Security advisories for 2.4 releases.

For several of these, we also patch previous releases.

PiperOrigin-RevId: 346617124
Change-Id: I0e88fb02e1d7a98a1df3446c7251d3fcdfe3b8fc
Mihai Maruseac 2020-12-09 12:55:12 -08:00 committed by TensorFlower Gardener
parent e410b97339
commit faf6ea6f28
7 changed files with 321 additions and 4 deletions


@ -10,10 +10,16 @@ in [SECURITY.md](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.m
| Advisory Number | Type | Versions affected | Reported by | Additional Information |
|-----------------|--------------------|:-----------------:|-----------------------|-----------------------------|
| [TFSA-2020-028](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-028.md) | Float cast overflow undefined behavior | <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42129) |
| [TFSA-2020-027](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-027.md) | Segfault in `tf.quantization.quantize_and_dequantize`| <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42105) |
| [TFSA-2020-026](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-026.md) | Segfault in `tf.raw_ops.Switch` in eager mode | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-025](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-025.md) | Undefined behavior in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-034](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-034.md) | Heap out of bounds access in MakeEdge | >= 1.15.0, <= 2.3.0 | (discovered internally) | |
| [TFSA-2020-033](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-033.md) | CHECK-fail in LSTM with zero-length input | >= 1.15.0, <= 2.3.0 | (discovered internally) | |
| [TFSA-2020-032](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-032.md) | Heap out of bounds read in filesystem glob matching | 2.4.0-rc{0,1,2,3} | Aivul Team from Qihoo 360 | |
| [TFSA-2020-031](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-031.md) | Write to immutable memory region | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-030](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-030.md) | Lack of validation in data format attributes | >= 1.15.0, <= 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-029](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-029.md) | Uninitialized memory access in Eigen types | >= 1.15.0, <= 2.3.0 | (discovered internally) | |
| [TFSA-2020-028](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-028.md) | Float cast overflow undefined behavior | <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42129) |
| [TFSA-2020-027](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-027.md) | Segfault in `tf.quantization.quantize_and_dequantize `| <= 2.3 | (Reported on GitHub) | [issue report](https://github.com/tensorflow/tensorflow/issues/42105) |
| [TFSA-2020-026](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-026.md) | Segfault in `tf.raw_ops.Switch` in eager mode | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-025](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-025.md) | Undefined behavior in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-024](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-024.md) | Memory leak in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-023](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-023.md) | Memory corruption in `dlpack.to_dlpack` | 2.2.0, 2.3.0 | Aivul Team from Qihoo 360 | |
| [TFSA-2020-022](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-022.md) | Crash due to invalid shape of `grad_values` in SparseFillEmptyRowsGrad | >= 1.15.0, <= 2.3.0 | (variant analysis, Aivul Team from Qihoo 360) | |
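Review bot: the re-added TFSA-2020-027 row has a stray space before the closing backtick in `tf.quantization.quantize_and_dequantize `, which the original row (shown above the new rows) does not have, so the inline code span now renders with a trailing space; restore `tf.quantization.quantize_and_dequantize`. That space appears to be the only difference between the removed and re-added 025 to 028 rows, so the churn goes away once it is fixed. The "Versions affected" column also mixes `<= 2.3` (028, 027) with the `>= 1.15.0, <= 2.3.0` form used by the new rows; one format throughout would make the table easier to scan.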


@ -0,0 +1,53 @@
## TFSA-2020-029: Uninitialized memory access in Eigen types
### CVE Number
CVE-2020-26266
### Impact
Under certain cases, a saved model can trigger use of uninitialized values
during code execution. This is caused by having tensor buffers be filled with
the default value of the type but forgetting to [default initialize the
quantized floating point types in
Eigen](https://github.com/tensorflow/tensorflow/blob/f70160322a579144950dff1537dcbe3c7c09d6f5/third_party/eigen3/unsupported/Eigen/CXX11/src/FixedPoint/FixedPointTypes.h#L61-L104):
```cc
struct QUInt8 {
QUInt8() {}
// ...
uint8_t value;
};
struct QInt16 {
QInt16() {}
// ...
int16_t value;
};
struct QUInt16 {
QUInt16() {}
// ...
uint16_t value;
};
struct QInt32 {
QInt32() {}
// ...
int32_t value;
};
```
### Patches
We have patched the issue in GitHub commit
[ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2](https://github.com/tensorflow/tensorflow/commit/ace0c15a22f7f054abcc1f53eabbcb0a1239a9e2)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
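Review bot: the Patches section never says what the fix does. The Impact section shows the empty constructors (`QUInt8() {}` and friends) that leave `value` uninitialized, so one sentence stating that the commit gives `value` a default initializer (or whatever the commit actually changes) would let readers verify the patch in their own builds. It would also help to state the concrete consequence for users: a tensor buffer "filled with the default value of the type" ends up holding whatever was previously in that memory, so model outputs depend on stale buffer contents rather than being merely nondeterministic.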


@ -0,0 +1,89 @@
## TFSA-2020-030: Lack of validation in data format attributes
### CVE Number
CVE-2020-26267
### Impact
The `tf.raw_ops.DataFormatVecPermute` API does not validate the `src_format` and
`dst_format` attributes. [The
code](https://github.com/tensorflow/tensorflow/blob/304b96815324e6a73d046df10df6626d63ac12ad/tensorflow/core/kernels/data_format_ops.cc)
assumes that these two arguments define a permutation of `NHWC`.
However, these assumptions are not checked and this can result in uninitialized
memory accesses, read outside of bounds and even crashes.
```python
>>> import tensorflow as tf
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='H', dst_format='W')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)>
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1234', dst_format='1253')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 2, 939037184, 3], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1234', dst_format='1223')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 32701, 2, 3], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='1224', dst_format='1423')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([1, 4, 3, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4], src_format='1234', dst_format='432')
<tf.Tensor: shape=(4,), dtype=int32, numpy=array([4, 3, 2, 32701], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[1,2,3,4],
src_format='12345678', dst_format='87654321')
munmap_chunk(): invalid pointer
Aborted
...
>>> tf.raw_ops.DataFormatVecPermute(x=[[1,5],[2,6],[3,7],[4,8]],
src_format='12345678', dst_format='87654321')
<tf.Tensor: shape=(4, 2), dtype=int32, numpy=
array([[71364624, 0],
[71365824, 0],
[ 560, 0],
[ 48, 0]], dtype=int32)>
...
>>> tf.raw_ops.DataFormatVecPermute(x=[[1,5],[2,6],[3,7],[4,8]],
src_format='12345678', dst_format='87654321')
free(): invalid next size (fast)
Aborted
```
A similar issue occurs in `tf.raw_ops.DataFormatDimMap`, for the same reasons:
```python
>>> tf.raw_ops.DataFormatDimMap(x=[[1,5],[2,6],[3,7],[4,8]], src_format='1234',
>>> dst_format='8765')
<tf.Tensor: shape=(4, 2), dtype=int32, numpy=
array([[1954047348, 1954047348],
[1852793646, 1852793646],
[1954047348, 1954047348],
[1852793632, 1852793632]], dtype=int32)>
```
### Patches
We have patched the issue in GitHub commit
[ebc70b7a592420d3d2f359e4b1694c236b82c7ae](https://github.com/tensorflow/tensorflow/commit/ebc70b7a592420d3d2f359e4b1694c236b82c7ae)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
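Review bot: the `DataFormatDimMap` transcript has a `>>>` prompt on the continuation line (`>>> dst_format='8765')`), which is a syntax error if pasted into a REPL; the earlier examples use a bare continuation line and this one should too. The Impact paragraph says the code assumes `src_format` and `dst_format` define a permutation of `NHWC` but does not list the properties the patch must check, which the examples already demonstrate one by one: both strings have the same length (`'1234'` vs `'432'`), neither repeats a character (`'HHHH'`, `'1223'`), and `dst_format` is a permutation of `src_format` (`'1234'` vs `'1253'`); spelling these out tells users what a valid call looks like. Finally, the `x=[[1,5],[2,6],[3,7],[4,8]]` call appears twice with different outcomes (garbage values, then `free(): invalid next size`), which is expected for undefined behaviour, but a short note that the result varies from run to run would stop readers from taking the duplicate for a copy-paste error.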


@ -0,0 +1,47 @@
## TFSA-2020-031: Write to immutable memory region
### CVE Number
CVE-2020-26268
### Impact
The `tf.raw_ops.ImmutableConst` operation returns a constant tensor created from
a memory mapped file which is assumed immutable. However, if the type of the
tensor is not an integral type, the operation crashes the Python interpreter as
it tries to write to the memory area:
```python
>>> import tensorflow as tf
>>> with open('/tmp/test.txt','w') as f: f.write('a'*128)
>>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2,
memory_region_name='/tmp/test.txt')
```
If the file is too small, TensorFlow properly returns an error as the memory
area has fewer bytes than what is needed for the tensor it creates. However, as
soon as there are enough bytes, the above snippet causes a segmentation fault.
This is because the alocator used to return the buffer data is not marked as
returning an opaque handle since the [needed virtual
method](https://github.com/tensorflow/tensorflow/blob/c1e1fc899ad5f8c725dcbb6470069890b5060bc7/tensorflow/core/framework/typed_allocator.h#L78-L85)
is [not
overriden](https://github.com/tensorflow/tensorflow/blob/acdf3c04fcfa767ae8d109b9e1f727ef050dba4d/tensorflow/core/kernels/immutable_constant_op.cc).
### Patches
We have patched the issue in GitHub commit
[c1e1fc899ad5f8c725dcbb6470069890b5060bc7](https://github.com/tensorflow/tensorflow/commit/c1e1fc899ad5f8c725dcbb6470069890b5060bc7)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
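Review bot: two typos in the explanation paragraph: `alocator` should be `allocator` and `overriden` should be `overridden`. The same paragraph explains the root cause (the allocator is not marked as returning an opaque handle because the virtual method is not overridden) but the Patches section does not say that the fix is to override that method; saying so explicitly would let readers confirm the change in the linked commit. Since the Impact sentence speaks of "not an integral type" in general while the reproducer only shows `tf.string`, it would also be worth stating whether other non-integral dtypes trigger the same write.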


@ -0,0 +1,51 @@
## TFSA-2020-032: Heap out of bounds read in filesystem glob matching
### CVE Number
CVE-2020-26269
### Impact
The general implementation for matching filesystem paths to globbing pattern is
vulnerable to an access out of bounds of [the array holding the
directories](https://github.com/tensorflow/tensorflow/blob/458c6260265c46ebaf18052d6c61aea4b6b40926/tensorflow/core/platform/file_system_helper.cc#L127):
```cc
if (!fs->Match(child_path, dirs[dir_index])) { ... }
```
Since `dir_index` is [unconditionaly
incremented](https://github.com/tensorflow/tensorflow/blob/458c6260265c46ebaf18052d6c61aea4b6b40926/tensorflow/core/platform/file_system_helper.cc#L106)
outside of the lambda function where the vulnerable pattern occurs, this results
in an access out of bounds issue under certain scenarios. For example, if
`/tmp/x` is a directory that only contains a single file `y`, then the following
snippet will cause a crash due to the out of bounds read:
```python
>>> tf.io.gfile.glob('/tmp/x/')
Segmentation fault
```
There are multiple invariants and preconditions that are assumed by the parallel
implementation of `GetMatchingPaths` but are not verified by the PRs introducing
it ([#40861](https://github.com/tensorflow/tensorflow/pull/40861) and
[#44310](https://github.com/tensorflow/tensorflow/pull/44310)). Thus, we are
completely rewriting the implementation to fully specify and validate these.
### Patches
We have patched the issue in GitHub commit
[8b5b9dc96666a3a5d27fad7179ff215e3b74b67c](https://github.com/tensorflow/tensorflow/commit/8b5b9dc96666a3a5d27fad7179ff215e3b74b67c)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
This issue only impacts master branch and the release candidates for TF version
2.4. The final release of the 2.4 release will be patched.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
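Review bot: `unconditionaly` should be `unconditionally`, and "matching filesystem paths to globbing pattern" should read "globbing patterns". The reproducer `tf.io.gfile.glob('/tmp/x/')` is missing the `import tensorflow as tf` line that the other advisories include. The pattern ends in a slash, which presumably yields the empty trailing component that pushes `dir_index` past the end of `dirs`; the advisory should say whether that trailing slash is required for the crash, since the prose only mentions that the directory holds a single file. In the Patches section, "The final release of the 2.4 release will be patched" reads awkwardly; "The final 2.4.0 release will contain the fix" says the same thing.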


@ -0,0 +1,27 @@
## TFSA-2020-033: CHECK-fail in LSTM with zero-length input
### CVE Number
CVE-2020-26270
### Impact
Running an LSTM/GRU model where the LSTM/GRU layer receives an input with
zero-length results in a `CHECK` failure when using the CUDA backend.
This can result in a query-of-death vulnerability, via denial of service, if
users can control the input to the layer.
### Patches
We have patched the issue in GitHub commit
[14755416e364f17fb1870882fa778c7fec7f16e3](https://github.com/tensorflow/tensorflow/commit/14755416e364f17fb1870882fa778c7fec7f16e3)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
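Review bot: "receives an input with zero-length results in" should be "receives a zero-length input results in", and "a query-of-death vulnerability, via denial of service" has the relation inverted: it is a denial of service via a query of death (one crafted request aborts the whole process, since `CHECK` failures are fatal). Unlike the other advisories, the Impact section gives no reproducer and does not name the op or kernel that contains the failing `CHECK`, nor what the fix does (reject the empty input with an error, or handle it); adding the op name and a one-line example would make the advisory actionable for users who cannot upgrade immediately.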


@ -0,0 +1,44 @@
## TFSA-2020-034: Heap out of bounds access in MakeEdge
### CVE Number
CVE-2020-26271
### Impact
Under certain cases, loading a saved model can result in accessing uninitialized
memory while building the computation graph. The [`MakeEdge`
function](https://github.com/tensorflow/tensorflow/blob/3616708cb866365301d8e67b43b32b46d94b08a0/tensorflow/core/common_runtime/graph_constructor.cc#L1426-L1438)
creates an edge between one output tensor of the `src` node (given by
`output_index`) and the input slot of the `dst` node (given by `input_index`).
This is only possible if the types of the tensors on both sides coincide, so the
function begins by obtaining the corresponding `DataType` values and comparing
these for equality:
```cc
DataType src_out = src->output_type(output_index);
DataType dst_in = dst->input_type(input_index);
//...
```
However, there is no check that the indices point to inside of the arrays they
index into. Thus, this can result in accessing data out of bounds of the
corresponding heap allocated arrays.
In most scenarios, this can manifest as unitialized data access, but if the
index points far away from the boundaries of the arrays this can be used to leak
addresses from the library.
### Patches
We have patched the issue in GitHub commit
[0cc38aaa4064fd9e79101994ce9872c6d91f816b](https://github.com/tensorflow/tensorflow/commit/0cc38aaa4064fd9e79101994ce9872c6d91f816b)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
Since this issue also impacts TF versions before 2.4, we will patch all releases
between 1.15 and 2.3 inclusive.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
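Review bot: `unitialized` should be `uninitialized`. The opening sentence frames the bug as "accessing uninitialized memory", but the title and the rest of the section describe an out-of-bounds read: `output_index` and `input_index` are used to index the node's output and input type arrays with no bounds check. Leading with the out-of-bounds read and then noting that it usually manifests as uninitialized data (and as an address leak when the index is far out of range) keeps the Impact consistent with the title. The Patches section should also name the check the commit adds, i.e. that both indices are validated against the respective node's number of outputs and inputs before `output_type` and `input_type` are called, and the snippet would be more useful if it showed the equality comparison the text refers to instead of stopping at `//...`.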