BIT-TENSORFLOW-2022-41884 Seg fault in `ndarray_tensor_bridge` due to zero and large inputs in Tensorflow

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784. The fix will be...

BIT-TENSORFLOW-2022-41888 Unckecked rank size in `tf.image.generate_bounding_box_proposals` in Tensorflow

TensorFlow is an open source platform for machine learning. When running on GPU, tf.image.generateboundingboxproposals receives a scores input that must be of rank 4 but is not checked. We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98. The fix will be included i...

BIT-TENSORFLOW-2022-41894 Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite

TensorFlow is an open source platform for machine learning. The reference kernel of the CONV3DTRANSPOSE TensorFlow Lite operator wrongly increments the dataptr when adding the bias to the result. Instead of dataptr += numchannels; it should be dataptr += outputnumchannels; as if the number of inp...

BIT-TENSORFLOW-2022-41895 `MirrorPadGrad` heap out of bounds read in Tensorflow

TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also...

BIT-TENSORFLOW-2022-41899 `CHECK` fail via inputs in `SdcaOptimizer` in Tensorflow

TensorFlow is an open source platform for machine learning. Inputs densefeatures or examplestatedata not of rank 2 will trigger a CHECK fail in SdcaOptimizer. We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa. The fix will be included in TensorFlow 2.11. We will...

CBL Mariner 2.0 Security Update: tensorflow (CVE-2022-41884)

The version of tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-41884 advisory. - TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape suc...

CBL Mariner 2.0 Security Update: tensorflow (CVE-2022-41893)

The version of tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-41893 advisory. - TensorFlow is an open source platform for machine learning. If tf.rawops.TensorListResize is given a...

CBL Mariner 2.0 Security Update: tensorflow (CVE-2022-41895)

The version of tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-41895 advisory. - TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input...

CBL Mariner 2.0 Security Update: tensorflow (CVE-2022-41897)

The version of tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-41897 advisory. - TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad is given outsize inpu...

Tensorflow vulnerable to Out-of-Bounds Read

Impact When the BaseCandidateSamplerOp function receives a value in trueclasses larger than rangemax, a heap oob vuln occurs. python tf.rawops.ThreadUnsafeUnigramCandidateSampler trueclasses=0x100000,1, numtrue = 2, numsampled = 2, unique = False, rangemax = 2, seed = 2, seed2 = 2 Patches We have...

`CHECK` fail in `TensorListScatter` and `TensorListScatterV2` in eager mode

Impact Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non scalar inputs inelementshape, was found in eager mode and fixed. python import tensorflow as tf arg0=tf.random.uniformshape=2, 2, 2, dtype=tf.float16, maxval=None arg1=tf.random.uniformshape=2...

GHSA-XVWP-H6JV-7472 FractionalMaxPool and FractionalAVGPool heap out-of-bounds acess

Impact An input poolingratio that is smaller than 1 will trigger a heap OOB in tf.rawops.FractionalMaxPool and tf.rawops.FractionalAvgPool. Patches We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48. The fix will be included in TensorFlow 2.11.0. We will also cher...

Segfault in `tf.raw_ops.TensorListConcat`

Impact If tf.rawops.TensorListConcat is given elementshape=, it results segmentation fault which can be used to trigger a denial of service attack. python import tensorflow as tf tf.rawops.TensorListConcat inputhandle=tf.data.experimental.tovarianttf.data.Dataset.fromtensorslices1, 2, 3,...

`CHECK` fail in `BCast` overflow

Impact If BCast::ToShape is given input larger than an int32, it will crash, despite being supposed to handle up to an int64. An example can be seen in tf.experimental.numpy.outer by passing in large input to the input b. python import tensorflow as tf value = tf.constantshape=2, 1024, 1024, 1024...

Segfault via invalid attributes in `pywrap_tfe_src.cc`

Impact If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extractvolumepatches by passing in quantized tensors as input ksizes. python import numpy as np import...

GHSA-54PP-C6PP-7FPX Overflow in `ImageProjectiveTransformV2`

Impact When tf.rawops.ImageProjectiveTransformV2 is given a large output shape, it overflows. python import tensorflow as tf interpolation = "BILINEAR" fillmode = "REFLECT" images = tf.constant0.184634328, shape=2,5,8,3, dtype=tf.float32 transforms = tf.constant0.378575385, shape=2,8,...

CVE-2022-41909

TensorFlow is an open source platform for machine learning. An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.rawops.CompositeTensorVariantToComponents. We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and...

CVE-2022-41897

TensorFlow is an open source platform for machine learning. If FractionMaxPoolGrad is given outsize inputs rowpoolingsequence and colpoolingsequence, TensorFlow will crash. We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927. The fix will be included in TensorFlow...

CVE-2022-41893

TensorFlow is an open source platform for machine learning. If tf.rawops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack. We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56...

CVE-2022-41890

TensorFlow is an open source platform for machine learning. If BCast::ToShape is given input larger than an int32, it will crash, despite being supposed to handle up to an int64. An example can be seen in tf.experimental.numpy.outer by passing in large input to the input b. We have patched the...