## TFSA-2020-002: Out of bounds write in TFLite implementation of segment sum

### CVE Number
CVE-2020-15214

### Impact
In TensorFlow Lite, models using segment sum can trigger an out of bounds write or
segmentation fault if the segment ids are not sorted. The code assumes that the
segment ids are in increasing order, [using the last element of the tensor
holding them to determine the dimensionality of the output
tensor](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/segment_sum.cc#L39-L44):
```cc
  if (segment_id_size > 0) {
    max_index = segment_ids->data.i32[segment_id_size - 1];
  }
  TfLiteIntArray* output_shape = TfLiteIntArrayCreate(NumDimensions(data));
  output_shape->data[0] = max_index + 1;
```

This results in allocating insufficient memory for the output tensor and in a
[write outside the bounds of the output
array](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reference_ops.h#L2625-L2631):
```cc
  memset(output_data, 0, sizeof(T) * output_shape.FlatSize());
  for (int i = 0; i < input_shape.Dims(0); i++) {
    int output_index = segment_ids_data[i];
    for (int j = 0; j < segment_flat_size; ++j) {
      output_data[output_index * segment_flat_size + j] +=
          input_data[i * segment_flat_size + j];
    }
  }
```

This usually results in a segmentation fault, but depending on runtime
conditions it can provide a write gadget to be used in future memory
corruption-based exploits.

### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.

### Patches
We have patched the issue in
[204945b](https://github.com/tensorflow/tensorflow/commit/204945b) and will
release patch releases for all affected versions.

We recommend users upgrade to TensorFlow 2.2.1 or 2.3.1.

### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that the segment ids are sorted, although this only handles the
case when the segment ids are stored statically in the model.

A similar validation could be done if the segment ids are generated at runtime
between inference steps.

If the segment ids are generated as outputs of a tensor during inference steps,
then there is no possible workaround and users are advised to upgrade to
patched code.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.
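The following C snippet is an added illustration, not TensorFlow code: it contrasts the output sizing the unpatched kernel performs (last segment id plus one) with a checked segment sum that validates the ids the way the `Verifier` workaround below would, rejecting negative or unsorted ids before any write. All function names are hypothetical and the sample tensors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Output row count as the vulnerable kernel computed it: trusts the LAST id.
 * For ids {0, 2, 1} this yields 2 rows, yet row index 2 is written later. */
int32_t unchecked_output_rows(const int32_t *ids, size_t n) {
    int32_t max_index = -1;
    if (n > 0) max_index = ids[n - 1];
    return max_index + 1;
}

/* Precondition the kernel silently assumed: ids are non-negative and
 * non-decreasing. Returns 1 if valid and stores the true maximum id. */
int segment_ids_valid(const int32_t *ids, size_t n, int32_t *max_out) {
    int32_t max_id = -1;
    for (size_t i = 0; i < n; i++) {
        if (ids[i] < 0) return 0;                   /* would write before the buffer */
        if (i > 0 && ids[i] < ids[i - 1]) return 0; /* unsorted: last id undersizes output */
        if (ids[i] > max_id) max_id = ids[i];
    }
    *max_out = max_id;
    return 1;
}

/* Hardened reference segment sum over `rows` rows of `flat` floats each.
 * Sizes the output from the validated maximum id and refuses to run when
 * the ids are invalid or the caller's buffer is too small. Returns 0 on
 * success, -1 on rejection. */
int segment_sum_checked(const float *input, size_t rows, size_t flat,
                        const int32_t *ids, float *out, size_t out_capacity) {
    int32_t max_id;
    if (rows == 0 || !segment_ids_valid(ids, rows, &max_id)) return -1;
    size_t out_rows = (size_t)max_id + 1;
    if (out_rows * flat > out_capacity) return -1;
    memset(out, 0, sizeof(float) * out_rows * flat);
    for (size_t i = 0; i < rows; i++)
        for (size_t j = 0; j < flat; j++)
            out[(size_t)ids[i] * flat + j] += input[i * flat + j];
    return 0;
}
```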