Update dependency tensorflow to ~2.11.0 [SECURITY]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tensorflow	~2.8 -> ~2.11.0

GitHub Vulnerability Alerts

CVE-2022-41884

Impact

If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. E.g. the following raises an error:

np.ones((0, 2**31, 2**31))

An example of a proof of concept:

import numpy as np
import tensorflow as tf

input_val = tf.constant([1])
shape_val = np.array([i for i in range(21)])

tf.broadcast_to(input=input_val,shape=shape_val)

The return value of PyArray_SimpleNewFromData, which returns null on such shapes, is not checked.

Patches

We have patched the issue in GitHub commit 2b56169c16e375c521a3bc8ea658811cc0793784.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattanukul.

CVE-2022-41886

Impact

When tf.raw_ops.ImageProjectiveTransformV2 is given a large output shape, it overflows.

import tensorflow as tf

interpolation = "BILINEAR"
fill_mode = "REFLECT"
images = tf.constant(0.184634328, shape=[2,5,8,3], dtype=tf.float32)
transforms = tf.constant(0.378575385, shape=[2,8], dtype=tf.float32)
output_shape = tf.constant([1879048192,1879048192], shape=[2], dtype=tf.int32)
tf.raw_ops.ImageProjectiveTransformV2(images=images, transforms=transforms, output_shape=output_shape, interpolation=interpolation, fill_mode=fill_mode)

Patches

We have patched the issue in GitHub commit 8faa6ea692985dbe6ce10e1a3168e0bd60a723ba.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou from the Secure Systems Lab (SSL) at Brown University.

CVE-2022-41887

Impact

tf.keras.losses.poisson receives a y_pred and y_true that are passed through functor::mul in BinaryOp. If the resulting dimensions overflow an int32, TensorFlow will crash due to a size mismatch during broadcast assignment.

import numpy as np
import tensorflow as tf

true_value = tf.reshape(shape=[1, 2500000000], tensor = tf.zeros(dtype=tf.bool, shape=[50000, 50000]))
pred_value = np.array([[[-2]], [[8]]], dtype = np.float64)

tf.keras.losses.poisson(y_true=true_value,y_pred=pred_value)

Patches

We have patched the issue in GitHub commit c5b30379ba87cbe774b08ac50c1f6d36df4ebb7c.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1 and 2.9.3, as these are also affected and still in supported range. However, we will not cherrypick this commit into TensorFlow 2.8.x, as it depends on Eigen behavior that changed between 2.8 and 2.9.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul.

CVE-2022-41888

Impact

When running on GPU, tf.image.generate_bounding_box_proposals receives a scores input that must be of rank 4 but is not checked.

import tensorflow as tf

a = tf.constant(value=[[1.0, 1.0], [1.0, 1.0], [1.0, 1.0], [1.0, 1.0]])
b = tf.constant(value=[1])

tf.image.generate_bounding_box_proposals(scores=a,bbox_deltas=a,image_info=a,anchors=a,pre_nms_topn=b)

Patches

We have patched the issue in GitHub commit cf35502463a88ca7185a99daa7031df60b3c1c98.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul.

CVE-2022-41889

Impact

If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extract_volume_patches by passing in quantized tensors as input ksizes.

import numpy as np
import tensorflow as tf

a_input = np.array([1, -1], dtype= np.int32)
a_ksizes =  a_strides = tf.constant(dtype=tf.dtypes.qint16, value=[[1, 4], [5, 2]])

tf.compat.v1.extract_volume_patches(input=a_input,ksizes=a_ksizes,strides=a_strides,padding='VALID')

Patches

We have patched the issue in GitHub commit e9e95553e5411834d215e6770c81a83a3d0866ce.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul.

CVE-2022-41890

Impact

If BCast::ToShape is given input larger than an int32, it will crash, despite being supposed to handle up to an int64. An example can be seen in tf.experimental.numpy.outer by passing in large input to the input b.

import tensorflow as tf
value = tf.constant(shape=[2, 1024, 1024, 1024], value=False)
tf.experimental.numpy.outer(a=6,b=value)

Patches

We have patched the issue in GitHub commit 8310bf8dd188ff780e7fc53245058215a05bdbe5.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul.

CVE-2022-41891

Impact

If tf.raw_ops.TensorListConcat is given element_shape=[], it results segmentation fault which can be used to trigger a denial of service attack.

import tensorflow as tf
tf.raw_ops.TensorListConcat(
    input_handle=tf.data.experimental.to_variant(tf.data.Dataset.from_tensor_slices([1, 2, 3])),
    element_dtype=tf.dtypes.float32,
    element_shape=[]
)

Patches

We have patched the issue in GitHub commit fc33f3dc4c14051a83eec6535b608abe1d355fde.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Tong Liu, ShanghaiTech University

CVE-2022-41893

Impact

If tf.raw_ops.TensorListResize is given a nonscalar value for input size, it results CHECK fail which can be used to trigger a denial of service attack.

import numpy as np
import tensorflow as tf

a = data_structures.tf_tensor_list_new(elements = tf.constant(value=[3, 4, 5]))
b = np.zeros([0, 2, 3, 3])

tf.raw_ops.TensorListResize(input_handle=a, size=b)

Patches

We have patched the issue in GitHub commit 888e34b49009a4e734c27ab0c43b0b5102682c56.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul

CVE-2022-41895

Impact

If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error.

import tensorflow as tf
tf.raw_ops.MirrorPadGrad(input=[1],
             paddings=[[0x77f00000,0xa000000]],
             mode = 'REFLECT')

Patches

We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Vul AI.

CVE-2022-41896

Impact

If ThreadUnsafeUnigramCandidateSampler is given input filterbank_channel_count greater than the allowed max size, TensorFlow will crash.

import tensorflow as tf
tf.raw_ops.Mfcc(
    spectrogram = [[[1.38, 6.32, 5.75, 9.51]]],
    sample_rate = 2,
    upper_frequency_limit = 5.0,
    lower_frequency_limit = 1.0,
    filterbank_channel_count = 2**31 - 1,
    dct_coefficient_count = 1
)

Patches

We have patched the issue in GitHub commit 39ec7eaf1428e90c37787e5b3fbd68ebd3c48860.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Vul AI.

CVE-2022-41897

Impact

If FractionMaxPoolGrad is given outsize inputs row_pooling_sequence and col_pooling_sequence, TensorFlow will crash.

import tensorflow as tf
tf.raw_ops.FractionMaxPoolGrad(
	orig_input = [[[[1, 1, 1, 1, 1]]]],
    orig_output = [[[[1, 1, 1]]]],
    out_backprop = [[[[3], [3], [6]]]],
    row_pooling_sequence = [-0x4000000, 1, 1], 
    col_pooling_sequence = [-0x4000000, 1, 1], 
    overlapping = False
 )

Patches

We have patched the issue in GitHub commit d71090c3e5ca325bdf4b02eb236cfb3ee823e927.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Vul AI.

CVE-2022-41898

Impact

If SparseFillEmptyRowsGrad is given empty inputs, TensorFlow will crash.

import tensorflow as tf
tf.raw_ops.SparseFillEmptyRowsGrad(
    reverse_index_map=[], grad_values=[], name=None
)

Patches

We have patched the issue in GitHub commit af4a6a3c8b95022c351edae94560acc61253a1b8.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Jiawei Liu, PhD student at University of Illinois, Urbana-Champaign.

CVE-2022-41899

Impact

Inputs dense_features or example_state_data not of rank 2 will trigger a CHECK fail in SdcaOptimizer.

import tensorflow as tf

tf.raw_ops.SdcaOptimizer(
    sparse_example_indices=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.int64, maxval=100)],
    sparse_feature_indices=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.int64, maxval=100)],
    sparse_feature_values=8 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100)],
    dense_features=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100)],
    example_weights=tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100),
    example_labels=tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100),
    sparse_indices=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.int64, maxval=100)],
    sparse_weights=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100)],
    dense_weights=4 * [tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100)],
    example_state_data=tf.random.uniform([5,5,5,3], dtype=tf.dtypes.float32, maxval=100),
    loss_type="squared_loss",
    l1=0.0,
    l2=0.0,
    num_loss_partitions=1,
    num_inner_iterations=1,
    adaptative=False,)

Patches

We have patched the issue in GitHub commit 80ff197d03db2a70c6a111f97dcdacad1b0babfa.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Zizhuang Deng of IIE, UCAS

CVE-2022-41900

Impact

An input pooling_ratio that is smaller than 1 will trigger a heap OOB in tf.raw_ops.FractionalMaxPool and tf.raw_ops.FractionalAvgPool.

Patches

We have patched the issue in GitHub commit 216525144ee7c910296f5b05d214ca1327c9ce48.

The fix will be included in TensorFlow 2.11.0. We will also cherry pick this commit on TensorFlow 2.10.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-41901

Impact

An input sparse_matrix that is not a matrix with a shape with rank 0 will trigger a CHECK fail in tf.raw_ops.SparseMatrixNNZ.

import tensorflow as tf
tf.raw_ops.SparseMatrixNNZ(sparse_matrix=[])

Patches

We have patched the issue in GitHub commit f856d02e5322821aad155dad9b3acab1e9f5d693.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Kang Hong Jin

CVE-2022-41902

Impact

The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered.

Patches

We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7.

The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-41907

Impact

When tf.raw_ops.ResizeNearestNeighborGrad is given a large size input, it overflows.

import tensorflow as tf

align_corners = True
half_pixel_centers = False
grads = tf.constant(1, shape=[1,8,16,3], dtype=tf.float16)
size = tf.constant([1879048192,1879048192], shape=[2], dtype=tf.int32)
tf.raw_ops.ResizeNearestNeighborGrad(grads=grads, size=size, align_corners=align_corners, half_pixel_centers=half_pixel_centers)

Patches

We have patched the issue in GitHub commit 00c821af032ba9e5f5fa3fe14690c8d28a657624.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Neophytos Christou from the Secure Systems Lab (SSL) at Brown University.

CVE-2022-41908

Impact

An input token that is not a UTF-8 bytestring will trigger a CHECK fail in tf.raw_ops.PyFunc.

import tensorflow as tf

value = tf.constant(value=[1,2])
token = b'\xb0'
dataType = [tf.int32]

tf.raw_ops.PyFunc(input=value,token=token,Tout=dataType)

Patches

We have patched the issue in GitHub commit 9f03a9d3bafe902c1e6beb105b2f24172f238645.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by [email protected]

CVE-2022-41909

Impact

An input encoded that is not a valid CompositeTensorVariant tensor will trigger a segfault in tf.raw_ops.CompositeTensorVariantToComponents.

import tensorflow as tf

encode = tf.raw_ops.EmptyTensorList(element_dtype=tf.int32, element_shape=[10, 15], max_num_elements=2)
meta= ""
component=[tf.int32]

print(tf.raw_ops.CompositeTensorVariantToComponents(encoded=encode,metadata=meta,Tcomponents=component))

Patches

We have patched the issue in GitHub commits bf594d08d377dc6a3354d9fdb494b32d45f91971 and 660ce5a89eb6766834bdc303d2ab3902aef99d3d.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by [email protected]

CVE-2022-41910

Impact

The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered.

import tensorflow as tf
@​tf.function
def test():
    tf.raw_ops.QuantizeAndDequantizeV2(input=[2.5],
    								   input_min=[1.0],
    								   input_max=[10.0],
    								   signed_input=True,
    								   num_bits=1,
    								   range_given=True,
    								   round_mode='HALF_TO_EVEN',
    								   narrow_range=True,
    								   axis=0x7fffffff)
test()

Patches

We have patched the issue in GitHub commit 7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb.

The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-41911

Impact

When printing a tensor, we get it's data as a const char* array (since that's the underlying storage) and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so sanitizers/fuzzers will crash.

Patches

We have patched the issue in GitHub commit 1be743703279782a357adbf9b77dcb994fe8b508.

The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.10.1, TensorFlow 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability was discovered via internal fuzzing.

GHSA-xf83-q765-xm6m

Impact

Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non scalar inputs inelement_shape, was found in eager mode and fixed.

import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None)
arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536)
arg_3=''
tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, 
element_shape=arg_2, name=arg_3)

Patches

We have patched the issue in GitHub commit bf9932fc907aff0e9e8cccf769e8b00d30fd81a1.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Pattarakrit Rattankul

GHSA-cqvq-fvhr-v6hc

Impact

Another instance of CVE-2022-35935, where SobolSample is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.

import tensorflow as tf
tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=tf.constant([1]))

Patches

We have patched the issue in GitHub commits c65c67f88ad770662e8f191269a907bf2b94b1bf and 02400ea266bd811fc016a848445de1bbff3a23a0

The fix will be included in TensorFlow 2.11. We will also cherrypick both commits on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range. TensorFlow 2.7.4 will have the first commit cherrypicked.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by:

• Kang Hong Jin from Singapore Management University
• Neophytos Christou, Secure Systems Labs, Brown University
• 刘力源, Information System & Security and Countermeasures Experiments Center, Beijing Institute of Technology
• Pattarakrit Rattankul

CVE-2022-41880

Impact

When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob vuln occurs.

tf.raw_ops.ThreadUnsafeUnigramCandidateSampler(
    true_classes=[[0x100000,1]],
    num_true = 2,
    num_sampled = 2,
    unique = False,
    range_max = 2,
    seed = 2,
    seed2 = 2)

Patches

We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4.

The fix will be included in TensorFlow 2.11. We will also cherrypick this commit on TensorFlow 2.10.1, 2.9.3, and TensorFlow 2.8.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.

CVE-2023-25658

Impact

Out of bounds read in GRUBlockCellGrad

func = tf.raw_ops.GRUBlockCellGrad

para = {'x': [[21.1, 156.2], [83.3, 115.4]], 'h_prev': array([[136.5],
      [136.6]]), 'w_ru': array([[26.7,  0.8],
      [47.9, 26.1],
      [26.2, 26.3]]), 'w_c': array([[ 0.4],
      [31.5],
      [ 0.6]]), 'b_ru': array([0.1, 0.2 ], dtype=float32), 'b_c': 0x41414141, 'r': array([[0.3],
      [0.4]], dtype=float32), 'u': array([[5.7],
      [5.8]]), 'c': array([[52.9],
      [53.1]]), 'd_h': array([[172.2],
      [188.3 ]])}

Patches

We have patched the issue in GitHub commit ff459137c2716a2a60f7d441b855fcb466d778cb.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx.

CVE-2023-27579

Impact

Constructing a tflite model with a paramater filter_input_channel of less than 1 gives a FPE.

Patches

We have patched the issue in GitHub commit 34f8368c535253f5c9cb3a303297743b62442aaa.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability was reported by Wang Xuan of Qihoo 360 AIVul Team.

CVE-2023-25801

Impact

nn_ops.fractional_avg_pool_v2 and nn_ops.fractional_max_pool_v2 require the first and fourth elements of their parameter pooling_ratio to be equal to 1.0, as pooling on batch and channel dimensions is not supported.

import tensorflow as tf
import os
import numpy as np
from tensorflow.python.ops import nn_ops
try:
  arg_0_tensor = tf.random.uniform([3, 30, 50, 3], dtype=tf.float64)
  arg_0 = tf.identity(arg_0_tensor)
  arg_1_0 = 2
  arg_1_1 = 3
  arg_1_2 = 1
  arg_1_3 = 1
  arg_1 = [arg_1_0,arg_1_1,arg_1_2,arg_1_3,]
  arg_2 = True
  arg_3 = True
  seed = 341261001
  out = nn_ops.fractional_avg_pool_v2(arg_0,arg_1,arg_2,arg_3,seed=seed,)
except Exception as e:
  print("Error:"+str(e))

Patches

We have patched the issue in GitHub commit ee50d1e00f81f62a4517453f721c634bbb478307.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability was reported by dmc1778, of nimashiri2012@​gmail.com.

CVE-2023-25676

Impact

When running with XLA, tf.raw_ops.ParallelConcat segfaults with a nullptr dereference when given a parameter shape with rank that is not greater than zero.

import tensorflow as tf

func = tf.raw_ops.ParallelConcat
para = {'shape':  0, 'values': [1]}

@​tf.function(jit_compile=True)
def test():
   y = func(**para)
   return y

test()

Patches

We have patched the issue in GitHub commit da66bc6d5ff466aee084f9e7397980a24890cd15.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

CVE-2023-25675

Impact

When running with XLA, tf.raw_ops.Bincount segfaults when given a parameter weights that is neither the same shape as parameter arr nor a length-0 tensor.

import tensorflow as tf

func = tf.raw_ops.Bincount
para={'arr': 6, 'size': 804, 'weights': [52, 351]}

@​tf.function(jit_compile=True)
def fuzz_jit():
 y = func(**para)
 return y

print(fuzz_jit())

Patches

We have patched the issue in GitHub commit 8ae76cf085f4be26295d2ecf2081e759e04b8acf.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

CVE-2023-25674

Impact

NPE in RandomShuffle with XLA enable

import tensorflow as tf

func = tf.raw_ops.RandomShuffle
para = {'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649}

@​tf.function(jit_compile=True)
def test():
   y = func(**para)
   return y

test()

Patches

We have patched the issue in GitHub commit 728113a3be690facad6ce436660a0bc1858017fa.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

CVE-2023-25673

Impact

FPE in TensorListSplit with XLA

import tensorflow as tf

func = tf.raw_ops.TensorListSplit
para = {'tensor': [1], 'element_shape': -1, 'lengths': [0]}

@​tf.function(jit_compile=True)
def fuzz_jit():
 y = func(**para)
 return y

print(fuzz_jit())

Patches

We have patched the issue in GitHub commit 728113a3be690facad6ce436660a0bc1858017fa.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

CVE-2023-25672

Impact

The function tf.raw_ops.LookupTableImportV2 cannot handle scalars in the values parameter and gives an NPE.

import tensorflow as tf

v = tf.Variable(1)

@​tf.function(jit_compile=True)
def test():
   func = tf.raw_ops.LookupTableImportV2
   para={'table_handle': v.handle,'keys': [62.98910140991211, 94.36528015136719], 'values': -919}

   y = func(**para)
   return y

print(test())

Patches

We have patched the issue in GitHub commit 980b22536abcbbe1b4a5642fc940af33d8c19b69.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

CVE-2023-25671

Impact

Out-of-bounds access due to mismatched integer type sizes in ValueMap::Manager::GetValueOrCreatePlaceholder. Bug with tfg-translate call to InitMlir. The problem happens with generic functions, as it is already handled for non-generic functions. This is because they, unlike non-generic functions, are using the "old importer". A better long-term solution may be to have the "new importer" handle generic functions.

Patches

We have patched the issue in GitHub

• commit 760322a71ac9033e122ef1f4b1c62813021e5938.
• commit 2eedc8f676d2c3b8be9492e547b2bc814c10b367

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

Affiliation

360 AIVul

CVE-2023-25670

Impact

NPE in QuantizedMatMulWithBiasAndDequantize with MKL enable

import tensorflow as tf

func = tf.raw_ops.QuantizedMatMulWithBiasAndDequantize
para={'a': tf.constant(138, dtype=tf.quint8), 'b': tf.constant(4, dtype=tf.qint8), 'bias': [[31.81644630432129, 47.21876525878906], [109.95201110839844, 152.07968139648438]], 'min_a': 141.5337138686371, 'max_a': [73.84139251708984, 173.15280151367188], 'min_b': [], 'max_b': [[16.128345489501953, 193.26820373535156]], 'min_freezed_output': [], 'max_freezed_output': [115.50032806396484, 156.974853515625], 'Toutput': 1.0, 'transpose_a': True, 'transpose_b': False, 'input_quant_mode': 'MIN_FIRST'}

func(**para)

Patches

We have patched the issue in GitHub commit 8a47a39d9697969206d23a523c977238717e8727.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

CVE-2023-25669

Impact

If the stride and window size are not positive for tf.raw_ops.AvgPoolGrad, it can give an FPE.

import tensorflow as tf
import numpy as np

@​tf.function(jit_compile=True)
def test():
   y = tf.raw_ops.AvgPoolGrad(orig_input_shape=[1,0,0,0], grad=[[[[0.39117979]]]], ksize=[1,0,0,0], strides=[1,0,0,0], padding="SAME", data_format="NCHW")
   return y

print(test())

Patches

We have patched the issue in GitHub commit 1295ae4dbb52fe06b19733b0257e2340d7b63b8d.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx of 360 AIVul Team

CVE-2023-25668

Impact

Attackers using Tensorflow can exploit the vulnerability. They can access heap memory which is not in the control of user, leading to a crash or RCE.
When axis is larger than the dim of input, c->Dim(input,axis) goes out of bound.
Same problem occurs in the QuantizeAndDequantizeV2/V3/V4/V4Grad operations too.

import tensorflow as tf
@​tf.function
def test():
    tf.raw_ops.QuantizeAndDequantizeV2(input=[2.5],
    								   input_min=[1.0],
    								   input_max=[10.0],
    								   signed_input=True,
    								   num_bits=1,
    								   range_given=True,
    								   round_mode='HALF_TO_EVEN',
    								   narrow_range=True,
    								   axis=0x7fffffff)
test()

Patches

We have patched the issue in GitHub commit 7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2023-25667

Impact

Integer overflow occurs when 2^31 <= num_frames * height * width * channels < 2^32, for example Full HD screencast of at least 346 frames.

import urllib.request
dat = urllib.request.urlopen('https://raw.githubusercontent.com/tensorflow/tensorflow/1c38ad9b78ffe06076745a1ee00cec42f39ff726/tensorflow/core/lib/gif/testdata/3g_multiframe.gif').read()
import tensorflow as tf
tf.io.decode_gif(dat)

Patches

We have patched the issue in GitHub commit 8dc723fcdd1a6127d6c970bd2ecb18b019a1a58d.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Andrei

CVE-2023-25666

Impact

version:2.11.0 //core/ops/audio_ops.cc:70

Status SpectrogramShapeFn(InferenceContext* c) { ShapeHandle input; TF_RETURN_IF_ERROR(c->WithRank(c->input(0), 2, &input)); int32_t window_size; TF_RETURN_IF_ERROR(c->GetAttr("window_size", &window_size)); int32_t stride; TF_RETURN_IF_ERROR(c->GetAttr("stride", &stride)); .....[1]

DimensionHandle input_length = c->Dim(input, 0); DimensionHandle input_channels = c->Dim(input, 1);

DimensionHandle output_length; if (!c->ValueKnown(input_length)) { output_length = c->UnknownDim(); } else { const int64_t input_length_value = c->Value(input_length); const int64_t length_minus_window = (input_length_value - window_size); int64_t output_length_value; if (length_minus_window < 0) { output_length_value = 0; } else { output_length_value = 1 + (length_minus_window / stride); .....[2] } output_length = c->MakeDim(output_length_value); }

Get the value of stride at [1], and the used at [2]

import tensorflow as tf

para = {'input': tf.constant([[14.], [24.]], dtype=tf.float32), 'window_size': 1, 'stride': 0, 'magnitude_squared': False}
func = tf.raw_ops.AudioSpectrogram

@​tf.function(jit_compile=True)
def fuzz_jit():
   y = func(**para)
   return y

fuzz_jit()

Patches

We have patched the issue in GitHub commit d0d4e779da0d0f56499c6fa5ba09f0a576cc6b14.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

CVE-2023-25665

Impact

When SparseSparseMaximum is given invalid sparse tensors as inputs, it can give an NPE.

import tensorflow as tf
tf.raw_ops.SparseSparseMaximum(
 a_indices=[[1]],
 a_values =[ 0.1 ],
 a_shape = [2],
 b_indices=[[]],
 b_values =[2 ],
 b_shape = [2],
)

Patches

We have patched the issue in GitHub commit 5e0ecfb42f5f65629fd7a4edd6c4afe7ff0feb04.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team

CVE-2023-25664

Impact

import os
os.environ['TF_ENABLE_ONEDNN_OPTS'] = '0'
import tensorflow as tf
print(tf.__version__)
with tf.device("CPU"):
    ksize = [1, 40, 128, 1]
    strides = [1, 128, 128, 30]
    padding = "SAME"
    data_format = "NHWC"
    orig_input_shape = [11, 9, 78, 9]
    grad = tf.saturate_cast(tf.random.uniform([16, 16, 16, 16], minval=-128, maxval=129, dtype=tf.int64), dtype=tf.float32)
    res = tf.raw_ops.AvgPoolGrad(
        ksize=ksize,
        strides=strides,
        padding=padding,
        data_format=data_format,
        orig_input_shape=orig_input_shape,
        grad=grad,
    )

Patches

We have patched the issue in GitHub commit ddaac2bdd099bec5d7923dea45276a7558217e5b.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by [email protected]

CVE-2023-25663

Impact

When ctx->step_containter() is a null ptr, the Lookup function will be executed with a null pointer.

import tensorflow as tf
tf.raw_ops.TensorArrayConcatV2(handle=['a', 'b'], flow_in = 0.1, dtype=tf.int32, element_shape_except0=1)

Patches

We have patched the issue in GitHub commit 239139d2ae6a81ae9ba499ad78b56d9b2931538a.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian

CVE-2023-25662

Impact

TFversion 2.11.0 //tensorflow/core/ops/array_ops.cc:1067 const Tensor* hypothesis_shape_t = c->input_tensor(2); std::vector dims(hypothesis_shape_t->NumElements() - 1); for (int i = 0; i < dims.size(); ++i) { dims[i] = c->MakeDim(std::max(h_values(i), t_values(i))); }

if hypothesis_shape_t is empty, hypothesis_shape_t->NumElements() - 1 will be integer overflow, and the it will deadlock

import tensorflow as tf
para={
    'hypothesis_indices': [[]],
    'hypothesis_values': ['tmp/'],
    'hypothesis_shape': [],
    'truth_indices': [[]],
    'truth_values': [''],
    'truth_shape': [],
    'normalize': False
    }
tf.raw_ops.EditDistance(**para)

Patches

We have patched the issue in GitHub commit 08b8e18643d6dcde00890733b270ff8d9960c56c.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by r3pwnx

CVE-2023-25660

Impact

When the parameter summarize of tf.raw_ops.Print is zero, the new method SummarizeArray<bool> will reference to a nullptr, leading to a seg fault.

import tensorflow as tf

tf.raw_ops.Print(input =  tf.constant([1, 1, 1, 1],dtype=tf.int32),
                            data =  [[False, False, False, False], [False], [False, False, False]],
                            message =  'tmp/I',
                            first_n = 100,
                            summarize = 0)

Patches

We have patched the issue in GitHub commit 6d423b8bcc9aa9f5554dc988c1c16d038b508df1.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team

CVE-2023-25659

Impact

If the parameter indices for DynamicStitch does not match the shape of the parameter data, it can trigger an stack OOB read.

import tensorflow as tf
func = tf.raw_ops.DynamicStitch
para={'indices': [[0xdeadbeef], [405], [519], [758], [1015]], 'data': [[110.27793884277344], [120.29475402832031], [157.2418212890625], [157.2626953125], [188.45382690429688]]}
y = func(**para)

Patches

We have patched the issue in GitHub commit ee004b18b976eeb5a758020af8880236cd707d05.

The fix will be included in TensorFlow 2.12. We will also cherrypick this commit on TensorFlow 2.11.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This has been reported via Google OSS VRP.

CVE-2023-25661

Impact

A malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack.
To minimize the bug, we built a simple single-layer TensorFlow model containing a Convolution3DTranspose layer, which works well with expected inputs and can be deployed in real-world systems. However, if we call the model with a malicious input which has a zero dimension, it gives Check Failed failure and crashes.

import tensorflow as tf

class MyModel(tf.keras.Model):
    def __init__(self):
        super().__init__()
        self.conv = tf.keras.layers.Convolution3DTranspose(2, [3,3,3], padding="same")
        
    def call(self, input):
        return self.conv(input)
model = MyModel() # Defines a valid model.

x = tf.random.uniform([1, 32, 32, 32, 3], minval=0, maxval=0, dtype=tf.float32) # This is a valid input.
output = model.predict(x)
print(output.shape) # (1, 32, 32, 32, 2)

x = tf.random.uniform([1, 32, 32, 0, 3], dtype=tf.float32) # This is an invalid input.
output = model(x) # crash

This Convolution3DTranspose layer is a very common API in modern neural networks. The ML models containing such vulnerable components could be deployed in ML applications or as cloud services. This failure could be potentially used to trigger a denial of service attack on ML cloud services.

Patches

We have patched the issue in

• GitHub commit 948fe6369a5711d4b4568ea9bbf6015c6dfb77e2
• GitHub commit 85db5d07db54b853484bfd358c3894d948c36baf.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

CVE-2022-41894

Impact

The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.

Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > o