Intel Optimization For Tensorflow vulnerabilities

429 known vulnerabilities affecting intel/optimization_for_tensorflow.

Total CVEs: 429
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 121, MEDIUM 200, LOW 103

Vulnerabilities

Page 21 of 22
CVE-2020-15202 | HIGH | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-197: Integer truncation in Shard API usage
Impact: The `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/work_sharder.h#L59-L60 However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used: https://github.
ghsa, osv
CVE-2020-15200 | HIGH | ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-122: Segfault in Tensorflow
Impact: The `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Thus, the [following code](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L248-L265) se
ghsa, osv
CVE-2020-15193 | HIGH | ≥ 2.2.0, < 2.2.1; ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-908: Memory corruption in Tensorflow
Impact: The implementation of `dlpack.to_dlpack` can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/python/tfe_wrapper.cc#L1361 However, there is nothing stopping users from passing in a Python ob
ghsa, osv
CVE-2020-15209 | HIGH | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-476: Null pointer dereference in tensorflow-lite
Impact: A crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one. The runtime assumes that these buffers are written to before a possible read, hence they are initialized with `nullptr`: https://github.com/ten
ghsa, osv
CVE-2020-15206 | HIGH | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-20: Denial of Service in Tensorflow
Impact: Changing TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. We have added fixes to this in f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e
ghsa, osv
CVE-2020-15208 | HIGH | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-125: Data corruption in tensorflow-lite
Impact: When determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is a no-op outside of debug compilation modes: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/types.h#L437-L442 Since the function always returns the dimension of the first tensor, malicious attackers can craft cases where this
ghsa, osv
CVE-2020-15197 | MEDIUM | ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-20: Denial of Service in Tensorflow
Impact: The `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/co
ghsa, osv
CVE-2020-15191 | MEDIUM | ≥ 2.2.0, < 2.2.1; ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-20: Undefined behavior in Tensorflow
Impact: If a user passes an invalid argument to `dlpack.to_dlpack` the expected validations will cause variables to bind to `nullptr` while setting a `status` variable to the error condition. However, this `status` argument is not properly checked: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267 Hence, code following
ghsa, osv
CVE-2020-15205 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-119: Data leak in Tensorflow
Impact: The `data_splits` argument of [`tf.raw_ops.StringNGrams`](https://www.tensorflow.org/api_docs/python/tf/raw_ops/StringNGrams) lacks validation. This allows a user to pass values that can cause heap overflow errors and even leak contents of memory ```python >>> tf.raw_ops.StringNGrams(data=["aa", "bb", "cc", "dd", "ee", "ff"], data_splits=[0,8], separator=" ", ngram_widths=[3], left_pad="", right_pad="", p
ghsa, osv
CVE-2020-15195 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-119: Heap buffer overflow in Tensorflow
Impact: The implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L263-L269 It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow.
Patches: We have
ghsa, osv
CVE-2020-15196 | MEDIUM | ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-119: Heap buffer overflow in Tensorflow
Impact: The `SparseCountSparseOutput` and `RaggedCountSparseOutput` implementations don't validate that the `weights` tensor has the same shape as the data. The check exists for `DenseCountSparseOutput`, where both tensors are fully specified: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/count_ops.cc#L110-L117 In the sparse a
ghsa, osv
CVE-2020-15192 | MEDIUM | ≥ 2.2.0, < 2.2.1; ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-20: Memory leak in Tensorflow
Impact: If a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L100-L104 The allocated memory is from https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L256 The i
ghsa, osv
CVE-2020-15194 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-20: Denial of Service in Tensorflow
Impact: The `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparse_fill_empty_rows_op.cc#L235-L241 Although `reverse_index_map_t` and `grad_values_t` are accessed in a similar pattern, only `reverse_index_map_t` is validated to be of prop
ghsa, osv
CVE-2020-15213 | MEDIUM | ≥ 2.2.0, < 2.2.1; ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-119: Denial of service in tensorflow-lite
Impact: In TensorFlow Lite, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation: https://github.com/tensorflow/tensorflow/blob/0e68f
ghsa, osv
CVE-2020-15190 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-20: Segfault in Tensorflow
Impact: The [`tf.raw_ops.Switch`](https://www.tensorflow.org/api_docs/python/tf/raw_ops/Switch) operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295
ghsa, osv
CVE-2020-15198 | MEDIUM | ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-119: Heap buffer overflow in Tensorflow
Impact: The `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has the same shape as the `values` one. The values in these tensors are always accessed in parallel: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/ke
ghsa, osv
CVE-2020-15201 | MEDIUM | ≥ 2.3.0, < 2.3.1 | 2020-09-25
CWE-122: Heap buffer overflow in Tensorflow
Impact: The `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, this code is prone to heap buffer overflow: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/t
ghsa, osv
CVE-2020-15204 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-476: Segfault in Tensorflow
Impact: In eager mode, TensorFlow does not set the session state. Hence, calling `tf.raw_ops.GetSessionHandle` or `tf.raw_ops.GetSessionHandleV2` results in a null pointer dereference: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/session_ops.cc#L45 In the above snippet, in eager mode, `ctx->session_state()` returns `nullptr`. Since code immediately
ghsa, osv
CVE-2020-15211 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-125: Out of bounds access in tensorflow-lite
Impact: In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexin
ghsa, osv
CVE-2020-15207 | MEDIUM | ≥ 0, < 1.15.4; ≥ 2.0.0, < 2.0.3; +3 more | 2020-09-25
CWE-119: Segfault and data corruption in tensorflow-lite
Impact: To mimic Python's indexing with negative values, TFLite uses `ResolveAxis` to convert negative values to positive indices. However, the check that the converted index is now valid is only present in debug builds: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reduce.h#L68
ghsa, osv