Integer overflow in TFLite memory allocation
Moderate severity
GitHub Reviewed
Published
May 13, 2021
in
tensorflow/tensorflow
•
Updated Nov 13, 2024
Package
Affected versions
< 2.1.4
>= 2.2.0, < 2.2.3
>= 2.3.0, < 2.3.3
>= 2.4.0, < 2.4.2
Patched versions
2.1.4
2.2.3
2.3.3
2.4.2
< 2.1.4
>= 2.2.0, < 2.2.3
>= 2.3.0, < 2.3.3
>= 2.4.0, < 2.4.2
2.1.4
2.2.3
2.3.3
2.4.2
< 2.1.4
>= 2.2.0, < 2.2.3
>= 2.3.0, < 2.3.3
>= 2.4.0, < 2.4.2
2.1.4
2.2.3
2.3.3
2.4.2
Description
Published by the National Vulnerability Database
May 14, 2021
Reviewed
May 17, 2021
Published to the GitHub Advisory Database
May 21, 2021
Last updated
Nov 13, 2024
Impact
The TFLite code for allocating
TFLiteIntArray
s is vulnerable to an integer overflow issue:An attacker can craft a model such that the
size
multiplier is so large that the return value overflows theint
datatype and becomes negative. In turn, this results in invalid value being given tomalloc
:In this case,
ret->size
would dereference an invalid pointer.Patches
We have patched the issue in GitHub commit 7c8cc4ec69cd348e44ad6a2699057ca88faad3e5.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
References