EUVD-2023-59648

Malicious code in bioql PyPI...

CVE-2023-52921

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpucspass1 Since the gangsize check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang @VAR10CK of Baidu Security...

CVE-2023-52921 drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpucspass1 Since the gangsize check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang @VAR10CK of Baidu Security...

CVE-2023-52921 drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpucspass1 Since the gangsize check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang @VAR10CK of Baidu Security...

CVE-2023-52921 drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpucspass1 Since the gangsize check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang @VAR10CK of Baidu Security...

CVE-2023-52921

The CVE-2023-52921 entry affects the Linux kernel’s DRM/amdgpu path, where a use-after-free (UAF) can occur in amdgpu_cs_pass1. The root cause is that the gang_size check is outside the chunk parsing loop, so i must be reset before freeing the chunk data. This vulnerability has been addressed by ...

CVE-2023-52921

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpucspass1 Since the gangsize check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang @VAR10CK of Baidu Security...

TensorFlow vulnerable to OOB write in `scatter_nd` in TF Lite

Impact The ScatterNd function takes an input argument that determines the indices of of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash. Patches We have patched the issue in GitHub commit...

TensorFlow vulnerable to OOB read in `Gather_nd` in TF Lite

Impact The GatherNd function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered. Patches We have patched the issue in GitHub commit...

A use of uninitialized value vulnerability in Tensorflow

Impact TensorFlow's Grappler optimizer has a use of unitialized variable: cc const NodeDef dequeuenode; for const auto& trainnode : trainnodes if IsDequeueOptrainnode dequeuenode = trainnode; break; if dequeuenode ... If the trainnodes vector obtained from the saved model that gets optimized does...

Incomplete validation in `MaxPoolGrad`

Impact An attacker can trigger a denial of service via a segmentation fault in tf.rawops.MaxPoolGrad caused by missing validation: python import tensorflow as tf tf.rawops.MaxPoolGrad originput = tf.constant, shape=3, 0, 0, 2, dtype=tf.float32, origoutput = tf.constant, shape=3, 0, 0, 2,...

Division by 0 in most convolution operators

Impact Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: python import tensorflow as tf tf.compat.v1.disablev2behavior tf.rawops.Conv2D input = tf.constant, shape=0, 0, 0, 0,...

Reference binding to nullptr in shape inference

Impact An attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.SparseFillEmptyRows: python import tensorflow as tf tf.compat.v1.disablev2behavior tf.rawops.SparseFillEmptyRows indices = tf.constant, shape=0, 0, dtype=tf.int64, values = tf.constant, shape=0,...

Missing validation in shape inference for `Dequantize`

Impact The shape inference code for tf.rawops.Dequantize has a vulnerability that could trigger a denial of service via a segfault if an attacker provides invalid arguments: python import tensorflow as tf tf.compat.v1.disablev2behavior tf.rawops.Dequantize inputtensor = tf.constant-10.0,...

Division by zero in TFLite

Impact The implementation of fully connected layers in TFLite is vulnerable to a division by zero error: cc const int batchsize = inputsize / filter-dims-data1; An attacker can craft a model such that filter-dims-data1 is 0. Patches We have patched the issue in GitHub commit...

Heap OOB in TFLite

Impact TFLite's expanddims.cc contains a vulnerability which allows reading one element outside of bounds of heap allocated data: cc if axis size; ++i if i datai = inputdims.datai; else if i == axis outputdims-datai = 1; else outputdims-datai = inputdims.datai - 1; If axis is a large negative val...

Heap OOB in TFLite's `Gather*` implementations

Impact TFLite's GatherNd implementation does not support negative indices but there are no checks for this situation. Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in indices. Similar issue exists in Gather implementation. python impor...

Null pointer dereference in TFLite

Impact An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service: python import tensorflow as tf model = tf.keras.models.Sequential model.addtf.keras.Inputshape=1, 2, 3 model.addtf.keras.layers.Dense0, activation='relu'...

Null pointer dereference in TFLite MLIR optimizations

Impact An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service: This is caused by the MLIR optimization of L2NormalizeReduceAxis operator. The implementation unconditionally dereferences a pointer to an iterator to a...

FPE in LSH in TFLite

Impact An attacker can craft a TFLite model that would trigger a division by zero error in LSH implementation. cc int RunningSignBitconst TfLiteTensor input, const TfLiteTensor weight, float seed int inputitembytes = input-bytes / SizeOfDimensioninput, 0; // ... There is no check that the first...