## TFSA-2020-004: Out of bounds access in TFLite implementation of segment sum

### CVE Number
CVE-2020-15212

### Impact
In TensorFlow Lite, models using segment sum can trigger [writes outside of
bounds of heap allocated
buffers](https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/reference/reference_ops.h#L2625-L2631)
by inserting negative elements in the segment ids tensor:
```cc
  // segment_ids_data comes straight from the model; no bounds check is applied.
  for (int i = 0; i < input_shape.Dims(0); i++) {
    int output_index = segment_ids_data[i];  // a negative id indexes before output_data
    for (int j = 0; j < segment_flat_size; ++j) {
      output_data[output_index * segment_flat_size + j] +=
          input_data[i * segment_flat_size + j];
    }
  }
```

Users having access to `segment_ids_data` can alter `output_index` and then
write outside of the `output_data` buffer.

This might result in a segmentation fault, but it can also be used to further
corrupt the memory and can be chained with other vulnerabilities to create more
advanced exploits.

### Vulnerable Versions
TensorFlow 2.2.0, 2.3.0.

### Patches
We have patched the issue in
[204945b](https://github.com/tensorflow/tensorflow/commit/204945b) and will
release patch releases for all affected versions.

We recommend that users upgrade to TensorFlow 2.2.1 or 2.3.1.

### Workarounds
A potential workaround would be to add a custom `Verifier` to the model loading
code to ensure that the segment ids are all positive, although this only handles
the case when the segment ids are stored statically in the model.

A similar validation could be done if the segment ids are generated at runtime
between inference steps.

If the segment ids are generated as outputs of a tensor during inference steps,
then there is no possible workaround and users are advised to upgrade to the
patched code.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been discovered through a variant analysis of [a
vulnerability reported by members of the Aivul Team from Qihoo
360](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2020-002.md).
