7035 matches found
Division by zero in Tensorflow
Impact The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0:pythonimport tensorflow as tfimport numpy as nptf.rawops.FractionalMaxPool value=tf.constantvalue=1, 4, 2, 3, dtype=tf.int64, poolingratio=1.0, 1.44, 1.73, 1.0, pseudorandom=False,...
Improper Restriction of XML External Entity Reference in trytond and proteus
An XXE issue was discovered in Tryton Application Platform Server 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform Command Line Client proteus 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user...
Null-dereference in Tensorflow
ImpactThe implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer:ccconst auto& initopsigit = metagraphdef.signaturedef.findkSavedModelInitOpSignatureKey;if initopsigit != sigdefmap.end initopname = initopsigit-second.outputs .findkSavedModelInitOpSignatureKey...
Memory leak in Tensorflow
ImpactIf a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize:ccStatus s = params.createkerneln-properties, &item-;kernel;if !s.ok item-kernel = nullptr; s = AttachDefs, n; return s; Here, we set item-kernel to nullptr but it is a simple...
Integer overflow in Tensorflow
ImpactThe implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements:ccint64t OpLevelCostEstimator::CalculateTensorSize const OpInfo::TensorProperties&...
`CHECK`-failures in binary ops in Tensorflow
ImpactA malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case...
Type confusion leading to segfault in Tensorflow
Impact The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion:pythonimport tensorflow as [email protected] test: y = tf.rawops.ConcatV2 values=1,2,3,4,5,6, axis = 0xb500005b return ytestThe axis argument is...
Use after free in `DecodePng` kernel
ImpactA malicious user can cause a use after free behavior when decoding PNG images:ccif / ... error conditions ... / png::CommonFreeDecode; OPREQUIREScontext, false, errors::InvalidArgument"PNG size too large for int: ", decode.width, " by ", decode.height; After png::CommonFreeDecode gets calle...
Memory exhaustion in Tensorflow
Impact The implementation of StringNGrams can be used to trigger a denial of service attack by causing an OOM condition after an integer overflow:pythonimport tensorflow as tftf.rawops.StringNGrams data='123456', datasplits=0,1, separator='a'15, ngramwidths=, leftpad='', rightpad='', padwidth=-5,...
`CHECK`-failures in Tensorflow
Impact The implementation of MapStage is vulnerable a CHECK-fail if the key tensor is not a scalar:pythonimport tensorflow as tfimport numpy as nptf.rawops.MapStage key = tf.constantvalue=4, shape= 1,2, dtype=tf.int64, indices = np.array6, values = np.array-60, dtypes = tf.int64, capacity=0,...
Division by zero in Tensorflow
Impact The estimator for the cost of some convolution operations can be made to execute a division by 0:pythonimport tensorflow as [email protected] test: y=tf.rawops.AvgPoolGrad originputshape=1,1,1,1, grad=1.0,1.0,1.0,2.0,2.0,2.0,3.0,3.0,3.0, ksize=1,1,1,1, strides=1,1,1,0, padding='VALID',...
Memory exhaustion in Tensorflow
Impact The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory:pythonimport tensorflow as tfy = tf.rawops.ThreadPoolHandlenumthreads=0x60000000,displayname='tf'This is because the numthreads argument is only checked to not be negative...
Overflow and uncaught divide by zero in Tensorflow
Impact The implementation of UnravelIndex is vulnerable to a division by zero caused by an integer overflow bug:pythonimport tensorflow as tftf.rawops.UnravelIndexindices=-0x100000,dims=0x100000,0x100000 PatchesWe have patched the issue in GitHub commit 58b34c6c8250983948b5a781b426f6aa01fd47af. T...
Out of bounds write in Tensorflow
ImpactTensorFlow is vulnerable to a heap OOB write in Grappler:ccStatus SetUnknownShapeconst NodeDef node, int outputport shapeinference::ShapeHandle shape = GetUnknownOutputShapenode, outputport; InferenceContext ctx = GetContextnode; if ctx == nullptr return errors::InvalidArgument"Missing...
Insecure temporary file in Tensorflow
ImpactIn multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in mktemp and the actual creation of the file by a...
Reachable Assertion in Tensorflow
ImpactWhen decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes. PatchesWe have patched the issue in GitHub...
Division by zero in TFLite
Impact An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions.The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added befo...
Read and Write outside of bounds in TensorFlow
ImpactAn attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors. PatchesWe have patched the issue in GitHub commit 6364463d6f5b6254cac3d6aedf999b6a96225038.The...
Out of bounds write in TFLite
Impact An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions. PatchesWe have patched th...
`CHECK`-failures in Tensorflow
ImpactAn attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated. PatchesWe have patched the issue in GitHub commit c2b31ff2d3151acb230edc3f5b1832d2c713a9e0.The fix will be included in TensorFlow 2.8.0. We...
Division by zero in TFLite
Impact An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation:ccinline void BiasAndClampfloat clampmin, float clampmax, int biassize, const float biasdata, int arraysize, float arraydata // ... TFLITEDCHECKEQarraysize % biassize, 0; // ... There ...
Integer overflow in TFLite
Impact An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations:cc int embeddingsize = 1; int lookupsize = 1; for int i = 0; i data.i32i; lookupsize = dim; outputshape-datak = dim; for int i = 1; i datak = dim; Both embeddingsize and lookupsize are...
Heap overflow in Tensorflow
Impact The implementation of SparseCountSparseOutput is vulnerable to a heap overflow:pythonimport tensorflow as tfimport numpy as nptf.rawops.SparseCountSparseOutput indices=-1,-1, values=2, denseshape=1, 1, weights=1, binaryoutput=True, minlength=-1, maxlength=-1, name=None PatchesWe have patch...
Integer overflow in Tensorflow
ImpactThe implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations. PatchesWe have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 merging 51733.The fix will be included in TensorFlo...
Integer overflow in TFLite array creation
Impact An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate:ccTfLiteIntArray TfLiteIntArrayCreateint size int allocsize = TfLiteIntArrayGetSizeInBytessize; // ... TfLiteIntArray ret = TfLiteIntArraymallocallocsize; // ... The TfLiteIntArrayGetSizeInByt...
Integer overflows in Tensorflow
Impact The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects so, an assert failure based denial of service:pythonimport tensorflow as tfimport numpy as nptf.rawops.AddManySparseToTensorsMap...
Null-dereference in Tensorflow
ImpactWhen decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK:cc const auto attr = attrs.Findarg-s; DCHECKattr != nullptr; if attr-valuecase == AttrValue::kList ...
Assertion failure based denial of service in Tensorflow
Impact The implementation of Bincount operations allows malicious users to cause denial of service by passing in arguments which would trigger a CHECK-fail:pythonimport tensorflow as tftf.rawops.DenseBincount input=0, 1, 2, size=1, weights=3,2,1, binaryoutput=FalseThere are several conditions tha...
Null pointer dereference in TensorFlow
Impact The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer.pythonimport tensorflow as tftf.rawops.QuantizedMaxPool input = tf.constant4, dtype=tf.quint8, mininput = , maxinput = 1, ksize = 1, 1, 1, 1, stride...
Undefined behavior in `SparseTensorSliceDataset`
Impact The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value:pythonimport tensorflow as tfimport numpy as nptf.rawops.SparseTensorSliceDataset indices=, values=, denseshape=1,1The 3 input arguments represent...
Integer overflows in Tensorflow
Impact The implementations of SparseCwise ops are vulnerable to integer overflows. These can be used to trigger large allocations so, OOM based denial of service or CHECK-fails when building new TensorShape objects so, assert failures based denial of service:pythonimport tensorflow as tfimport...
Null pointer dereference in TensorFlow
ImpactWhen building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference:cc string allowedgpus = flr-configproto-gpuoptions.visibledevicelist; In the default scenario, all devices are allowed, so flr-configproto is nullptr. PatchesWe have patched...
`CHECK`-fails when building invalid tensor shapes in Tensorflow
Impact Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails i.e., assertion failures. This is similar to TFSA-2021-198 CVE-2021-41197 and has similar fixes. PatchesWe have patched the reported issues in multiple GitHub commits. It is possible that other...
Integer overflow leading to crash in Tensorflow
Impact The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation:pythonimport tensorflow as tfimport numpy as np tf.rawops.SparseCountSparseOutput indices=1,1, values=2, denseshape=2 31, 2 32,...
Crash due to erroneous `StatusOr` in TensorFlow
ImpactA GraphDef from a TensorFlow SavedModel can be maliciously altered to cause a TensorFlow process to crash due to encountering a StatusOr value that is an error and forcibly extracting the value from it:cc if opregdata-typector != nullptr VLOG3 opdef; const FullTypeDef ctortypedef =...
Null pointer dereference in Grappler's `IsConstant`
ImpactUnder certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file fixing the first one would trigger the same dereference in the second place:First, during constan...
Crash when type cannot be specialized in Tensorflow
ImpactUnder certain scenarios, TensorFlow can fail to specialize a type during shape inference:ccvoid InferenceContext::PreInputInit const OpDef& opdef, const std::vector& inputtensors, const std::vector& inputtensorsasshapes const auto ret = fulltype::SpecializeTypeattrs, opdef;...
Reachable Assertion in Tensorflow
ImpactWhen decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow...
Out of bounds read in Tensorflow
ImpactTensorFlow's type inference can cause a heap OOB read as the bounds checking is done in a DCHECK which is a no-op during production:ccif nodet.typeid != TFTUNSET int ix = inputidxi; DCHECKix nodet.argssize "input " i " should have an output " ix " but instead only has " nodet.argssize "...
Segfault in `simplifyBroadcast` in Tensorflow
ImpactThe simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault hence, denial of service, if called with scalar shapes.cc sizet maxRank = 0; for auto shape : llvm::enumerateshapes auto foundshape = analysis.dimensionsForShapeTensorshape.value; if...
Out of bounds read in Tensorflow
ImpactThe TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect.If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can caus...
Out of bounds read in Tensorflow
ImpactThe TFG dialect of TensorFlow MLIR makes several assumptions about the incoming GraphDef before converting it to the MLIR-based dialect.If an attacker changes the SavedModel format on disk to invalidate these assumptions and the GraphDef is then converted to MLIR-based IR then they can caus...
Stack overflow in TensorFlow
ImpactThe GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel: library function signature name: "SomeOp" description:...
Out of bounds read and write in Tensorflow
ImpactThere is a typo in TensorFlow's SpecializeType which results in heap OOB read/write:ccfor int i = 0; i argssize; j++ auto arg = t-mutableargsi; // ... Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg fro...
Integer overflow in TensorFlow
ImpactUnder certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior. PatchesWe have patched the issue in GitHub commit...
Out of bounds read in Tensorflow
Impact The implementation of FractionalAvgPoolGrad does not consider cases where the input tensors are invalid allowing an attacker to read from outside of bounds of heap:pythonimport tensorflow as [email protected] test: y = tf.rawops.FractionalAvgPoolGrad originputtensorshape=2,2,2,2,...
Out of bounds read in Tensorflow
Impact The implementation of shape inference for ReverseSequence does not fully validate the value of batchdim and can result in a heap OOB read:pythonimport tensorflow as [email protected] test: y = tf.rawops.ReverseSequence input = 'aaa','bbb', seqlengths = 1,1,1, seqdim = -10, batchdim = -10...
Uninitialized variable access in Tensorflow
ImpactThe implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior.The implementation has a check that the left hand side of the assignment is initialized to minimize number of allocations, but does not check that the right hand...
Multiple `CHECK`-fails in `function.cc` in TensowFlow
ImpactA malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter. PatchesWe have patched the issue in GitHub commits dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 and...
Memory leak in decoding PNG images
ImpactWhen decoding PNG images TensorFlow can produce a memory leak if the image is invalid.After calling png::CommonInitDecode..., , the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode. However, several error case in the function implementation...