Update dependency tensorflow [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tensorflow	==2.4.1 -> ==2.5.3
tensorflow	==2.4.1 -> ==2.4.2

GitHub Vulnerability Alerts

CVE-2022-23562

Impact

The implementation of Range suffers from integer overflows. These can trigger undefined behavior or, in some scenarios, extremely large allocations.

Patches

We have patched the issue in GitHub commit f0147751fd5d2ff23251149ebad9af9f03010732 (merging #​51733).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via a GitHub issue.

CVE-2022-23563

Impact

In multiple places, TensorFlow uses tempfile.mktemp to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in mktemp and the actual creation of the file by a subsequent operation (a TOC/TOU type of weakness).

In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the mktemp function usage.

Patches

We have patched the issue in several commits, replacing mktemp with the safer mkstemp/mkdtemp functions, according to the usage pattern.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported on huntr.dev for one scenario and discovered via variant analysis on other instances.

CVE-2022-23564

Impact

When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes.

Patches

We have patched the issue in GitHub commit 14fea662350e7c26eb5fe1be2ac31704e5682ee6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23566

Impact

TensorFlow is vulnerable to a heap OOB write in Grappler:

Status SetUnknownShape(const NodeDef* node, int output_port) {
  shape_inference::ShapeHandle shape = 
      GetUnknownOutputShape(node, output_port);
  InferenceContext* ctx = GetContext(node);
  if (ctx == nullptr) {
    return errors::InvalidArgument("Missing context");
  }
  ctx->set_output(output_port, shape);
  return Status::OK();
}

The set_output function writes to an array at the specified index:

void set_output(int idx, ShapeHandle shape) { outputs_.at(idx) = shape; }

Hence, this gives a malicious user a write primitive.

Patches

We have patched the issue in GitHub commit 97282c6d0d34476b6ba033f961590b783fa184cd.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23567

Impact

The implementations of Sparse*Cwise* ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service):

import tensorflow as tf
import numpy as np

tf.raw_ops.SparseDenseCwiseDiv(
    sp_indices=np.array([[9]]),
    sp_values=np.array([5]),
    sp_shape=np.array([92233720368., 92233720368]),
    dense=np.array([4]))

We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an instance of TFSA-2021-198 (CVE-2021-41197) and is easily fixed by replacing a call to TensorShape constructor with a call to BuildTensorShape static helper factory.

Patches

We have patched the issue in GitHub commits 1b54cadd19391b60b6fcccd8d076426f7221d5e8 and e952a89b7026b98fe8cbe626514a93ed68b7c510.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-23568

Impact

The implementation of AddManySparseToTensorsMap is vulnerable to an integer overflow which results in a CHECK-fail when building new TensorShape objects (so, an assert failure based denial of service):

import tensorflow as tf
import numpy as np

tf.raw_ops.AddManySparseToTensorsMap(
    sparse_indices=[(0,0),(0,1),(0,2),(4,3),(5,0),(5,1)],
    sparse_values=[1,1,1,1,1,1],
    sparse_shape=[2**32,2**32],
    container='',
    shared_name='',
    name=None)

We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an instance of TFSA-2021-198 (CVE-2021-41197) and is easily fixed by replacing a call to TensorShape constructor with a call to BuildTensorShape static helper factory.

Patches

We have patched the issue in GitHub commits b51b82fe65ebace4475e3c54eb089c18a4403f1c and a68f68061e263a88321c104a6c911fe5598050a8.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

CVE-2022-23569

Impact

Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails (i.e., assertion failures). This is similar to TFSA-2021-198 (CVE-2021-41197) and has similar fixes.

Patches

We have patched the reported issues in multiple GitHub commits. It is possible that other similar instances exist in TensorFlow, we will issue fixes as these are discovered.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.

GHSA-h6gw-r52c-724r

Impact

The code for boosted trees in TensorFlow is still missing validation. This allows malicious users to read and write outside of bounds of heap allocated data as well as trigger denial of service (via dereferencing nullptrs or via CHECK-failures).

This follows after CVE-2021-41208 where these APIs were still vulnerable to multiple security issues.

Note: Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommend to no longer use these APIs. Instead, please use the downstream TensorFlow Decision Forests project which is newer and supports more features.

These APIs are now deprecated in TensorFlow 2.8. We will remove TensorFlow's boosted trees APIs in subsequent releases.

Patches

We have patched the known issues in multiple GitHub commits.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

This should allow users to use existing boosted trees APIs for a while until they migrate to TensorFlow Decision Forests, while guaranteeing that known vulnerabilities are fixed.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

These vulnerabilities have been reported by Yu Tian of Qihoo 360 AIVul Team and Faysal Hossain Shezan from University of Virginia. Some of the issues have been discovered internally after a careful audit of the APIs.

GHSA-43q8-3fv7-pr5x

Impact

The implementation of tf.sparse.split does not fully validate the input arguments. Hence, a malicious user can trigger a denial of service via a segfault or a heap OOB read:

import tensorflow as tf
data = tf.random.uniform([1, 32, 32], dtype=tf.float32)
axis = [1, 2]
x = tf.sparse.from_dense(data)
result = tf.sparse.split(x,3, axis=axis)

The code assumes axis is a scalar. This is another instance of TFSA-2021-190 (CVE-2021-41206).

Patches

We have patched the issue in GitHub commit 61bf91e768173b001d56923600b40d9a95a04ad5 (merging #​53695).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via a GitHub issue.

GHSA-wcv5-vrvr-3rx2

Impact

The Grappler component of TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) in constant folding:

  for (const auto& output_prop : output_props) {
    const PartialTensorShape output_shape(output_prop.shape());
    // ...
  }

The output_prop tensor has a shape that is controlled by user input and this can result in triggering one of the CHECKs in the PartialTensorShape constructor. This is an instance of TFSA-2021-198 (CVE-2021-41197).

Patches

We have patched the issue in GitHub commit be7b286d40bc68cb0b56f702186cc4837d508058.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23570

Impact

When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK:

  const auto* attr = attrs.Find(arg->s()); 
  DCHECK(attr != nullptr);
  if (attr->value_case() == AttrValue::kList) {
    // ...
  }

However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the dereferencing of the null pointer, whereas in the second case it results in a crash due to the assertion failure.

Patches

We have patched the issue in GitHub commit 8a513cec4bec15961fbfdedcaa5376522980455c.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23595

Impact

When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference:

  string allowed_gpus =
      flr->config_proto()->gpu_options().visible_device_list();

In the default scenario, all devices are allowed, so flr->config_proto is nullptr.

Patches

We have patched the issue in GitHub commit e21af685e1828f7ca65038307df5cc06de4479e8.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23591

Impact

The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel:

  library {
    function {
      signature {
        name: "SomeOp"
        description: "Self recursive op"
      }
      node_def {
        name: "1"
        op: "SomeOp"
      }
      node_def {
        name: "2"
        op: "SomeOp"
      }
    }
  } 

This would result in a stack overflow during execution as resolving each NodeDef means resolving the function itself and its nodes.

Patches

We have patched the issue in GitHub commit 448a16182065bd08a202d9057dd8ca541e67996c.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23589

Impact

Under certain scenarios, Grappler component of TensorFlow can trigger a null pointer dereference. There are 2 places where this can occur, for the same malicious alteration of a SavedModel file (fixing the first one would trigger the same dereference in the second place):

First, during constant folding, the GraphDef might not have the required nodes for the binary operation:

  NodeDef* mul_left_child = node_map_->GetNode(node->input(0));
  NodeDef* mul_right_child = node_map_->GetNode(node->input(1));
  // One child must be constant, and the second must be Conv op.
  const bool left_child_is_constant = IsReallyConstant(*mul_left_child);
  const bool right_child_is_constant = IsReallyConstant(*mul_right_child);

If a node is missing, the correposning mul_*child would be null, and the dereference in the subsequent line would be incorrect.

We have a similar issue during IsIdentityConsumingSwitch:

  NodeDef* input_node = graph.GetNode(tensor_id.node());
  return IsSwitch(*input_node);

Patches

We have patched the issue in GitHub commits 0a365c029e437be0349c31f8d4c9926b69fa3fa1 and 045deec1cbdebb27d817008ad5df94d96a08b1bf.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23571

Impact

When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments, if the tensors have an invalid dtype and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

Patches

We have patched the issue in GitHub commit 5b491cd5e41ad63735161cec9c2a568172c8b6a3.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23572

Impact

Under certain scenarios, TensorFlow can fail to specialize a type during shape inference:

void InferenceContext::PreInputInit(
    const OpDef& op_def, const std::vector<const Tensor*>& input_tensors,
    const std::vector<ShapeHandle>& input_tensors_as_shapes) {
  const auto ret = full_type::SpecializeType(attrs_, op_def);
  DCHECK(ret.status().ok()) << "while instantiating types: " << ret.status();
  ret_types_ = ret.ValueOrDie();
  // ... 
}

However, DCHECK is a no-op in production builds and an assertion failure in debug builds. In the first case execution proceeds to the ValueOrDie line. This results in an assertion failure as ret contains an error Status, not a value. In the second case we also get a crash due to the assertion failure.

Patches

We have patched the issue in GitHub commit cb164786dc891ea11d3a900e90367c339305dc7b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23588

Impact

A malicious user can cause a denial of service by altering a SavedModel such that Grappler optimizer would attempt to build a tensor using a reference dtype. This would result in a crash due to a CHECK-fail in the Tensor constructor as reference types are not allowed.

Patches

We have patched the issue in GitHub commit 6b5adc0877de832b2a7c189532dbbbc64622eeb6.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23587

Impact

Under certain scenarios, Grappler component of TensorFlow is vulnerable to an integer overflow during cost estimation for crop and resize. Since the cropping parameters are user controlled, a malicious person can trigger undefined behavior.

Patches

We have patched the issue in GitHub commit 0aaaae6eca5a7175a193696383f582f53adab23f.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23586

Impact

A malicious user can cause a denial of service by altering a SavedModel such that assertions in function.cc would be falsified and crash the Python interpreter.

Patches

We have patched the issue in GitHub commits dcc21c7bc972b10b6fb95c2fb0f4ab5a59680ec2 and 3d89911481ba6ebe8c88c1c0b595412121e6c645.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23573

Impact

The implementation of AssignOp can result in copying unitialized data to a new tensor. This later results in undefined behavior.

The implementation has a check that the left hand side of the assignment is initialized (to minimize number of allocations), but does not check that the right hand side is also initialized.

Patches

We have patched the issue in GitHub commit ef1d027be116f25e25bb94a60da491c2cf55bd0b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23585

Impact

When decoding PNG images TensorFlow can produce a memory leak if the image is invalid.
After calling png::CommonInitDecode(..., &decode), the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode(&decode). However, several error case in the function implementation invoke the OP_REQUIRES macro which immediately terminates the execution of the function, without allowing for the memory free to occur.

Patches

We have patched the issue in GitHub commit ab51e5b813573dc9f51efa335aebcf2994125ee9.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23574

Impact

There is a typo in TensorFlow's SpecializeType which results in heap OOB read/write:

for (int i = 0; i < op_def.output_arg_size(); i++) {
  // ...
  for (int j = 0; j < t->args_size(); j++) {
    auto* arg = t->mutable_args(i);
    // ...
  }
} 

Due to a typo, arg is initialized to the ith mutable argument in a loop where the loop index is j. Hence it is possible to assign to arg from outside the vector of arguments. Since this is a mutable proto value, it allows both read and write to outside of bounds data.

Patches

We have patched the issue in GitHub commit 0657c83d08845cc434175934c642299de2c0f042.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, and TensorFlow 2.6.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23584

Impact

A malicious user can cause a use after free behavior when decoding PNG images:

if (/* ... error conditions ... */) {
  png::CommonFreeDecode(&decode);
  OP_REQUIRES(context, false,
              errors::InvalidArgument("PNG size too large for int: ",
                                      decode.width, " by ", decode.height));
}   

After png::CommonFreeDecode(&decode) gets called, the values of decode.width and decode.height are in an unspecified state.

Patches

We have patched the issue in GitHub commit e746adbfcfee15e9cfdb391ff746c765b99bdf9b.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23583

Impact

A malicious user can cause a denial of service by altering a SavedModel such that any binary op would trigger CHECK failures. This occurs when the protobuf part corresponding to the tensor arguments is modified such that the dtype no longer matches the dtype expected by the op. In that case, calling the templated binary operator for the binary op would receive corrupted data, due to the type confusion involved:

functor::BinaryFunctor<Device, Functor, 1>()(
    eigen_device, out->template flat<Tout>(),
    input_0.template flat<Tin>(), input_1.template flat<Tin>(),
    error_ptr);

If Tin and Tout don't match the type of data in out and input_* tensors then flat<*> would interpret it wrongly. In most cases, this would be a silent failure, but we have noticed scenarios where this results in a CHECK crash, hence a denial of service.

Patches

We have patched the issue in GitHub commit a7c02f1a9bbc35473969618a09ee5f9f5d3e52d9.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23582

Impact

A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures.

int64_t TensorByteSize(const TensorProto& t) {
  // num_elements returns -1 if shape is not fully defined.
  int64_t num_elems = TensorShape(t.tensor_shape()).num_elements();
  return num_elems < 0 ? -1 : num_elems * DataTypeSize(t.dtype());
}

TensorShape constructor throws a CHECK-fail if shape is partial or has a number of elements that would overflow the size of an int. The PartialTensorShape constructor instead does not cause a CHECK-abort if the shape is partial, which is exactly what this function needs to be able to return -1.

Patches

We have patched the issue in GitHub commit c2426bba00a01de6913738df8fa78e0215fcce02.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23581

Impact

The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that IsSimplifiableReshape would trigger CHECK failures.

Patches

We have patched the issue in GitHub commits ebc1a2ffe5a7573d905e99bd0ee3568ee07c12c1, 1fb27733f943295d874417630edd3b38b34ce082, and 240655511cd3e701155f944a972db71b6c0b1bb6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23580

Impact

During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user:

  const auto num_dims = Value(shape_dim);
  std::vector<DimensionHandle> dims;
  dims.reserve(num_dims);

Patches

We have patched the issue in GitHub commit 1361fb7e29449629e1df94d44e0427ebec8c83c7.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23579

Impact

The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a SavedModel such that SafeToRemoveIdentity would trigger CHECK failures.

Patches

We have patched the issue in GitHub commit 92dba16749fae36c246bec3f9ba474d9ddeb7662.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23578

Impact

If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize:

Status s = params_.create_kernel(n->properties(), &item->kernel);
if (!s.ok()) {
  item->kernel = nullptr;
  s = AttachDef(s, *n);
  return s;           
}                     

Here, we set item->kernel to nullptr but it is a simple OpKernel* pointer so the memory that was previously allocated to it would leak.

Patches

We have patched the issue in GitHub commit c79ccba517dbb1a0ccb9b01ee3bd2a63748b60dd.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23575

Impact

The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements:

int64_t OpLevelCostEstimator::CalculateTensorSize(
    const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) {
  int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes);
  int size = DataTypeSize(BaseType(tensor.dtype()));
  VLOG(2) << "Count: " << count << " DataTypeSize: " << size;
  return count * size;
}

Here, count and size can be large enough to cause count * size to overflow.

Patches

We have patched the issue in GitHub commit fcd18ce3101f245b083b30655c27b239dc72221e.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23576

Impact

The implementation of OpLevelCostEstimator::CalculateOutputSize is vulnerable to an integer overflow if an attacker can create an operation which would involve tensors with large enough number of elements:

for (const auto& dim : output_shape.dim()) {
  output_size *= dim.size();
} 

Here, we can have a large enough number of dimensions in output_shape.dim() or just a small number of dimensions being large enough to cause an overflow in the multiplication.

Patches

We have patched the issue in GitHub commit b9bd6cfd1c50e6807846af9a86f9b83cafc9c8ae.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-23577

Impact

The implementation of GetInitOp is vulnerable to a crash caused by dereferencing a null pointer:

const auto& init_op_sig_it =
    meta_graph_def.signature_def().find(kSavedModelInitOpSignatureKey);
if (init_op_sig_it != sig_def_map.end()) {
  *init_op_name = init_op_sig_it->second.outputs()
                      .find(kSavedModelInitOpSignatureKey)
                      ->second.name();
  return Status::OK();
}

Here, we have a nested map and we assume that if the first .find succeeds then so would be the search in the internal map. However, the maps are built based on the SavedModel protobuf format and a malicious user can alter that on disk before loading to cause the second .find to return nullptr.

Patches

We have patched the issue in GitHub commit 4f38b1ac8e42727e18a2f0bde06d3bee8e77b250.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2021-29607

Impact

Incomplete validation in SparseAdd results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data:

import tensorflow as tf

a_indices = tf.ones([45, 92], dtype=tf.int64)
a_values = tf.ones([45], dtype=tf.int64)
a_shape = tf.ones([1], dtype=tf.int64)
b_indices = tf.ones([1, 1], dtype=tf.int64)
b_values = tf.ones([1], dtype=tf.int64)
b_shape = tf.ones([1], dtype=tf.int64)
                    
tf.raw_ops.SparseSparseMinimum(a_indices=a_indices,
    a_values=a_values,
    a_shape=a_shape,
    b_indices=b_indices,
    b_values=b_values,
    b_shape=b_shape)

The implementation has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of *_indices matches the size of corresponding *_shape. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation.

Patches

We have patched the issue in GitHub commit ba6822bd7b7324ba201a28b2f278c29a98edbef2 followed by GitHub commit f6fde895ef9c77d848061c0517f19d0ec2682f3a.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.

---

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[viezly]

Pull request by bot. No need to analyze