Verify in-memory references when loading a model #26764
Merged
+103
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
XXX: Problem, ModelEditor can create models with in-memory references, which causes issues when loading such models.
…ith 'import' and 'import from' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
adrianlizarraga
previously approved these changes
Dec 10, 2025
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a critical security fix to prevent arbitrary memory access when loading ONNX models with malicious in-memory external data references. The fix validates that any in-memory references (identified by the special tag */_ORT_MEM_ADDR_/*) point to valid OrtValue objects created through ModelEditor, rather than allowing arbitrary memory addresses to be dereferenced.
Key changes:
- Added validation logic in
Graph::ConvertInitializersIntoOrtValues()to verify in-memory external data references match existing OrtValue initializers - Added validation in
Graph::AddInitializedOrtValue()to ensure data pointer consistency between tensor proto and OrtValue - Created test artifacts to demonstrate the vulnerability and verify the fix
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| onnxruntime/test/testdata/test_evil_weights.py | Python script that generates a malicious ONNX model with arbitrary in-memory external data references for testing the security fix |
| onnxruntime/test/testdata/test_evil_weights.onnx | Binary ONNX model file generated by the Python script containing malicious external data references |
| onnxruntime/test/shared_lib/test_inference.cc | C++ test case that verifies models with malicious external data references fail to load with appropriate error messages |
| onnxruntime/core/graph/graph.cc | Core security fix that validates in-memory references during model loading and prevents arbitrary memory access |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
adrianlizarraga
approved these changes
Dec 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
When loading the model verify that in-memory references point to an existing and valid OrtValue as if created my ModelEditor.
Motivation and Context
This prevents reading from arbitrary memory location when loading the model.