`CHECK`-failures in Tensorflow
Impact An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. Patches We have patched the issue in GitHub commit c2b31ff2d3151acb230edc3f5b1832d2c713a9e0. The fix will be included in TensorFlow 2.8.0. W...
Division by zero in TFLite
Impact An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added...
Null pointer dereference in TensorFlow
Impact The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. python import tensorflow as tf tf.rawops.QuantizedMaxPool input = tf.constant4, dtype=tf.quint8, mininput = , maxinput = 1, ksize = 1, 1, 1, 1,...
Integer Overflow or Wraparound in TensorFlow
Impact The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure assertion failure in constant folding: cc for const auto& outputprop : outputprops const PartialTensorShape outputshapeoutputprop.shape; // ... The outputprop tensor has a shape that is controlled b...
Null pointer dereference in TensorFlow
Impact When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference: cc string allowedgpus = flr-configproto-gpuoptions.visibledevicelist; In the default scenario, all devices are allowed, so flr-configproto is nullptr. Patches We have patch...
Segfault in `simplifyBroadcast` in Tensorflow
Impact The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service) if called with scalar shapes. cc sizet maxRank = 0; for auto shape : llvm::enumerateshapes auto foundshape = analysis.dimensionsForShapeTensorshape.value; if...
Stack overflow in TensorFlow
Impact The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library function signature name: "SomeOp" description:...
Reachable Assertion in Tensorflow
Impact When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow...
Crash when type cannot be specialized in Tensorflow
Impact Under certain scenarios, TensorFlow can fail to specialize a type during shape inference: cc void InferenceContext::PreInputInit const OpDef& opdef, const std::vector& inputtensors, const std::vector& inputtensorsasshapes const auto ret = fulltype::SpecializeTypeattrs, opdef;...
Memory leak in decoding PNG images
Impact When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode..., &decode, the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode&decode. However, several error cases in the function...
Out of bounds read and write in Tensorflow
Impact There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write: cc for int i = 0; i argssize; j++ auto arg = t-mutableargsi; // ... Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg...
Abort caused by allocating a vector that is too large in Tensorflow
Impact During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user: cc const auto numdims = Valueshapedim; std::vector dims; dims.reservenumdims; Patches We have patched the issue in GitHub commit 1361fb7e29449629e1df94d44e0427ebec8c83c7. T...
GHSA-2XHG-W2G5-W95X CSV Injection in symfony/serializer
Description ----------- CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with = is interpreted by the software as a formula and could be abused by an attacker. In Symfony 4.1, we'...
Overflow/crash in `tf.tile` when tiling tensor is large
Impact If tf.tile is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. python import tensorflow as tf import numpy as np tf.keras.backend.tilex=np.ones1,1,1, n=100000000,100000000, 100000000 The number of elements in the output...
Segfault while copying constant resource tensor
Impact During TensorFlow's Grappler optimizer phase, constant folding might attempt to deep copy a resource tensor. This results in a segfault, as these tensors are supposed to not change. Patches We have patched the issue in GitHub commit 7731e8dfbe4a56773be5dc94d631611211156659. The fix will be...
FPE in `ParallelConcat`
Impact The implementation of ParallelConcat misses some input validation and can produce a division by 0: python import tensorflow as tf @tf.function def test: y = tf.rawops.ParallelConcatvalues='tf',shape=0 return y test Patches We have patched the issue in GitHub commit...
Null pointer exception in `DeserializeSparse`
Impact The shape inference code for DeserializeSparse can trigger a null pointer dereference: python import tensorflow as tf dataset = tf.data.Dataset.range3 @tf.function def test: y = tf.rawops.DeserializeSparse serializedsparse=tf.data.experimental.tovariantdataset, dtype=tf.int32 test This is...
Undefined behavior via `nullptr` reference binding in sparse matrix multiplication
Impact The code for sparse matrix multiplication is vulnerable to undefined behavior via binding a reference to nullptr: python import tensorflow as tf tf.rawops.SparseMatMul a=1.0,1.0,1.0, b=,,, transposea=False, transposeb=False, aissparse=False, bissparse=True This occurs whenever the dimensio...
A use of uninitialized value vulnerability in Tensorflow
Impact TensorFlow's Grappler optimizer has a use of uninitialized variable: cc const NodeDef dequeuenode; for const auto& trainnode : trainnodes if IsDequeueOptrainnode dequeuenode = trainnode; break; if dequeuenode ... If the trainnodes vector obtained from the saved model that gets optimized does...
Heap OOB in `SparseBinCount`
Impact The implementation of SparseBinCount is vulnerable to a heap OOB: python import tensorflow as tf tf.rawops.SparseBincount indices=0,1,2 values=0,-10000000 denseshape=1,1 size=1 weights=3,2,1 binaryoutput=False This is because of missing validation between the elements of the values argumen...