Intel Optimization For Tensorflow vulnerabilities
429 known vulnerabilities affecting intel/optimization_for_tensorflow.
Total CVEs: 429
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 121, MEDIUM 200, LOW 103
Vulnerabilities
CVE-2022-23560 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23560 [HIGH] CWE-125 Read and Write outside of bounds in TensorFlow
### Impact
An attacker can craft a TFLite model that would allow limited reads and writes outside of arrays in TFLite. This exploits missing validation in [the conversion from sparse tensors to dense tensors](https://github.com/tensorflow/tensorflow/blob/ca6f96b62ad84207fbec580404eaa7dd7403a550/tensorflow/lite/kernels/internal/utils/sparsity_format_converter.cc#L252-L293).
Sources: GHSA, OSV
CVE-2022-23565 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23565 [HIGH] CWE-617 `CHECK`-failures in Tensorflow
### Impact
An attacker can trigger denial of service via assertion failure by altering a `SavedModel` on disk such that `AttrDef`s of some operation are duplicated.
### Patches
We have patched the issue in GitHub commit [c2b31ff2d3151acb230edc3f5b1832d2c713a9e0](https://github.com/tensorflow/tensorflow/commit/c2b31ff2d3151acb230edc3f5b1832d2c713a9e0).
The fix will be included in TensorFlow 2.8.0. We wi
Sources: GHSA, OSV
CVE-2022-23557 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23557 [HIGH] CWE-369 Division by zero in TFLite
### Impact
An attacker can craft a TFLite model that would trigger a division by zero in [`BiasAndClamp` implementation](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/lite/kernels/internal/common.h#L75):
```cc
inline void BiasAndClamp(float clamp_min, float clamp_max, int bias_size,
                         const float* bias_data, int array_size,
                         float* array_data) {
  // ...
  TFLITE_DCH
```
Sources: GHSA, OSV
CVE-2022-23594 | HIGH | ≥ 2.7.0, < 2.7.1 | 2022-02-09
CVE-2022-23594 [HIGH] CWE-125 Out of bounds read in Tensorflow
### Impact
The [TFG dialect of TensorFlow (MLIR)](https://github.com/tensorflow/tensorflow/tree/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/core/ir/importexport) makes several assumptions about the incoming `GraphDef` before converting it to the MLIR-based dialect.
If an attacker changes the `SavedModel` format on disk to invalidate these assumptions and the `GraphDef` is then converted to M
Sources: GHSA, OSV
CVE-2022-23584 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23584 [HIGH] CWE-416 Use after free in `DecodePng` kernel
### Impact
A malicious user can cause a use after free behavior when [decoding PNG images](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/image/decode_image_op.cc#L339-L346):
```cc
if (/* ... error conditions ... */) {
  png::CommonFreeDecode(&decode);
  OP_REQUIRES(context, false,
              errors::InvalidArgument("PNG size too large for int:
```
Sources: GHSA, OSV
CVE-2022-21736 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21736 [HIGH] CWE-476 Undefined behavior in `SparseTensorSliceDataset`
### Impact
The [implementation of `SparseTensorSliceDataset`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L227-L292) has undefined behavior: under certain conditions it can be made to dereference a `nullptr` value:
```python
import tensorflow as tf
import numpy
```
Sources: GHSA, OSV
CVE-2022-23571 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23571 [HIGH] CWE-617 Reachable Assertion in Tensorflow
### Impact
When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user-controlled arguments, if the tensors have an invalid `dtype` and 0 elements or an invalid shape. This allows attackers to cause denial of service in TensorFlow processes.
### Patches
We have patched the issue in GitHub commit [5b491cd5e41ad63735161cec9c2
Sources: GHSA, OSV
CVE-2022-21737 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21737 [HIGH] CWE-617 Assertion failure based denial of service in Tensorflow
### Impact
The [implementation of `*Bincount` operations](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/bincount_op.cc) allows malicious users to cause denial of service by passing in arguments which would trigger a `CHECK`-fail:
```python
import tensorflow as tf
tf.raw_ops.DenseBincount(
```
Sources: GHSA, OSV
CVE-2022-21741 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21741 [HIGH] CWE-369 Division by zero in TFLite
### Impact
An attacker can craft a TFLite model that would trigger a division by zero in [the implementation of depthwise convolutions](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/lite/kernels/depthwise_conv.cc#L96).
The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding tha
Sources: GHSA, OSV
CVE-2022-23587 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23587 [HIGH] CWE-190 Integer overflow in TensorFlow
### Impact
Under certain scenarios, the Grappler component of TensorFlow is vulnerable to an integer overflow during [cost estimation for crop and resize](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L2621-L2689). Since the cropping parameters are user controlled, a malicious person can trigger undefined behav
Sources: GHSA, OSV
CVE-2022-23574 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23574 [HIGH] CWE-125 Out of bounds read and write in Tensorflow
### Impact
There is a typo in TensorFlow's [`SpecializeType`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/full_type_util.cc#L81-L102) which results in heap OOB read/write:
```cc
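for (int i = 0; i < /* ... */; i++) {
  for (int j = 0; j < t->args_size(); j++) {
    // Inner loop iterates over j, but the element is fetched with i.
    auto* arg = t->mutable_args(i);
    // ...
  }
}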
```
Due to a typo, `arg` is initialized to the `i`th
Sources: GHSA, OSV
CVE-2022-21739 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21739 [HIGH] CWE-476 Null pointer dereference in TensorFlow
### Impact
The [implementation of `QuantizedMaxPool`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/quantized_pooling_ops.cc#L114-L130) has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer.
```python
import tensorflow as tf
tf.raw_ops.QuantizedMaxPool(
input = tf.constant([
```
Sources: GHSA, OSV
CVE-2022-23593 | HIGH | ≥ 2.8.0-rc0, < 2.8.0 | 2022-02-09
CVE-2022-23593 [HIGH] CWE-754 Segfault in `simplifyBroadcast` in Tensorflow
### Impact
The [`simplifyBroadcast` function in the MLIR-TFRT infrastructure in TensorFlow](https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/mlir/tfrt/jit/transforms/tf_cpurt_symbolic_shape_optimization.cc#L149-L205) is vulnerable to a segfault (hence, denial of service), if called with scalar shapes.
```cc
size_t ma
```
Sources: GHSA, OSV
CVE-2022-21726 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21726 [HIGH] CWE-125 Out of bounds read in Tensorflow
### Impact
The [implementation of `Dequantize`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/dequantize_op.cc#L92-L153) does not fully validate the value of `axis` and can result in heap OOB accesses:
```python
import tensorflow as tf
@tf.function
def test():
  y = tf.raw_ops.Dequantize(
    input=tf.constant([1,1],dtype=tf.qint32),
    min_ra
```
Sources: GHSA, OSV
CVE-2022-23591 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23591 [HIGH] CWE-400 Stack overflow in TensorFlow
### Impact
The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when loading a `SavedModel`:
```
library {
  function {
    signature {
      name: "SomeOp"
      description: "Self recursive op"
    }
    node_def {
      name: "1"
      op: "SomeOp"
    }
    node_def {
      name: "2"
      op: "SomeOp"
```
Sources: GHSA, OSV
CVE-2022-21738 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-21738 [HIGH] CWE-190 Integer overflow leading to crash in Tensorflow
### Impact
The [implementation of `SparseCountSparseOutput`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/count_ops.cc#L168-L273) can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation:
```python
import tensorflow as tf
import numpy as np
tf.raw_
```
Sources: GHSA, OSV
CVE-2022-23573 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23573 [HIGH] CWE-908 Uninitialized variable access in Tensorflow
### Impact
The [implementation of `AssignOp`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/kernels/assign_op.h#L30-L143) can result in copying uninitialized data to a new tensor. This later results in undefined behavior.
The implementation has a check that the left hand side of the assignment is initialized (to minimize nu
Sources: GHSA, OSV
CVE-2022-23564 | HIGH | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23564 [HIGH] CWE-617 Reachable Assertion in Tensorflow
### Impact
When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user-controlled arguments. This allows attackers to cause denial of service in TensorFlow processes.
### Patches
We have patched the issue in GitHub commit [14fea662350e7c26eb5fe1be2ac31704e5682ee6](https://github.com/tensorflow/tensorflow/com
Sources: GHSA, OSV
CVE-2022-23586 | MEDIUM | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23586 [MEDIUM] CWE-617 Multiple `CHECK`-fails in `function.cc` in TensorFlow
### Impact
A malicious user can cause a denial of service by altering a `SavedModel` such that [assertions in `function.cc`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/function.cc) would be falsified and crash the Python interpreter.
### Patches
We have patched the issue in GitHub commits
Sources: GHSA, OSV
CVE-2022-23588 | MEDIUM | ≥ 0, < 2.5.3; ≥ 2.6.0, < 2.6.3 (+1 more) | 2022-02-09
CVE-2022-23588 [MEDIUM] CWE-617 `CHECK`-fails due to attempting to build a reference tensor
### Impact
A malicious user can cause a denial of service by altering a `SavedModel` such that [Grappler optimizer would attempt to build a tensor using a reference `dtype`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/optimizers/constant_folding.cc#L1328-L1402). This would resul
Sources: GHSA, OSV