• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1## TFSA-2020-007: Null pointer dereference in TFLite
2
3### CVE Number
4CVE-2020-15209
5
6### Impact
7A crafted TFLite model can force a node to have as input a tensor backed by a
8`nullptr` buffer. This can be achieved by changing a buffer index in the
9flatbuffer serialization to convert a read-only tensor to a read-write one. The
10runtime assumes that these buffers are written to before a possible read, hence
11they are [initialized with
12`nullptr`](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/core/subgraph.cc#L1224-L1227):
13```cc
14  TfLiteTensorReset(type, name, ConvertArrayToTfLiteIntArray(rank, dims),
15                    GetLegacyQuantization(quantization),
16                    /*buffer=*/nullptr, required_bytes, allocation_type,
17                    nullptr, is_variable, &tensor);
18```
19
20However, by changing the buffer index for a tensor and implicitly converting
21that tensor to be a read-write one, as there is nothing in the model that writes
22to it, we get a null pointer dereference.
23
24### Vulnerable Versions
25TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1,
262.2.0, 2.3.0.
27
28### Patches
29We have patched the issue in
30[0b5662bc](https://github.com/tensorflow/tensorflow/commit/0b5662bc) and will
31release patch releases for all versions between 1.15 and 2.3.
32
33We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or
342.3.1.
35
36### Workarounds
37A potential workaround would be to add a custom `Verifier` to the model loading
38code to ensure that no operator reuses tensors as both inputs and outputs. Care
39should be taken to check all types of inputs (i.e., constant or variable tensors
40as well as optional tensors).
41
42### For more information
43Please consult [our security
44guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
45more information regarding the security model and how to contact us with issues
46and questions.
47
48### Attribution
49This vulnerability has been discovered by members of the Aivul Team and is also
50discoverable through a variant analysis of [another
51vulnerability reported by members of the Aivul Team from Qihoo
52360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-005.md).
53