漏洞标题
在tensorflow-lite中的越界访问
漏洞描述信息
在TensorFlow Lite的1.15.4、2.0.3、2.1.2、2.2.1和2.3.1版本之前,保存的模型使用扁平缓冲区格式时采用双重索引方案:一个模型包含一组子图,每个子图包含一组运算符,每个运算符又包含一组输入/输出张量。扁平缓冲区格式使用张量的索引,该索引指向属于子图的张量数组。这导致在尝试获取每个张量的数据时出现双重数组索引的模式。然而,有些运算符可能有一些可选的张量。为处理这种情况,扁平缓冲区模型使用负值`-1`作为这些张量的索引。这导致在加载模型时的验证阶段需要特殊处理。不幸的是,这意味着`-1`索引对于任何运算符,包括那些不期望可选输入的运算符以及输出张量,都是有效的张量索引。因此,这允许在堆分配数组的边界之外进行写入和读取,尽管只在这些数组开始的特定偏移量处。这导致了读写 gadgets,尽管其范围非常有限。此问题已在多个提交(46d5b0852、00302787b7、e11f5558、cd31fd0ce、1970c21和fff2c83)中修复,并已发布在TensorFlow的1.15.4、2.0.3、2.1.2、2.2.1或2.3.1版本中。一个可能的临时解决方案是在加载模型代码中添加自定义`Verifier`,以确保只有接受可选输入的运算符使用`-1`特殊值,并且只用于它们期望为可选的张量。但由于这种白名单方法容易出错,我们建议升级到修复后的代码。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
漏洞类别
N/A
漏洞标题
Out of bounds access in tensorflow-lite
漏洞描述信息
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative `-1` value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the `-1` index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope. The issue is patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83), and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that only operators which accept optional inputs use the `-1` special value and only for the tensors that they expect to be optional. Since this allow-list type approach is erro-prone, we advise upgrading to the patched code.
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
漏洞类别
跨界内存读
漏洞标题
Google TensorFlow 缓冲区错误漏洞
漏洞描述信息
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 tensorflow-lite 1.15.4之前版本, 2.0.3版本, 2.1.2版本, 2.2.1版本,2.3.1版本中存在安全漏洞,该漏洞允许攻击者从堆分配的数组的边界之外进行写入和读取。
CVSS信息
N/A
漏洞类别
缓冲区错误