Closed renovate[bot] closed 3 years ago
As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 2.x releases. However, if you upgrade to 2.x manually then Renovate will reenable minor and patch updates automatically.
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.
This PR contains the following updates:
==1.14.0
->==2.4.0
GitHub Vulnerability Alerts
CVE-2019-16778
Impact
A heap buffer overflow in
UnsortedSegmentSum
can be produced when theIndex
template argument isint32
. In this casedata_size
andnum_segments
fields are truncated fromint64
toint32
and can produce negative numbers, resulting in accessing out of bounds heap memory.This is unlikely to be exploitable and was detected and fixed internally. We are making the security advisory only to notify users that it is better to update to TensorFlow 1.15 or 2.0 or later as these versions already have this fixed.
Patches
Patched by db4f9717c41bccc3ce10099ab61996b246099892 and released in all official releases after 1.15 and 2.0.
For more information
Please consult
SECURITY.md
for more information regarding the security model and how to contact us with issues and questions.CVE-2020-5215
Impact
Converting a string (from Python) to a
tf.float16
value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode.This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a
tf.float16
value.Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar
tf.float16
value with a scalar string will trigger this issue due to automatic conversions.This can be easily reproduced by
tf.constant("hello", tf.float16)
, if eager execution is enabled.Patches
We have patched the vulnerability in GitHub commit 5ac1b9.
We are additionally releasing TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched.
TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected.
We encourage users to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0.
For more information
Please consult
SECURITY.md
for more information regarding the security model and how to contact us with issues and questions.CVE-2020-15195
Impact
The implementation of
SparseFillEmptyRowsGrad
uses a double indexing pattern: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L263-L269It is possible for
reverse_index_map(i)
to be an index outside of bounds ofgrad_values
, thus resulting in a heap buffer overflow.Patches
We have patched the issue in 390611e0d45c5793c7066110af37c8514e6a6c54 and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15204
Impact
In eager mode, TensorFlow does not set the session state. Hence, calling
tf.raw_ops.GetSessionHandle
ortf.raw_ops.GetSessionHandleV2
results in a null pointer dereference: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/session_ops.cc#L45In the above snippet, in eager mode,
ctx->session_state()
returnsnullptr
. Since code immediately dereferences this, we get a segmentation fault.Patches
We have patched the issue in 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1 and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15211
Impact
In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor:https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/kernel_util.cc#L36
However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative
-1
value as index for these tensors: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/c/common.h#L82This results in special casing during validation at model loading time: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/core/subgraph.cc#L566-L580
Unfortunately, this means that the
-1
index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays.This results in both read and write gadgets, albeit very limited in scope.
Patches
We have patched the issue in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83). We will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Workarounds
A potential workaround would be to add a custom
Verifier
to the model loading code to ensure that only operators which accept optional inputs use the-1
special value and only for the tensors that they expect to be optional. Since this allow-list type approach is erro-prone, we advise upgrading to the patched code.For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15210
Impact
If a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption.
Patches
We have patched the issue in d58c96946b and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Workarounds
A potential workaround would be to add a custom
Verifier
to the model loading code to ensure that no operator reuses tensors as both inputs and outputs. Care should be taken to check all types of inputs (i.e., constant or variable tensors as well as optional tensors).For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been discovered from a variant analysis of GHSA-cvpc-8phh-8f45.
CVE-2020-15202
Impact
The
Shard
API in TensorFlow expects the last argument to be a function taking twoint64
(i.e.,long long
) arguments: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/work_sharder.h#L59-L60However, there are several places in TensorFlow where a lambda taking
int
orint32
arguments is being used: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L204-L205 https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L317-L318In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption.
Patches
We have patched the issue in 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575. We will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15208
Impact
When determining the common dimension size of two tensors, TFLite uses a
DCHECK
which is no-op outside of debug compilation modes: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/types.h#L437-L442Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this is larger than that of the second tensor. In turn, this would result in reads/writes outside of bounds since the interpreter will wrongly assume that there is enough data in both tensors.
Patches
We have patched the issue in 8ee24e7949a20 and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15209
Impact
A crafted TFLite model can force a node to have as input a tensor backed by a
nullptr
buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized withnullptr
: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/core/subgraph.cc#L1224-L1227However, by changing the buffer index for a tensor and implicitly converting that tensor to be a read-write one, as there is nothing in the model that writes to it, we get a null pointer dereference.
Patches
We have patched the issue in 0b5662bc and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360 but was also discovered through variant analysis of GHSA-cvpc-8phh-8f45.
CVE-2020-15194
Impact
The
SparseFillEmptyRowsGrad
implementation has incomplete validation of the shapes of its arguments: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L235-L241Although
reverse_index_map_t
andgrad_values_t
are accessed in a similar pattern, onlyreverse_index_map_t
is validated to be of proper shape. Hence, malicious users can pass a badgrad_values_t
to trigger an assertion failure invec
, causing denial of service in serving installations.Patches
We have patched the issue in 390611e0d45c5793c7066110af37c8514e6a6c54 and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability is a variant of GHSA-63xm-rx5p-xvqr
CVE-2020-15205
Impact
The
data_splits
argument oftf.raw_ops.StringNGrams
lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memoryAll the binary strings after
ee ff
are contents from the memory stack. Since these can contain return addresses, this data leak can be used to defeat ASLR.Patches
We have patched the issue in 0462de5b544ed4731aa2fb23946ac22c01856b80 and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15207
Impact
To mimic Python's indexing with negative values, TFLite uses
ResolveAxis
to convert negative values to positive indices. However, the only check that the converted index is now valid is only present in debug builds: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reduce.h#L68-L72If the
DCHECK
does not trigger, then code execution moves ahead with a negative index. This, in turn, results in accessing data out of bounds which results in segfaults and/or data corruption.Patches
We have patched the issue in 2d88f470dea2671b430884260f3626b1fe99830a and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15203
Impact
By controlling the
fill
argument oftf.strings.as_string
, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in aprintf
call is constructed: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74This can result in unexpected output:
However, passing in
n
ors
results in segmentation fault.Patches
We have patched the issue in 33be22c65d86256e6826666662e40dbdfe70ee83 and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15206
Impact
Changing the TensorFlow's
SavedModel
protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products usingtensorflow-serving
or other inference-as-a-service installments.We have added fixes to this in f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier versions). However, this was not enough, as #41097 reports a different failure mode.
Patches
We have patched the issue in adf095206f25471e864a8e63a0f1caef53a0e3a6 and will release patch releases for all versions between 1.15 and 2.3. Patch releases for versions between 1.15 and 2.1 will also contain cherry-picks of f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Shuaike Dong, from Alipay Tian Qian Security Lab && Lab for Applied Security Research, CUHK.
CVE-2020-15190
Impact
The
tf.raw_ops.Switch
operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor.However, the eager runtime traverses all tensors in the output: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/common_runtime/eager/kernel_and_device.cc#L308-L313
Since only one of the tensors is defined, the other one is
nullptr
, hence we are binding a reference tonullptr
. This is undefined behavior and reported as an error if compiling with-fsanitize=null
. In this case, this results in a segmentation faultPatches
We have patched the issue in da8558533d925694483d2c136a9220d6d49d843c and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-15265
Impact
An attacker can pass an invalid
axis
value totf.quantization.quantize_and_dequantize
:This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation:
However,
dim_size
only does aDCHECK
to validate the argument and then uses it to access the corresponding element of an array:Since in normal builds,
DCHECK
-like macros are no-ops, this results in segfault and access out of bounds of the array.Patches
We have patched the issue in eccb7ec454e6617738554a255d77f08e60ee0808 and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported in #42105
CVE-2020-15266
Impact
When the
boxes
argument oftf.image.crop_and_resize
has a very large value, the CPU kernel implementation receives it as a C++nan
floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.Patches
We have patched the issue in c0319231333f0f16e1cc75ec83660b01fedd4182 and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported in #42129
CVE-2020-26270
Impact
Running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a
CHECK
failure when using the CUDA backend.This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.
Patches
We have patched the issue in GitHub commit 14755416e364f17fb1870882fa778c7fec7f16e3 and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
CVE-2020-26267
Impact
The
tf.raw_ops.DataFormatVecPermute
API does not validate thesrc_format
anddst_format
attributes. The code assumes that these two arguments define a permutation ofNHWC
.However, these assumptions are not checked and this can result in uninitialized memory accesses, read outside of bounds and even crashes.
A similar issue occurs in
tf.raw_ops.DataFormatDimMap
, for the same reasons:Patches
We have patched the issue in GitHub commit ebc70b7a592420d3d2f359e4b1694c236b82c7ae and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-26271
Impact
Under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The
MakeEdge
function creates an edge between one output tensor of thesrc
node (given byoutput_index
) and the input slot of thedst
node (given byinput_index
). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the correspondingDataType
values and comparing these for equality:However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays.
In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library.
Patches
We have patched the issue in GitHub commit 0cc38aaa4064fd9e79101994ce9872c6d91f816b and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
CVE-2020-26268
Impact
The
tf.raw_ops.ImmutableConst
operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area:If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault.
This is because the alocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overriden.
Patches
We have patched the issue in GitHub commit c1e1fc899ad5f8c725dcbb6470069890b5060bc7 and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
CVE-2020-26266
Impact
Under certain cases, a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen:
Patches
We have patched the issue in GitHub commit ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2 and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases between 1.15 and 2.3 inclusive.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Renovate configuration
:date: Schedule: "" in timezone Europe/Berlin.
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.