Update dependency tensorflow to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tensorflow	==1.15.0 -> ==2.7.2

GitHub Vulnerability Alerts

CVE-2021-41208

Impact

The code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing nullptrs or via CHECK-failures) as well as abuse undefined behavior (binding references to nullptrs). An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call.

Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no longer use these APIs. Instead, please use the downstream TensorFlow Decision Forests project which is newer and supports more features. We will deprecate TensorFlow's boosted trees APIs in subsequent releases.

Patches

We have patched the issue in GitHub commit 5c8c9a8bfe750f9743d0c859bae112060b216f5c.

The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

CVE-2022-23586

Impact

A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter.

Patches

We have patched the issue in GitHub commits dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 and 3d89911481ba6ebe8c88c1c0b595412121e6c645.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23573

Impact

The implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior.

The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized.

Patches

We have patched the issue in GitHub commit ef1d027be116f25e25bb94a60da491c2cf55bd0b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23574

Impact

There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write:

for (int i = 0; i < op_def.output_arg_size(); i++) {
  // ...
  for (int j = 0; j < t->args_size(); j++) {
    auto* arg = t->mutable_args(i);
    // ...
  }
} 

Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg from outside the vector of arguments. Since this is a mutable proto value, it allows both read and write to outside of bounds data.

Patches

We have patched the issue in GitHub commit 0657c83d08845cc434175934c642299de2c0f042.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23585

Impact

When decoding PNG images TensorFlow can produce a memory leak if the image is invalid.
After calling png::CommonInitDecode(..., &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur.

Patches

We have patched the issue in GitHub commit ab51e5b813573dc9f51efa335aebcf2994125ee9.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23587

Impact

Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Patches

We have patched the issue in GitHub commit 0aaaae6eca5a7175a193696383f582f53adab23f.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23572

Impact

Under certain scenarios, TensorFlow can fail to specialize a type during shape inference:

void InferenceContext::PreInputInit(
    const OpDef& op_def, const std::vector<const Tensor*>& input_tensors,
    const std::vector<ShapeHandle>& input_tensors_as_shapes) {
  const auto ret = full_type::SpecializeType(attrs_, op_def);
  DCHECK(ret.status().ok()) << "while instantiating types: " << ret.status();
  ret_types_ = ret.ValueOrDie();
  // ... 
}

However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the ValueOrDie line. This results in an assertion failure as ret contains an error Status, not a value. In the second case we also get a crash due to the assertion failure.

Patches

We have patched the issue in GitHub commit cb164786dc891ea11d3a900e90367c339305dc7b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23571

Impact

When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

Patches

We have patched the issue in GitHub commit 5b491cd5e41ad63735161cec9c2a568172c8b6a3.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23588

Impact

A malicious user can cause a denial of service by altering a SavedModel such that Grappler optimizer would attempt to build a tensor using a reference dtype. This would result in a crash due to a CHECK-fail in the Tensor constructor as reference types are not allowed.

Patches

We have patched the issue in GitHub commit 6b5adc0877de832b2a7c189532dbbbc64622eeb6.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23591

Impact

The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel:

  library {
    function {
      signature {
        name: "SomeOp"
        description: "Self recursive op"
      }
      node_def {
        name: "1"
        op: "SomeOp"
      }
      node_def {
        name: "2"
        op: "SomeOp"
      }
    }
  } 

This would result in a stack overflow during execution as resolving each NodeDef means resolving the function itself and its nodes.

Patches

We have patched the issue in GitHub commit 448a16182065bd08a202d9057dd8ca541e67996c.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23589

Impact

Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file (fixing the first one would trigger the same dereference in the second place):

First, during constant folding, the GraphDef might not have the required nodes for the binary operation:

  NodeDef* mul_left_child = node_map_->GetNode(node->input(0));
  NodeDef* mul_right_child = node_map_->GetNode(node->input(1));
  // One child must be constant, and the second must be Conv op.
  const bool left_child_is_constant = IsReallyConstant(*mul_left_child);
  const bool right_child_is_constant = IsReallyConstant(*mul_right_child);

If a node is missing, the correposning mul_*child would be null, and the dereference in the subsequent line would be incorrect.

We have a similar issue during IsIdentityConsumingSwitch:

  NodeDef* input_node = graph.GetNode(tensor_id.node());
  return IsSwitch(*input_node);

Patches

We have patched the issue in GitHub commits 0a365c029e437be0349c31f8d4c9926b69fa3fa1 and 045deec1cbdebb27d817008ad5df94d96a08b1bf.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23595

Impact

When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference:

  string allowed_gpus =
      flr->config_proto()->gpu_options().visible_device_list();

In the default scenario, all devices are allowed, so flr->config_proto is nullptr.

Patches

We have patched the issue in GitHub commit e21af685e1828f7ca65038307df5cc06de4479e8.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

GHSA-wcv5-vrvr-3rx2

Impact

The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) in constant folding:

  for (const auto& output_prop : output_props) {
    const PartialTensorShape output_shape(output_prop.shape());
    // ...
  }

The output_prop tensor has a shape that is controlled by user input and this can result in triggering one of the CHECKs in the PartialTensorShape constructor. This is an instance of TFSA-2021-198 (CVE-2021-41197).

Patches

We have patched the issue in GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23570

Impact

When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK:

  const auto* attr = attrs.Find(arg->s()); 
  DCHECK(attr != nullptr);
  if (attr->value_case() == AttrValue::kList) {
    // ...
  }

However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the dereferencing of the null pointer, whereas in the second case it results in a crash due to the assertion failure.

Patches

We have patched the issue in GitHub commit 8a513cec4bec15961fbfdedcaa5376522980455c.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

GHSA-h6gw-r52c-724r

Impact

The code for boosted trees in TensorFlow is still missing validation. This allows malicious users to read and write outside of bounds of heap allocated data as well as trigger denial of service (via dereferencing nullptrs or via CHECK-failures).

This follows after CVE-2021-41208 where these APIs were still vulnerable to multiple security issues.

Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no longer use these APIs. Instead, please use the downstream TensorFlow Decision Forests project which is newer and supports more features.

These APIs are now deprecated in TensorFlow 2.8. We will remove TensorFlow's boosted trees APIs in subsequent releases.

Patches

We have patched the known issues in multiple GitHub commits.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

This should allow users to use existing boosted trees APIs for a while until they migrate to TensorFlow Decision Forests, while guaranteeing that known vulnerabilities are fixed.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

These vulnerabilities have been reported by Yu Tian of Qihoo 360 AIVul Team and Faysal Hossain Shezan from University of Virginia. Some of the issues have been discovered internally after a careful audit of the APIs.

GHSA-43q8-3fv7-pr5x

Impact

The implementation of tf.sparse.split does not fully validate the input arguments. Hence, a malicious user can trigger a denial of service via a segfault or a heap OOB read:

import tensorflow as tf
data = tf.random.uniform([1, 32, 32], dtype=tf.float32)
axis = [1, 2]
x = tf.sparse.from_dense(data)
result = tf.sparse.split(x,3, axis=axis)

The code assumes axis is a scalar. This is another instance of TFSA-2021-190 (CVE-2021-41206).

Patches

We have patched the issue in GitHub commit 61bf91e768173b001d56923600b40d9a95a04ad5 (merging #​53695).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via a GitHub issue.

CVE-2022-23567

Impact

The implementations of Sparse*Cwise* ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service):

import tensorflow as tf
import numpy as np

tf.raw_ops.SparseDenseCwiseDiv(
    sp_indices=np.array([[9]]),
    sp_values=np.array([5]),
    sp_shape=np.array([92233720368., 92233720368]),
    dense=np.array([4]))

We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an instance of TFSA-2021-198 (CVE-2021-41197) and is easily fixed by replacing a call to TensorShape constructor with a call to BuildTensorShape static helper factory.

Patches

We have patched the issue in GitHub commits 1b54cadd19391b60b6fcccd8d076426f7221d5e8 and e952a89b7026b98fe8cbe626514a93ed68b7c510.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-23569

Impact

Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails (i.e., assertion failures). This is similar to TFSA-2021-198 (CVE-2021-41197) and has similar fixes.

Patches

We have patched the reported issues in multiple GitHub commits. It is possible that other similar instances exist in TensorFlow, we will issue fixes as these are discovered.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-23568

Impact

The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects (so, an assert failure based denial of service):

import tensorflow as tf
import numpy as np

tf.raw_ops.AddManySparseToTensorsMap(
    sparse_indices=[(0,0),(0,1),(0,2),(4,3),(5,0),(5,1)],
    sparse_values=[1,1,1,1,1,1],
    sparse_shape=[2**32,2**32],
    container='',
    shared_name='',
    name=None)

We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an instance of TFSA-2021-198 (CVE-2021-41197) and is easily fixed by replacing a call to TensorShape constructor with a call to BuildTensorShape static helper factory.

Patches

We have patched the issue in GitHub commits b51b82fe65ebace4475e3c54eb089c18a4403f1c and a68f68061e263a88321c104a6c911fe5598050a8.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-21738

Impact

The implementation of SparseCountSparseOutput can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation:

import tensorflow as tf
import numpy as np
    
tf.raw_ops.SparseCountSparseOutput(
  indices=[[1,1]],
  values=[2],
  dense_shape=[2 ** 31, 2 ** 32],
  weights=[1],
  binary_output=True,
  minlength=-1,
  maxlength=-1,
  name=None)

Patches

We have patched the issue in GitHub commit 6f4d3e8139ec724dbbcb40505891c81dd1052c4a.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-21736

Impact

The implementation of SparseTensorSliceDataset has an undefined behavior: under certain condition it can be made to dereference a nullptr value:

import tensorflow as tf
import numpy as np

tf.raw_ops.SparseTensorSliceDataset(
  indices=[[]],
  values=[],
  dense_shape=[1,1])

The 3 input arguments represent a sparse tensor. However, there are some preconditions that these arguments must satisfy but these are not validated in the implementation.

Patches

We have patched the issue in GitHub commit 965b97e4a9650495cda5a8c210ef6684b4b9eceb.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-21737

Impact

The implementation of *Bincount operations allows malicious users to cause denial of service by passing in arguments which would trigger a CHECK-fail:

import tensorflow as tf

tf.raw_ops.DenseBincount(
  input=[[0], [1], [2]],
  size=[1],
  weights=[3,2,1],
  binary_output=False)

There are several conditions that the input arguments must satisfy. Some are not caught during shape inference and others are not caught during kernel implementation. This results in CHECK failures later when the output tensors get allocated.

Patches

We have patched the issue in GitHub commit 7019ce4f68925fd01cdafde26f8d8c938f47e6f9.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-21739

Impact

The implementation of QuantizedMaxPool has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer.

import tensorflow as tf

tf.raw_ops.QuantizedMaxPool(
    input = tf.constant([[[[4]]]], dtype=tf.quint8),
    min_input = [],
    max_input = [1],
    ksize = [1, 1, 1, 1],
    strides = [1, 1, 1, 1],
    padding = "SAME", name=None
)

Patches

We have patched the issue in GitHub commit 53b0dd6dc5957652f35964af16b892ec9af4a559.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-23557

Impact

An attacker can craft a TFLite model that would trigger a division by zero in BiasAndClamp implementation:

inline void BiasAndClamp(float clamp_min, float clamp_max, int bias_size,
                         const float* bias_data, int array_size,
                         float* array_data) {
  // ...
  TFLITE_DCHECK_EQ((array_size % bias_size), 0);
  // ...
} 

There is no check that the bias_size is non zero.

Patches

We have patched the issue in GitHub commit 8c6f391a2282684a25cbfec7687bd5d35261a209.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-21740

Impact

The implementation of SparseCountSparseOutput is vulnerable to a heap overflow:

import tensorflow as tf
import numpy as np

tf.raw_ops.SparseCountSparseOutput(
  indices=[[-1,-1]],
  values=[2],
  dense_shape=[1, 1],
  weights=[1],
  binary_output=True,
  minlength=-1,
  maxlength=-1,
  name=None)

Patches

We have patched the issue in GitHub commits 2b7100d6cdff36aa21010a82269bc05a6d1cc74a and adbbabdb0d3abb3cdeac69e38a96de1d678b24b3.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-21741

Impact

An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions.

The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added before applying the convolution. There is no check before this division that the divisor is stricly positive.

Patches

We have patched the issue in GitHub commit e5b0eec199c2d03de54fd6a7fd9275692218e2bc.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-23565

Impact

An attacker can trigger denial of service via assertion failure by altering a SavedModel on disk such that AttrDefs of some operation are duplicated.

Patches

We have patched the issue in GitHub commit c2b31ff2d3151acb230edc3f5b1832d2c713a9e0.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23558

Impact

An attacker can craft a TFLite model that would cause an integer overflow in TfLiteIntArrayCreate:

TfLiteIntArray* TfLiteIntArrayCreate(int size) {
  int alloc_size = TfLiteIntArrayGetSizeInBytes(size);
  // ...
  TfLiteIntArray* ret = (TfLiteIntArray*)malloc(alloc_size);
  // ...
} 

The TfLiteIntArrayGetSizeInBytes returns an int instead of a size_t:

int TfLiteIntArrayGetSizeInBytes(int size) {
  static TfLiteIntArray dummy;

  int computed_size = sizeof(dummy) + sizeof(dummy.data[0]) * size;

#if defined(_MSC_VER)
  // Context for why this is needed is in http://b/189926408#comment21
  computed_size -= sizeof(dummy.data[0]);

#endif
  return computed_size;
}

An attacker can control model inputs such that computed_size overflows the size of int datatype.

Patches

We have patched the issue in GitHub commit a1e1511dde36b3f8aa27a6ec630838e7ea40e091.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-23559

Impact

An attacker can craft a TFLite model that would cause an integer overflow in embedding lookup operations:

  int embedding_size = 1;
  int lookup_size = 1;
  for (int i = 0; i < lookup_rank - 1; i++, k++) {
    const int dim = dense_shape->data.i32[i];
    lookup_size *= dim;
    output_shape->data[k] = dim;
  }
  for (int i = 1; i < embedding_rank; i++, k++) {
    const int dim = SizeOfDimension(value, i);
    embedding_size *= dim;
    output_shape->data[k] = dim;
  } 

Both embedding_size and lookup_size are products of values provided by the user. Hence, a malicious user could trigger overflows in the multiplication.

In certain scenarios, this can then result in heap OOB read/write.

Patches

We have patched the issue in GitHub commits f19be71717c497723ba0cea0379e84f061a75e01, 1de49725a5fc4e48f1a3b902ec3599ee99283043 and a4e401da71458d253b05e41f28637b65baf64be4.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-23560

Impact

An attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in the conversion from sparse tensors to dense tensors.

Patches

We have patched the issue in GitHub commit 6364463d6f5b6254cac3d6aedf999b6a96225038.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-23561

Impact

An attacker can craft a TFLite model that would cause a write outside of bounds of an array in TFLite. In fact, the attacker can override the linked list used by the memory allocator. This can be leveraged for an arbitrary write primitive under certain conditions.

Patches

We have patched the issue in GitHub commit 6c0b2b70eeee588591680f5b7d5d38175fd7cdf6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2022-23566

Impact

TensorFlow is vulnerable to a heap OOB write in Grappler:

Status SetUnknownShape(const NodeDef* node, int output_port) {
  shape_inference::ShapeHandle shape = 
      GetUnknownOutputShape(node, output_port);
  InferenceContext* ctx = GetContext(node);
  if (ctx == nullptr) {
    return errors::InvalidArgument("Missing context");
  }
  ctx->set_output(output_port, shape);
  return Status::OK();
}

The set_output function writes to an array at the specified index:

void set_output(int idx, ShapeHandle shape) { outputs_.at(idx) = shape; }

Hence, this gives a malicious user a write primitive.

Patches

We have patched the issue in GitHub commit 97282c6d0d34476b6ba033f961590b783fa184cd.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23562

Impact

The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations.

Patches

We have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 (merging #​51733).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via a GitHub issue.

CVE-2022-23584

Impact

A malicious user can cause a use after free behavior when decoding PNG images:

if (/* ... error conditions ... */) {
  png::CommonFreeDecode(&decode);
  OP_REQUIRES(context, false,
              errors::InvalidArgument("PNG size too large for int: ",
                                      decode.width, " by ", decode.height));
}   

After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

Patches

We have patched the issue in GitHub commit e746adbfcfee15e9cfdb391ff746c765b99bdf9b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23564

Impact

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Patches

We have patched the issue in GitHub commit 14fea662350e7c26eb5fe1be2ac31704e5682ee6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23563

Impact

In multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in mktemp and the actual creation of the file by a subsequent operation (a TOC/TOU type of weakness).

In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the mktemp function usage.

Patches

We have patched the issue in several commits, replacing mktemp with the safer mkstemp/mkdtemp functions, according to the usage pattern.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported on huntr.dev for one scenario and discovered via variant analysis on other instances.

CVE-2022-21726

Impact

The implementation of Dequantize does not fully validate the value of axis and can result in heap OOB accesses:

import tensorflow as tf

@​tf.function
def test():
  y = tf.raw_ops.Dequantize(
    input=tf.constant([1,1],dtype=tf.qint32),
    min_range=[1.0],
    max_range=[10.0],
    mode='MIN_COMBINED',
    narrow_range=False,
    axis=2**31-1,
    dtype=tf.bfloat16)
  return y

test()

The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked and this results in reading past the end of the array containing the dimensions of the input tensor:

  if (axis_ > -1) {
    num_slices = input.dim_size(axis_);
  }
  // ...
  int64_t pre_dim = 1, post_dim = 1;
  for (int i = 0; i < axis_; ++i) {
    pre_dim *= float_output.dim_size(i);
  }
  for (int i = axis_ + 1; i < float_output.dims(); ++i) {
    post_dim *= float_output.dim_size(i);
  }

Patches

We have patched the issue in GitHub commit 23968a8bf65b009120c43b5ebcceaf52dbc9e943.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.

CVE-2022-21727

Impact

The implementation of shape inference for Dequantize is vulnerable to an integer overflow weakness:

import tensorflow as tf

input = tf.constant([1,1],dtype=tf.qint32)

@​tf.function
def test():
  y = tf.raw_ops.Dequantize(
    input=input,
    min_range=[1.0],
    max_range=[10.0],
    mode='MIN_COMBINED',
    narrow_range=False,
    axis=2**31-1,
    dtype=tf.bfloat16)
  return y

test()

The axis argument can be -1 (the default value for the optional argument) or any other positive value at most the number of dimensions of the input. Unfortunately, the upper bound is not checked, and, since the code computes axis + 1, an attacker can trigger an integer overflow:

  int axis = -1; 
  Status s = c->GetAttr("axis", &axis);
  // ...
  if (axis < -1) {
    return errors::InvalidArgument("axis should be at least -1, got ",
                                   axis);
  }
  // ...
  if (axis != -1) {
    ShapeHandle input;
    TF_RETURN_IF_ERROR(c->WithRankAtLeast(c->input(0), axis + 1, &input));
    // ...
  }

Patches

We have patched the issue in GitHub commit b64638ec5ccaa77b7c1eb90958e3d85ce381f91b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.

CVE-2022-21731

Impact

The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion:

import tensorflow as tf

@​tf.function
def test():
  y = tf.raw_ops.ConcatV2(
    values=[[1,2,3],[4,5,6]],
    axis = 0xb500005b)
  return y

test()

The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate that the values tensor has at least the required rank:

  int64_t concat_dim;
  if (concat_dim_t->dtype() == DT_INT32) {
    concat_dim = static_cast<int64_t>(concat_dim_t->flat<int32>()(0));
  } else {
    concat_dim = concat_dim_t->flat<int64_t>()(0);
  }

  // Minimum required number of dimensions.
  const int min_rank = concat_dim < 0 ? -concat_dim : concat_dim + 1;

  // ...
  ShapeHandle input = c->input(end_value_index - 1);
  TF_RETURN_IF_ERROR(c->WithRankAtLeast(input, min_rank, &input));

However, WithRankAtLeast receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:

Status InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,
                                         ShapeHandle* out) {
  if (rank > kint32max) {
    return errors::InvalidArgument("Rank cannot exceed kint32max");
  }
  // ...
}

Due to the fact that min_rank is a 32-bits value and the value of axis, the rank argument is a negative value, so the error check is bypassed.

Patches

We have patched the issue in GitHub commit 08d7b00c0a5a20926363849f611729f53f3ec022.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian