CVE-2020-15211
Out of bounds access in tensorflow-lite
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of tensors that is owned by the subgraph. This results in a pattern of double array indexing when trying to get the data of each tensor. However, some operators can have some tensors be optional. To handle this scenario, the flatbuffer model uses a negative `-1` value as index for these tensors. This results in special casing during validation at model loading time. Unfortunately, this means that the `-1` index is a valid tensor index for any operator, including those that don't expect optional inputs and including for output tensors. Thus, this allows writing and reading from outside the bounds of heap allocated arrays, although only at a specific offset from the start of these arrays. This results in both read and write gadgets, albeit very limited in scope. The issue is patched in several commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21, and fff2c83), and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to the model loading code to ensure that only operators which accept optional inputs use the `-1` special value and only for the tensors that they expect to be optional. Since this allow-list type approach is erro-prone, we advise upgrading to the patched code.
En TensorFlow Lite versiones anteriores a 1.15.4, 2.0.3, 2.1.2, 2.2.1 y 2.3.1, los modelos guardados en formato flatbuffer usan un esquema de indexación doble: un modelo tiene un conjunto de subgráficos, cada subgráfico tiene un conjunto de operadores y cada operador tiene un conjunto de tensores de entrada/salida. El formato flatbuffer usa índices para los tensores, indexando en una matriz de tensores que es propiedad del subgráfico. Esto resulta en un patrón de indexación de doble matriz cuando intenta obtener los datos de cada tensor. Sin embargo, algunos operadores pueden tener algunos tensores opcionales. Para manejar este escenario, el modelo flatbuffer usa un valor negativo "-1" como índice para estos tensores. Esto resulta en un cubierta especial durante la comprobación en el momento de la carga del modelo. Desafortunadamente, esto significa que el índice "-1" es un índice tensorial válido para cualquier operador, incluyendo aquellos que no esperan entradas opcionales e incluso para tensores de salida. Por tanto, esto permite escribir y leer desde fuera de los límites de los arreglos asignados de la pila, aunque solo en un desplazamiento específico desde el inicio de estos arreglos. Esto resulta en gadgets de lectura y escritura, aunque con un alcance muy limitado. El problema es parcheado en varias commits (46d5b0852, 00302787b7, e11f5558, cd31fd0ce, 1970c21 y fff2c83) y es publicado en TensorFlow versiones 1.15.4, 2.0.3, 2.1.2, 2.2.1 o 2.3.1. Una solución alternativa potencial sería agregar un "Verifier" personalizado al código de carga del modelo para garantizar que solo los operadores que aceptan entradas opcionales usen el valor especial "-1" y solo para los tensores que esperan que sean opcionales. Dado que este enfoque de tipo allow-list es propenso a errores, recomendamos actualizar al código parcheado
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-09-25 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-08-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cvpc-8phh-8f45 | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html | 2021-09-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | < 1.15.4 Search vendor "Google" for product "Tensorflow" and version " < 1.15.4" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.0.0 < 2.0.3 Search vendor "Google" for product "Tensorflow" and version " >= 2.0.0 < 2.0.3" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.1.0 < 2.1.2 Search vendor "Google" for product "Tensorflow" and version " >= 2.1.0 < 2.1.2" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.2.0 < 2.2.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.2.0 < 2.2.1" | lite |
Affected
| ||||||
| Google Search vendor "Google" | Tensorflow Search vendor "Google" for product "Tensorflow" | >= 2.3.0 < 2.3.1 Search vendor "Google" for product "Tensorflow" and version " >= 2.3.0 < 2.3.1" | lite |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||