnx_graph_simplifier.cpp`, function `getMatFromTensor`. It reads a tensor's |
| dims into a `sizes` vector and copies the tensor bytes into a `cv::Mat` without validating that |
| `raw_data` actually holds that many elements: |
|
|
| ```cpp |
| std::vector<int> sizes; // = tensor dims, attacker controlled |
| for (int i = 0; i < tensor_proto.dims_size(); i++) |
| sizes.push_back(tensor_proto.dims(i)); |
| ... |
| // FLOAT path |
| Mat(sizes, CV_32FC1, (void*)tensor_proto.raw_data().c_str()).copyTo(blob); |
| ``` |
|
|
| The source `Mat` is a header over the (tiny) `raw_data` buffer but carries the declared element |
| count. `copyTo` allocates the destination for the declared count and `memcpy`s that many bytes from |
| the source, reading far past the end of `raw_data`. There is no size check, and no |
| `CV_Assert(blob.isContinuous())` guard (the TensorFlow and Darknet importers have such guards; this |
| ONNX path does not, and it has no length assertion at all). |
|
|
| ## Proof of concept |
|
|
| `poc.onnx` is an 80-byte model whose single FLOAT initializer declares `dims = [10000000]` but |
| carries only 16 bytes of `raw_data`. Loading it makes `getMatFromTensor` allocate a 40 MB |
| destination and copy ~40 MB from the 16-byte source, reading off the end of the heap buffer. |
|
|
| ``` |
| pip install opencv-python onnx numpy |
| python make_poc.py # writes poc.onnx |
| python verify.py # loads poc.onnx in a child process; reports the crash |
| ``` |
|
|
| Observed on opencv-python 4.13.0 (Linux): the child process terminates with SIGSEGV (exit -11) |
| inside `readNetFromONNX`, before any inference. On Windows it terminates with an access violation |
| (`0xC0000005`). A non-vulnerable build would load the model or raise an ordinary exception. |
|
|
| ## Impact |
|
|
| Any application that loads an untrusted or attacker-supplied `.onnx` through OpenCV is exposed. |
| Loading third-party ONNX models is a normal, documented use of this API. An 80-byte file reliably |
| crashes the process via an out-of-bounds read in native code (a denial of service), and because the |
| over-read bytes are copied into the model's weight blob, the read can also disclose adjacent process |
| heap memory (information leak). |
|
|
| ## Fix |
|
|
| In `getMatFromTensor`, validate the tensor's declared element count against the actual size of the |
| data source before constructing the source `Mat` / calling `copyTo`, for every dtype path (FLOAT, |
| DOUBLE, FP16, INT32, INT64, raw_data). For example require |
| `raw_data.size() == elementCount * elemSize` (and the analogous check for the typed `*_data` |
| fields), and reject the model otherwise. |
| |
| ## Relation to the Caffe importer issue |
| |
| This is a distinct vulnerability from the OpenCV Caffe importer out-of-bounds issue in |
| `caffe_importer.cpp` `blobFromProto`: a different importer, a different function |
| (`getMatFromTensor` in `onnx_graph_simplifier.cpp`), and a different model format (ONNX). It also |
| manifests differently, faulting on Linux via the source over-read rather than only on Windows. |
| |
