chore(deps): update dependency tensorflow to v2 [security]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tensorflow	`==1.14.0` -> `==2.7.2`

GitHub Vulnerability Alerts

CVE-2022-35935

Impact

The implementation of SobolSampleOp is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by assuming input(0), input(1), and input(2) to be scalar.

import tensorflow as tf
tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1]))

Patches

We have patched the issue in GitHub commit c65c67f88ad770662e8f191269a907bf2b94b1bf.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by:

Kang Hong Jin from Singapore Management University
Neophytos Christou, Secure Systems Labs, Brown University
刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology

CVE-2022-35934

Impact

The implementation of tf.reshape op in TensorFlow is vulnerable to a denial of service via CHECK-failure (assertion failure) caused by overflowing the number of elements in a tensor:

import tensorflow as tf

tf.reshape(tensor=[[1]],shape=tf.constant([0 for i in range(255)], dtype=tf.int64))

This is another instance of TFSA-2021-198 (https://github.com/advisories/GHSA-prcg-wp5q-rv7p).

Patches

We have patched the issue in GitHub commit 61f0f9b94df8c0411f0ad0ecc2fec2d3f3c33555.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin from Singapore Management University.

CVE-2022-35937

Impact

The GatherNd function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read is triggered.

Patches

We have patched the issue in GitHub commit 595a65a3e224a0362d7e68c2213acfc2b499a196.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Hui Peng from Baidu Security.

CVE-2022-36027

Impact

When converting transposed convolutions using per-channel weight quantization the converter segfaults and crashes the Python process.

import tensorflow as tf

class QuantConv2DTransposed(tf.keras.layers.Layer):
    def build(self, input_shape):
        self.kernel = self.add_weight("kernel", [3, 3, input_shape[-1], 24])

    def call(self, inputs):
        filters = tf.quantization.fake_quant_with_min_max_vars_per_channel(
            self.kernel, -3.0 * tf.ones([24]), 3.0 * tf.ones([24]), narrow_range=True
        )
        filters = tf.transpose(filters, (0, 1, 3, 2))
        return tf.nn.conv2d_transpose(inputs, filters, [*inputs.shape[:-1], 24], 1)

inp = tf.keras.Input(shape=(6, 8, 48), batch_size=1)
x = tf.quantization.fake_quant_with_min_max_vars(inp, -3.0, 3.0, narrow_range=True)
x = QuantConv2DTransposed()(x)
x = tf.quantization.fake_quant_with_min_max_vars(x, -3.0, 3.0, narrow_range=True)

model = tf.keras.Model(inp, x)

model.save("/tmp/testing")
converter = tf.lite.TFLiteConverter.from_saved_model("/tmp/testing")
converter.optimizations = [tf.lite.Optimize.DEFAULT]

# terminated by signal SIGSEGV (Address boundary error)
tflite_model = converter.convert()

Patches

We have patched the issue in GitHub commit aa0b852a4588cea4d36b74feb05d93055540b450.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Lukas Geiger via Github issue.

CVE-2022-35939

Impact

The ScatterNd function takes an input argument that determines the indices of of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash.

Patches

We have patched the issue in GitHub commit b4d4b4cb019bd7240a52daa4ba61e3cc814f0384.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Hui Peng from Baidu Security.

CVE-2022-36019

Impact

If FakeQuantWithMinMaxVarsPerChannel is given min or max tensors of a rank other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

num_bits = 8
narrow_range = False
inputs = tf.constant(0, shape=[4], dtype=tf.float32)
min = tf.constant([], shape=[4,0,0], dtype=tf.float32)
max = tf.constant(0, shape=[4], dtype=tf.float32)
tf.raw_ops.FakeQuantWithMinMaxVarsPerChannel(inputs=inputs, min=min, max=max, num_bits=num_bits, narrow_range=narrow_range)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-36018

Impact

If RaggedTensorToVariant is given a rt_nested_splits list that contains tensors of ranks other than one, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

batched_input = True
rt_nested_splits = tf.constant([0,32,64], shape=[3], dtype=tf.int64)
rt_dense_values = tf.constant([0,32,64], shape=[3], dtype=tf.int64)
tf.raw_ops.RaggedTensorToVariant(rt_nested_splits=rt_nested_splits, rt_dense_values=rt_dense_values, batched_input=batched_input)

Patches

We have patched the issue in GitHub commit 88f93dfe691563baa4ae1e80ccde2d5c7a143821.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-36026

Impact

If QuantizeAndDequantizeV3 is given a nonscalar num_bits input tensor, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

signed_input = True
range_given = False
narrow_range = False
axis = -1
input = tf.constant(-3.5, shape=[1], dtype=tf.float32)
input_min = tf.constant(-3.5, shape=[1], dtype=tf.float32)
input_max = tf.constant(-3.5, shape=[1], dtype=tf.float32)
num_bits = tf.constant([], shape=[0], dtype=tf.int32)
tf.raw_ops.QuantizeAndDequantizeV3(input=input, input_min=input_min, input_max=input_max, num_bits=num_bits, signed_input=signed_input, range_given=range_given, narrow_range=narrow_range, axis=axis)

Patches

We have patched the issue in GitHub commit f3f9cb38ecfe5a8a703f2c4a8fead434ef291713.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35941

Impact

The AvgPoolOp function takes an argument ksize that must be positive but is not checked. A negative ksize can trigger a CHECK failure and crash the program.

import tensorflow as tf
import numpy as np

value = np.ones([1, 1, 1, 1])
ksize = [1, 1e20, 1, 1]
strides = [1, 1, 1, 1]
padding = 'SAME'
data_format = 'NHWC'

tf.raw_ops.AvgPool(value=value, ksize=ksize, strides=strides, padding=padding, data_format=data_format)

Patches

We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35987

Impact

DenseBincount assumes its input tensor weights to either have the same shape as its input tensor input or to be length-0. A different weights shape will trigger a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf
binary_output = True
input = tf.random.uniform(shape=[0, 0], minval=-10000, maxval=10000, dtype=tf.int32, seed=-2460)
size = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int32, seed=-10000)
weights = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.float32, seed=-10000)
tf.raw_ops.DenseBincount(input=input, size=size, weights=weights, binary_output=binary_output)

Patches

We have patched the issue in GitHub commit bf4c14353c2328636a18bfad1e151052c81d5f43.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University

CVE-2022-36012

Impact

When mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes, it crashes.

// We pre-allocate the array of operands and populate it using the
// `output_name_to_position` and `control_output_to_position` populated
// previously.
SmallVector<Value> ret_vals(func.ret_size() + func.control_ret_size(),
                            Value());
for (const auto& ret_val : func.ret()) {
  auto position = output_name_to_position.find(ret_val.first);
  if (position == output_name_to_position.end())
    return InvalidArgument(
        "Can't import function, returned value references unknown output "
        "argument ",
        ret_val.first);
  ret_vals[position->second] =
      value_manager.GetValueOrCreatePlaceholder(ret_val.second);
}
for (const auto& ret_val : func.control_ret()) {
  auto position = control_output_to_position.find(ret_val.first);
  if (position == control_output_to_position.end())
    return InvalidArgument(
        "Can't import function, returned value references unknown output "
        "argument ",
        ret_val.first);
  Value result = value_manager.GetValueOrCreatePlaceholder(
      (Twine("^") + ret_val.second).str());

ret_val.second cannot be empty. Neither can input.

// Process every node and create a matching MLIR operation
for (const NodeDef& node : nodes) {
  if (node.op().empty()) return InvalidArgument("empty op type");
  OperationState state(unknown_loc, absl::StrCat("tfg.", node.op()));
  // Fetch the inputs, creating placeholder if an input hasn't been visited.
  for (const std::string& input : node.input())
    state.operands.push_back(
        value_manager.GetValueOrCreatePlaceholder(input));

Patches

We have patched the issue in GitHub commit ad069af92392efee1418c48ff561fd3070a03d7b.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36015

Impact

When RangeSize receives values that do not fit into an int64_t, it crashes.

  auto size = (std::is_integral<T>::value
                   ? ((Eigen::numext::abs(limit - start) +
                       Eigen::numext::abs(delta) - T(1)) /
                      Eigen::numext::abs(delta))
                   : (Eigen::numext::ceil(
                         Eigen::numext::abs((limit - start) / delta))));

  // This check does not cover all cases.
  if (size > std::numeric_limits<int64_t>::max()) {
    return errors::InvalidArgument("Requires ((limit - start) / delta) <= ",
                                   std::numeric_limits<int64_t>::max());
  }

  c->set_output(0, c->Vector(static_cast<int64_t>(size)));
  return Status::OK();
}

Patches

We have patched the issue in GitHub commit 37e64539cd29fcfb814c4451152a60f5d107b0f0. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36014

Impact

When mlir::tfg::TFOp::nameAttr receives null type list attributes, it crashes.


StatusOr<unsigned> GraphDefImporter::ArgNumType(const NamedAttrList &attrs,
                                                const OpDef::ArgDef &arg_def,
                                                SmallVectorImpl<Type> &types) {
  // Check whether a type list attribute is specified.
  if (!arg_def.type_list_attr().empty()) {
    if (auto v = attrs.get(arg_def.type_list_attr()).dyn_cast<ArrayAttr>()) {
      for (Attribute attr : v) {
        if (auto dtype = attr.dyn_cast<TypeAttr>()) {
          types.push_back(UnrankedTensorType::get(dtype.getValue()));
        } else {
          return InvalidArgument("Expected '", arg_def.type_list_attr(),
                                 "' to be a list of types");
        }
      }
      return v.size();
    }
    return NotFound("Type attr not found: ", arg_def.type_list_attr());
  }

  unsigned num = 1;
  // Check whether a number attribute is specified.
  if (!arg_def.number_attr().empty()) {
    if (auto v = attrs.get(arg_def.number_attr()).dyn_cast<IntegerAttr>()) {
      num = v.getValue().getZExtValue();
    } else {
      return NotFound("Type attr not found: ", arg_def.number_attr());
    }
  }

  // Check for a type or type attribute.
  Type dtype;
  if (arg_def.type() != DataType::DT_INVALID) {
    TF_RETURN_IF_ERROR(ConvertDataType(arg_def.type(), b_, &dtype));
  } else if (arg_def.type_attr().empty()) {
    return InvalidArgument("Arg '", arg_def.name(),
                           "' has invalid type and no type attribute");
  } else {
    if (auto v = attrs.get(arg_def.type_attr()).dyn_cast<TypeAttr>()) {
      dtype = v.getValue();
    } else {
      return NotFound("Type attr not found: ", arg_def.type_attr());
    }
  }
  types.append(num, UnrankedTensorType::get(dtype));
  return num;
}

Patches

We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36004

Impact

When tf.random.gamma receives large input shape and rates, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536)
arg_1=tf.random.uniform(shape=(4, 4), dtype=tf.float64, maxval=None)
arg_2=tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float64, maxval=None)
arg_3=tf.float64
arg_4=48
arg_5='None'
tf.random.gamma(shape=arg_0, alpha=arg_1, beta=arg_2, dtype=arg_3, seed=arg_4, name=arg_5)

Patches

We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36016

Impact

When tensorflow::full_type::SubstituteFromAttrs receives a FullTypeDef& t that is not exactly three args, it triggers a CHECK-fail instead of returning a status.

Status SubstituteForEach(AttrMap& attrs, FullTypeDef& t) {
  DCHECK_EQ(t.args_size(), 3);

  const auto& cont = t.args(0);
  const auto& tmpl = t.args(1);
  const auto& t_var = t.args(2);

Patches

We have patched the issue in GitHub commit 6104f0d4091c260ce9352f9155f7e9b725eab012. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-35995

Impact

When AudioSummaryV2 receives an input sample_rate with more than one element, it gives a CHECK fails that can be used to trigger a denial of service attack.

import tensorflow as tf
arg_0=''
arg_1=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_2=tf.random.uniform(shape=(2,1), dtype=tf.float32, maxval=None)
arg_3=3
arg_4=''
tf.raw_ops.AudioSummaryV2(tag=arg_0, tensor=arg_1, sample_rate=arg_2,
                          max_outputs=arg_3, name=arg_4)

Patches

We have patched the issue in GitHub commit bf6b45244992e2ee543c258e519489659c99fb7f.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36005

Impact

When tf.quantization.fake_quant_with_min_max_vars_gradient receives input min or max that is nonscalar, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np 
arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_1=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_2=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_3=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_4=8
arg_5=False
arg_6=''
tf.quantization.fake_quant_with_min_max_vars_gradient(gradients=arg_0, inputs=arg_1,
min=arg_2, max=arg_3, num_bits=arg_4, narrow_range=arg_5, name=arg_6)

Patches

We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by

刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology
Neophytos Christou, Secure Systems Labs, Brown University

CVE-2022-36003

Impact

When RandomPoissonV2 receives large input shape and rates, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536)
arg_1=tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float32, maxval=None)
arg_2=0
arg_3=0
arg_4=tf.int32
arg_5=None
tf.raw_ops.RandomPoissonV2(shape=arg_0, rate=arg_1, seed=arg_2,
                           seed2=arg_3, dtype=arg_4, name=arg_5)

Patches

We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36017

Impact

If Requantize is given input_min, input_max, requested_output_min, requested_output_max tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.quint8
input = tf.constant([1], shape=[3], dtype=tf.qint32)
input_min = tf.constant([], shape=[0], dtype=tf.float32)
input_max = tf.constant(-256, shape=[1], dtype=tf.float32)
requested_output_min = tf.constant(-256, shape=[1], dtype=tf.float32)
requested_output_max = tf.constant(-256, shape=[1], dtype=tf.float32)
tf.raw_ops.Requantize(input=input, input_min=input_min, input_max=input_max, requested_output_min=requested_output_min, requested_output_max=requested_output_max, out_type=out_type)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-36011

Impact

When mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes, it gives a null dereference.

// Import the function attributes with a `tf.` prefix to match the current
// infrastructure expectations.
for (const auto& namedAttr : func.attr()) {
  const std::string& name = "tf." + namedAttr.first;
  const AttrValue& tf_attr = namedAttr.second;
  TF_ASSIGN_OR_RETURN(Attribute attr,
                      ConvertAttributeValue(tf_attr, builder, tfgDialect));
  attrs.append(name, attr);
}

If namedAttr.first is empty, it will crash.

Patches

We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36013

Impact

When mlir::tfg::GraphDefImporter::ConvertNodeDef tries to convert NodeDefs without an op name, it crashes.

Status GraphDefImporter::ConvertNodeDef(OpBuilder &builder, ConversionState &s,
                                        const NodeDef &node) {
  VLOG(4) << "Importing: " << node.name();
  OperationState state(ConvertLocation(node), absl::StrCat("tfg.", node.op()));

  // The GraphImporter does light shape inference, but here we will defer all of
  // that to the shape inference pass.
  const OpDef *op_def;
  const OpRegistrationData *op_reg_data = nullptr;
  if ((op_reg_data = registry_.LookUp(node.op()))) {
    op_def = &op_reg_data->op_def;
  } else {
    auto it = function_op_defs_.find(node.op());
    if (it == function_op_defs_.end())
      return InvalidArgument("Unable to find OpDef for ", node.op());
    op_def = it->second;
  }

node.op().empty() cannot be empty.

Patches

We have patched the issue in GitHub commit a0f0b9a21c9270930457095092f558fbad4c03e5.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36002

Impact

When Unbatch receives a nonscalar input id, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np
arg_0=tf.constant(value=np.random.random(size=(3, 3, 1)), dtype=tf.float64)
arg_1=tf.constant(value=np.random.randint(0,100,size=(3, 3, 1)), dtype=tf.int64)
arg_2=tf.constant(value=np.random.randint(0,100,size=(3, 3,  1)), dtype=tf.int64)
arg_3=47
arg_4=''
arg_5=''
tf.raw_ops.Unbatch(batched_tensor=arg_0, batch_index=arg_1, id=arg_2, 
                   timeout_micros=arg_3, container=arg_4, shared_name=arg_5)

Patches

We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36000

Impact

Eig can be fed an incorrect Tout input, resulting in a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np 
arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_1=tf.complex128
arg_2=True
arg_3=''
tf.raw_ops.Eig(input=arg_0, Tout=arg_1, compute_v=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36001

Impact

When DrawBoundingBoxes receives an input boxes that is not of dtype float, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np
arg_0=tf.constant(value=np.random.random(size=(1, 3, 2, 3)), shape=(1, 3, 2, 3), dtype=tf.half)
arg_1=tf.constant(value=np.random.random(size=(1, 2, 4)), shape=(1, 2, 4), dtype=tf.float32)
arg_2=''
tf.raw_ops.DrawBoundingBoxes(images=arg_0, boxes=arg_1, name=arg_2)

Patches

We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35998

Impact

If EmptyTensorList receives an input element_shape with more than one dimension, it gives a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

tf.raw_ops.EmptyTensorList(element_shape=tf.ones(dtype=tf.int32, shape=[1, 0]), max_num_elements=tf.constant(1),element_dtype=tf.int32)

Patches

We have patched the issue in GitHub commit c8ba76d48567aed347508e0552a257641931024d.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin.

CVE-2022-35996

Impact

If Conv2D is given empty input and the filter and padding sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack.

import tensorflow as tf
import numpy as np
with tf.device("CPU"): # also can be triggerred on GPU
   input = np.ones([1, 0, 2, 1])
   filter = np.ones([1, 1, 1, 1])
   strides = ([1, 1, 1, 1])
   padding = "EXPLICIT"
   explicit_paddings = [0 , 0, 1, 1, 1, 1, 0, 0]
   data_format = "NHWC"
   res = tf.raw_ops.Conv2D(
       input=input,
       filter=filter,
       strides=strides,
       padding=padding,
        explicit_paddings=explicit_paddings,
       data_format=data_format,
  )

Patches

We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35959

Impact

The implementation of AvgPool3DGradOp does not fully validate the input orig_input_shape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack:

import tensorflow as tf

ksize = [1, 1, 1, 1, 1]
strides = [1, 1, 1, 1, 1]
padding = "SAME"
data_format = "NDHWC"
orig_input_shape = tf.constant(1879048192, shape=[5], dtype=tf.int32)
grad = tf.constant(1, shape=[1,3,2,4,2], dtype=tf.float32)
tf.raw_ops.AvgPool3DGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format)

Patches

We have patched the issue in GitHub commit 9178ac9d6389bdc54638ab913ea0e419234d14eb.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35960

Impact

In core/kernels/list_kernels.cc's TensorListReserve, num_elements is assumed to be a tensor of size 1. When a num_elements of more than 1 element is provided, then tf.raw_ops.TensorListReserve fails the CHECK_EQ in CheckIsAlignedAndSingleElement.

import tensorflow as tf

tf.raw_ops.TensorListReserve(element_shape=(1,1), num_elements=tf.constant([1,1], dtype=tf.int32), element_dtype=tf.int8)

Patches

We have patched the issue in GitHub commit b5f6fbfba76576202b72119897561e3bd4f179c7.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin from Singapore Management University.

CVE-2022-35994

Impact

When CollectiveGather receives an scalar input input, it gives a CHECK fails that can be used to trigger a denial of service attack.

import tensorflow as tf
arg_0=1
arg_1=1
arg_2=1
arg_3=1
arg_4=(3, 3,3)
arg_5='auto'
arg_6=0
arg_7=''
tf.raw_ops.CollectiveGather(input=arg_0, group_size=arg_1, group_key=arg_2,
                            instance_key=arg_3, shape=arg_4,
                            communication_hint=arg_5, timeout_seconds=arg_6, name=arg_7)

Patches

We have patched the issue in GitHub commit c1f491817dec39a26be3c574e86a88c30f3c4770.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35940

Impact

The RaggedRangOp function takes an argument limits that is eventually used to construct a TensorShape as an int64. If limits is a very large float, it can overflow when converted to an int64. This triggers an InvalidArgument but also throws an abort signal that crashes the program.

import tensorflow as tf
tf.raw_ops.RaggedRange(starts=[1.1,0.1],limits=[10.0,1e20],deltas=[1,1])

Patches

We have patched the issue in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35952

Impact

The UnbatchGradOp function takes an argument id that is assumed to be a scalar. A nonscalar id can trigger a CHECK failure and crash the program.

import numpy as np
import tensorflow as tf

# `id` is not scalar
tf.raw_ops.UnbatchGrad(original_input= tf.constant([1]),batch_index=tf.constant([[0,0,0 ], ], dtype=tf.int64),grad=tf.constant([1,]),id=tf.constant([1,1,], dtype=tf.int64))

It also requires its argument batch_index to contain three times the number of elements as indicated in its batch_index.dim_size(0). An incorrect batch_index can trigger a CHECK failure and crash the program.

import numpy as np
import tensorflow as tf

# batch_index's size is not 3
tf.raw_ops.UnbatchGrad(original_input= tf.constant([1]),batch_index=tf.constant([[0,0], ], dtype=tf.int64),grad=tf.constant([1,]),id=tf.constant([1,], dtype=tf.int64))

Patches

We have patched the issue in GitHub commit 5f945fc6409a3c1e90d6970c9292f805f6e6ddf2.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin from Singapore Management University and 刘力源 from the Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology

CVE-2022-35963

Impact

The implementation of FractionalAvgPoolGrad does not fully validate the input orig_input_tensor_shape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack.

import tensorflow as tf

overlapping = True
orig_input_tensor_shape = tf.constant(-1879048192, shape=[4], dtype=tf.int64)
out_backprop = tf.constant([], shape=[0,0,0,0], dtype=tf.float64)
row_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64)
col_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64)
tf.raw_ops.FractionalAvgPoolGrad(orig_input_tensor_shape=orig_input_tensor_shape, out_backprop=out_backprop, row_pooling_sequence=row_pooling_sequence, col_pooling_sequence=col_pooling_sequence, overlapping=overlapping)

Patches

We have patched the issue in GitHub commit 03a659d7be9a1154fdf5eeac221e5950fec07dad.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35964

Impact

The implementation of BlockLSTMGradV2 does not fully validate its inputs.

wci, wcf, wco, b must be rank 1
w, cs_prev,h_prev` must be rank 2
x must be rank 3 This results in a a segfault that can be used to trigger a denial of service attack.
```
import tensorflow as tf
```

use_peephole = False seq_len_max = tf.constant(1, shape=[], dtype=tf.int64) x = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) w = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wci = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wcf = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wco = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) b = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) i = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) f = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) o = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) ci = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) co = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs_grad = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h_grad = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) tf.raw_ops.BlockLSTMGradV2(seq_len_max=seq_len_max, x=x, cs_prev=cs_prev, h_prev=h_prev, w=w, wci=wci, wcf=wcf, wco=wco, b=b, i=i, cs=cs, f=f, o=o, ci=ci, co=co, h=h, cs_grad=cs_grad, h_grad=h_grad, use_peephole=use_peephole)


### Patches
We have patched the issue in GitHub commit [2a458fc4866505be27c62f81474ecb2b870498fa](https://togithub.com/tensorflow/tensorflow/commit/2a458fc4866505be27c62f81474ecb2b870498fa).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information
Please consult [our security guide](https://togithub.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution
This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

#### [CVE-2022-35993](https://togithub.com/tensorflow/tensorflow/security/advisories/GHSA-wq6q-6m32-9rv9)

### Impact
When `SetSize` receives an input `set_shape` that is not a 1D tensor, it gives a `CHECK` fails that can be used to trigger a denial of service attack.
```python
import tensorflow as tf
arg_0=1
arg_1=[1,1]
arg_2=1
arg_3=True
arg_4=''
tf.raw_ops.SetSize(set_indices=arg_0, set_values=arg_1, set_shape=arg_2,
                   validate_indices=arg_3, name=arg_4)

Patches

We have patched the issue in GitHub commit cf70b79d2662c0d3c6af74583641e345fc939467.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35992

Impact

When TensorListFromTensor receives an element_shape of a rank greater than one, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(6, 6, 2), dtype=tf.bfloat16, maxval=None)
arg_1=tf.random.uniform(shape=(6, 9, 1, 3), dtype=tf.int64, maxval=65536)
arg_2=''
tf.raw_ops.TensorListFromTensor(tensor=arg_0, element_shape=arg_1, name=arg_2)

Patches

We have patched the issue in GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35965

Impact

If LowerBound or UpperBound is given an emptysorted_inputs input, it results in a nullptr dereference, leading to a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.int32
sorted_inputs = tf.constant([], shape=[10,0], dtype=tf.float32)
values = tf.constant([], shape=[10,10,0,10,0], dtype=tf.float32)
tf.raw_ops.LowerBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type)

import tensorflow as tf

out_type = tf.int64
sorted_inputs = tf.constant([], shape=[2,2,0,0,0,0,0,2], dtype=tf.float32)
values = tf.constant(0.372660398, shape=[2,4], dtype=tf.float32)
tf.raw_ops.UpperBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type)

Patches

We have patched the issue in GitHub commit bce3717eaef4f769019fd18e990464ca4a2efeea.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35991

Impact

When TensorListScatter and TensorListScatterV2 receive an element_shape of a rank greater than one, they give a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None)
arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_3=''
tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, 
element_shape=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit bb03fdf4aae944ab2e4b35c7daa051068a8b7f61.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35990

Impact

When tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient receives input min or max of rank other than 1, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_1=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_2=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_3=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_4=8
arg_5=False
arg_6=None
tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient(gradients=arg_0, 
            inputs=arg_1, min=arg_2,  max=arg_3, num_bits=arg_4, 
            narrow_range=arg_5, name=arg_6)

Patches

We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed.

For more information

Please consult our security guide for more information regarding the security model and how to

technologiestiftung / maps-latent-space