Code injection in `saved_model_cli`

Impact TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings python def preprocessinputexprsargstringinputexprsstr: ... for inputraw in filterbool, inputexprsstr.split';': ... inputkey, expr = inputraw.split'=', 1 inputdictinputkey = evalexpr...

Floating point exception in `SparseDenseCwiseDiv`

Impact The implementation of tf.rawops.SparseDenseCwiseDiv is vulnerable to a division by 0 error: python import tensorflow as tf import numpy as np tf.rawops.SparseDenseCwiseDiv spindices=np.array4, spvalues=np.array-400, spshape=np.array647., dense=np.array0 The implementation uses a common cla...

GHSA-HWR7-8GXX-FJ5P Null pointer dereference in `RaggedTensorToTensor`

Impact Sending invalid argument for rowpartitiontypes of tf.rawops.RaggedTensorToTensor API results in a null pointer dereference and undefined behavior: python import tensorflow as tf tf.rawops.RaggedTensorToTensor shape=1, values=10, defaultvalue=21, rowpartitiontensors=tf.constant0,0,0,0,...

Integer division by 0 in sparse reshaping

Impact The implementation of tf.rawops.SparseReshape can be made to trigger an integral division by 0 exception: python import tensorflow as tf tf.rawops.SparseReshape inputindices = np.ones1,3, inputshape = np.array1,1,0, newshape = np.array1,0 The implementation calls the reshaping functor...

Null pointer dereference in `MatrixDiagPartOp`

Impact If a user does not provide a valid padding value to tf.rawops.MatrixDiagPartOp, then the code triggers a null pointer dereference if input is empty or produces invalid behavior, ignoring all values after the first: python import tensorflow as tf tf.rawops.MatrixDiagPartV2...

Integer overflow due to conversion to unsigned

Impact The implementation of tf.rawops.QuantizeAndDequantizeV4Grad is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. python import tensorflow as tf tf.rawops.QuantizeAndDequantizeV4Grad...

Null pointer dereference in `SparseTensorSliceDataset`

Impact When a user does not supply arguments that determine a valid sparse tensor, tf.rawops.SparseTensorSliceDataset implementation can be made to dereference a null pointer: python import tensorflow as tf tf.rawops.SparseTensorSliceDataset indices=,,, values=1,2,3, denseshape=3,3 The...

Null pointer dereference in `UncompressElement`

Impact The code for tf.rawops.UncompressElement can be made to trigger a null pointer dereference: python import tensorflow as tf data = tf.data.Dataset.fromtensors0.0 tf.rawops.UncompressElement compressed=tf.data.experimental.tovariantdata, outputtypes=tf.int64, outputshapes=2 The implementatio...

Division by 0 in `ResourceGather`

Impact An attacker can trigger a crash via a floating point exception in tf.rawops.ResourceGather: python import tensorflow as tf tensor = tf.constantvalue=,shape=0,1,dtype=tf.uint32 v = tf.Variabletensor tf.rawops.ResourceGather resource=v.handle, indices=0, dtype=tf.uint32, batchdims=1,...

Reference binding to nullptr in `MatrixDiagV*` ops

Impact An attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixDiagV: python import tensorflow as tf tf.rawops.MatrixDiagV3 diagonal=1,0, k=, numrows=1,2,3, numcols=4,5, paddingvalue=, align='RIGHTRIGHT' The implementation has...

Reference binding to nullptr in `MatrixSetDiagV*` ops

Impact An attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixSetDiagV: python import tensorflow as tf tf.rawops.MatrixSetDiagV3 input=1,2,3, diagonal=1,1, k=, align='RIGHTLEFT' The implementation has incomplete validation that t...

Division by 0 in inplace operations

Impact An attacker can cause a floating point exception by calling inplace operations with crafted arguments that would result in a division by 0: python import tensorflow as tf tf.rawops.InplaceSubx=,i=-99,-1,-1,v=1,1,1 The implementation has a logic error: it should skip processing if x and v a...

Reference binding to nullptr in boosted trees

Impact An attacker can generate undefined behavior via a reference binding to nullptr in BoostedTreesCalculateBestGainsPerFeature: python import tensorflow as tf tf.rawops.BoostedTreesCalculateBestGainsPerFeature nodeidrange=, statssummarylist=1,2,3, l1=1.0, l2=1.0, treecomplexity =1.0,...

Incomplete validation in `QuantizeV2`

Impact Due to incomplete validation in tf.rawops.QuantizeV2, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays: python import tensorflow as tf tf.rawops.QuantizeV2 input=1,2,3, minrange=1,2, maxrange...

FPE in `tf.raw_ops.UnravelIndex`

Impact An attacker can cause denial of service in applications serving models using tf.rawops.UnravelIndex by triggering a division by 0: python import tensorflow as tf tf.rawops.UnravelIndexindices=-1, dims=1,0,2 The implementation does not check that the tensor subsumed by dims is not empty...

Heap OOB in `UpperBound` and `LowerBound`

Impact An attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to tf.rawops.UpperBound: python import tensorflow as tf tf.rawops.UpperBound sortedinput=1,2,3, values=tf.constantvalue=0,0,0,1,1,1,2,2,2,dtype=tf.int64, outtype=tf.int64 The...

`CHECK`-fail in `MapStage`

Impact An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.MapStage: python import tensorflow as tf tf.rawops.MapStage key=tf.constant, shape=0, 0, 0, 0, dtype=tf.int64, indices=tf.constant0, dtype=tf.int32, values=tf.constant0, dtype=tf.int32, dtypes=tf.int32, tf.int64,...

Division by 0 in most convolution operators

Impact Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: python import tensorflow as tf tf.compat.v1.disablev2behavior tf.rawops.Conv2D input = tf.constant, shape=0, 0, 0, 0,...

Heap OOB in nested `tf.map_fn` with `RaggedTensor`s

Impact It is possible to nest a tf.mapfn within another tf.mapfn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tensor and fills output buffer with uninitialized contents from the heap: python import...

NPE in TFLite

Impact The implementation of SVDF in TFLite is vulnerable to a null pointer error: cc TfLiteTensor state = GetVariableInputcontext, node, kStateTensor; // ... GetTensorDatastate The GetVariableInput function can return a null pointer but GetTensorData assumes that the argument is always a valid...