fix: validate tensor indices against subgraph bounds in MarkAllocationLifetimes #3591
Open
arunmanni-ai wants to merge 1 commit into
Add bounds checks for all tensor indices read from the model flatbuffer in MarkAllocationLifetimes(). Out-of-bounds tensor indices cause direct array access into subgraph_allocation_info[] without validation, triggerable by a crafted model. Validates each index against subgraph->tensors()->size() and returns kTfLiteError on violation. Mirrors the fix in tensorflow/lite/core/subgraph.cc for CVE-2020-15211, which was never applied to the TFLM equivalent.
BUG=none
Author
@veblush — Could you review or assign this PR for code owner review? This fixes CVE-2020-15211, which has been unfixed in TFLM since 2020. The change mirrors the validation already applied to tensorflow/lite/core/subgraph.cc but was missing from the TFLM equivalent. The fix is a single bounds check in MarkAllocationLifetimes. All checks pass (tests, CLA, GitHub Actions). Google Issue Tracker Reference: [521142176] Happy to address any feedback immediately once assigned. Thanks,
Add bounds checks for tensor indices read from the model flatbuffer
in MarkAllocationLifetimes(). Tensor indices from operator inputs,
operator outputs, subgraph inputs, and subgraph outputs are now
validated against subgraph->tensors()->size() before use as array
indices. Returns kTfLiteError with a descriptive message on violation.
Mirrors the validation in tensorflow/lite/core/subgraph.cc added
for CVE-2020-15211, which was not present in the TFLM equivalent.
BUG=none
Reference= issue tracker [521142176]
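The kind of check the description above refers to, as a stand-alone added example; this is not the PR's diff or TFLM code. The types, the names `InBounds` and `MarkLifetimes`, the `-1` marker for an absent optional input, and the simplified lifetime bookkeeping are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified stand-ins for this example; these are not the TFLM types.
enum Status { kOk = 0, kError = 1 };
constexpr int32_t kOptionalTensor = -1;  // assumed "input absent" marker
struct AllocationInfo { int first_created = -1; int last_used = -1; };
struct Op { std::vector<int32_t> inputs, outputs; };
struct Subgraph {
  size_t tensor_count; std::vector<int32_t> inputs, outputs; std::vector<Op> ops;
};

// Reject negatives first so -2 cannot wrap to a huge size_t in the compare.
static bool InBounds(int32_t idx, size_t count) {
  return idx >= 0 && static_cast<size_t>(idx) < count;
}

// Checks each model-supplied index before it is used to index `info`.
Status MarkLifetimes(const Subgraph& g, std::vector<AllocationInfo>& info) {
  if (info.size() != g.tensor_count) return kError;
  for (int32_t i : g.inputs) {
    if (!InBounds(i, g.tensor_count)) return kError;
    info[i].first_created = 0;
  }
  for (size_t n = 0; n < g.ops.size(); ++n) {
    for (int32_t i : g.ops[n].inputs) {
      if (i == kOptionalTensor) continue;  // skipped, never used as an index
      if (!InBounds(i, g.tensor_count)) return kError;
      info[i].last_used = static_cast<int>(n);
    }
    for (int32_t i : g.ops[n].outputs) {
      if (!InBounds(i, g.tensor_count)) return kError;
      if (info[i].first_created < 0) info[i].first_created = static_cast<int>(n);
    }
  }
  for (int32_t i : g.outputs) {
    if (!InBounds(i, g.tensor_count)) return kError;
    info[i].last_used = static_cast<int>(g.ops.size()) - 1;
  }
  return kOk;
}

int main() {
  // Constructed model: 3 tensors, one op whose input index 7 is out of range.
  Subgraph bad{3, {0}, {2}, {Op{{7}, {1}}}};
  std::vector<AllocationInfo> info(3);
  std::printf("status=%d\n", MarkLifetimes(bad, info));
}
```

Validation is interleaved with the writes here, so on `kError` the `info` array may be partially updated and the caller should discard it.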