Update new security advisories

PiperOrigin-RevId: 390179076
Change-Id: I47d52cf11e356dc6ce2307f25119d6bad79d7bd4

Author: mihaimaruseac

SECURITY.md

@@ -193,13 +193,16 @@ Once an issue is reported, TensorFlow uses the following disclosure process:
   that require mitigation before publication, those projects will be notified.
 * An advisory is prepared (but not published) which details the problem and
   steps for mitigation.
-* Wherever possible, fixes are prepared for the last minor release of the two
-  latest major releases, as well as the master branch. We will attempt to
-  commit these fixes as soon as possible, and as close together as
-  possible.
+* The vulnerability is fixed and potential workarounds are identified.
+* Wherever possible, the fix is also prepared for the branches corresponding to
+  all releases of TensorFlow at most one year old. We will attempt to commit
+  these fixes as soon as possible, and as close together as possible.
 * Patch releases are published for all fixed released versions, a
   notification is sent to [email protected], and the advisory is published.
 
+Note that we mostly do patch releases for security reasons and each version of
+TensorFlow is supported for only 1 year after the release.
+
 Past security advisories are listed below. We credit reporters for identifying
 security issues, although we keep your name confidential if you request it.
 

tensorflow/security/README.md

@@ -0,0 +1,41 @@
+## TFSA-2021-109: Heap out of bounds access in sparse reduction operations
+
+### CVE Number
+CVE-2021-37635
+
+### Impact
+The implementation of sparse reduction operations in TensorFlow can trigger
+accesses outside of bounds of heap allocated data:
+
+```python
+import tensorflow as tf
+
+x = tf.SparseTensor(
+      indices=[[773, 773, 773], [773, 773, 773]],
+      values=[1, 1],
+      dense_shape=[337, 337, 337])
+tf.sparse.reduce_sum(x, 1)
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_reduce_op.cc#L217-L228)
+fails to validate that each reduction group does not overflow and that each
+corresponding index does not point to outside the bounds of the input tensor.
+
+### Patches
+We have patched the issue in GitHub commit
+[87158f43f05f2720a374f3e6d22a7aaa3a33f750](https://github.com/tensorflow/tensorflow/commit/87158f43f05f2720a374f3e6d22a7aaa3a33f750).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-109.md

@@ -0,0 +1,42 @@
+## TFSA-2021-110: Floating point exception in `SparseDenseCwiseDiv`
+
+### CVE Number
+CVE-2021-37636
+
+### Impact
+The implementation of `tf.raw_ops.SparseDenseCwiseDiv` is vulnerable to a
+division by 0 error:
+
+```python
+import tensorflow as tf
+import numpy as np
+
+tf.raw_ops.SparseDenseCwiseDiv(
+  sp_indices=np.array([[4]]),
+  sp_values=np.array([-400]),
+  sp_shape=np.array([647.]),
+  dense=np.array([0]))
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/a1bc56203f21a5a4995311825ffaba7a670d7747/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc#L56)
+uses a common class for all binary operations but fails to treat the division by
+0 case separately.
+
+### Patches
+We have patched the issue in GitHub commit
+[d9204be9f49520cdaaeb2541d1dc5187b23f31d9](https://github.com/tensorflow/tensorflow/commit/d9204be9f49520cdaaeb2541d1dc5187b23f31d9).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-110.md

@@ -0,0 +1,38 @@
+## TFSA-2021-111: Null pointer dereference in `CompressElement`
+
+### CVE Number
+CVE-2021-37637
+
+### Impact
+It is possible to trigger a null pointer dereference in TensorFlow by passing an
+invalid input to `tf.raw_ops.CompressElement`:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.CompressElement(components=[[]])
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34)
+was accessing the size of a buffer obtained from the return of a separate
+function call before validating that said buffer is valid.
+
+### Patches
+We have patched the issue in GitHub commit
+[5dc7f6981fdaf74c8c5be41f393df705841fb7c5](https://github.com/tensorflow/tensorflow/commit/5dc7f6981fdaf74c8c5be41f393df705841fb7c5).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360. Concurrently, it was resolved in `master` branch as it was also discovered
+internally and fixed before the report was handled.

tensorflow/security/advisory/tfsa-2021-111.md

@@ -0,0 +1,43 @@
+## TFSA-2021-112: Null pointer dereference in `RaggedTensorToTensor`
+
+### CVE Number
+CVE-2021-37638
+
+### Impact
+Sending invalid argument for `row_partition_types` of
+`tf.raw_ops.RaggedTensorToTensor` API results in a null pointer dereference and
+undefined behavior:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.RaggedTensorToTensor(
+  shape=1,
+  values=10,
+  default_value=21,
+  row_partition_tensors=tf.constant([0,0,0,0]),
+  row_partition_types=[])
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L328)
+accesses the first element of a user supplied list of values without validating
+that the provided list is not empty.
+
+### Patches
+We have patched the issue in GitHub commit
+[301ae88b331d37a2a16159b65b255f4f9eb39314](https://github.com/tensorflow/tensorflow/commit/301ae88b331d37a2a16159b65b255f4f9eb39314).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-112.md

@@ -0,0 +1,75 @@
+## TFSA-2021-113: Null pointer dereference and heap OOB read in operations restoring tensors
+
+### CVE Number
+CVE-2021-37639
+
+### Impact
+When restoring tensors via raw APIs, if the tensor name is not provided,
+TensorFlow can be tricked into dereferencing a null pointer:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.Restore(
+  file_pattern=['/tmp'],
+  tensor_name=[],
+  default_value=21,
+  dt=tf.int,
+  preferred_shard=1)
+```
+
+The same undefined behavior can be triggered by `tf.raw_ops.RestoreSlice`:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.RestoreSlice(
+  file_pattern=['/tmp'],
+  tensor_name=[],
+  shape_and_slice='2',
+  dt=inp.array([tf.int]),
+  preferred_shard=1)
+```
+
+Alternatively, attackers can read memory outside the bounds of heap allocated
+data by providing some tensor names but not enough for a successful restoration:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.Restore(
+  file_pattern=['/tmp'],
+  tensor_name=['x'],
+  default_value=21,
+  dt=tf.int,
+  preferred_shard=42)
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159)
+retrieves the tensor list corresponding to the `tensor_name` user controlled
+input and immediately retrieves the tensor at the restoration index (controlled
+via `preferred_shard` argument). This occurs without validating that the
+provided list has enough values.
+
+If the list is empty this results in dereferencing a null pointer (undefined
+behavior). If, however, the list has some elements, if the restoration index is
+outside the bounds this results in heap OOB read.
+
+### Patches
+We have patched the issue in GitHub commit
+[9e82dce6e6bd1f36a57e08fa85af213e2b2f2622](https://github.com/tensorflow/tensorflow/commit/9e82dce6e6bd1f36a57e08fa85af213e2b2f2622).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-113.md

@@ -0,0 +1,45 @@
+## TFSA-2021-114: Integer division by 0 in sparse reshaping
+
+### CVE Number
+CVE-2021-37640
+
+### Impact
+The implementation of `tf.raw_ops.SparseReshape` can be made to trigger an
+integral division by 0 exception:
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.SparseReshape(
+  input_indices = np.ones((1,3)),
+  input_shape = np.array([1,1,0]),
+  new_shape = np.array([1,0]))
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/reshape_util.cc#L176-L181)
+calls the reshaping functor whenever there is at least an index in the input but
+does not check that shape of the input or the target shape have both a non-zero
+number of elements.
+
+The [reshape
+functor](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/reshape_util.cc#L40-L78)
+blindly divides by the dimensions of the target shape. Hence, if this is not
+checked, code will result in a division by 0.
+
+### Patches
+We have patched the issue in GitHub commit
+[4923de56ec94fff7770df259ab7f2288a74feb41](https://github.com/tensorflow/tensorflow/commit/4923de56ec94fff7770df259ab7f2288a74feb41).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1 as this is the other affected version.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-114.md

@@ -0,0 +1,41 @@
+## TFSA-2021-115: Division by 0 in `ResourceScatterDiv`
+
+### CVE Number
+CVE-2021-37642
+
+### Impact
+The implementation of `tf.raw_ops.ResourceScatterDiv` is vulnerable to a
+division by 0 error:
+
+```python
+import tensorflow as tf
+
+v= tf.Variable([1,2,3])
+tf.raw_ops.ResourceScatterDiv(
+  resource=v.handle,
+  indices=[1],
+  updates=[0])
+```
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/resource_variable_ops.cc#L865)
+uses a common class for all binary operations but fails to treat the division by
+0 case separately.
+
+### Patches
+We have patched the issue in GitHub commit
+[4aacb30888638da75023e6601149415b39763d76](https://github.com/tensorflow/tensorflow/commit/4aacb30888638da75023e6601149415b39763d76).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.

tensorflow/security/advisory/tfsa-2021-115.md

@@ -0,0 +1,45 @@
+## TFSA-2021-116: Heap OOB in `RaggedGather`
+
+### CVE Number
+CVE-2021-37641
+
+### Impact
+If the arguments to `tf.raw_ops.RaggedGather` don't determine a valid ragged
+tensor code can trigger a read from outside of bounds of heap allocated buffers.
+
+```python
+import tensorflow as tf
+
+tf.raw_ops.RaggedGather(
+  params_nested_splits = [0,0,0],
+  params_dense_values = [1,1],
+  indices = [0,0,9,0,0],
+  OUTPUT_RAGGED_RANK=0)
+```
+
+In debug mode, the same code triggers a `CHECK` failure.
+
+The
+[implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/ragged_gather_op.cc#L70)
+directly reads the first dimension of a tensor shape before checking that said
+tensor has rank of at least 1 (i.e., it is not a scalar). Furthermore, the
+implementation does not check that the list given by `params_nested_splits` is
+not an empty list of tensors.
+
+### Patches
+We have patched the issue in GitHub commit
+[a2b743f6017d7b97af1fe49087ae15f0ac634373](https://github.com/tensorflow/tensorflow/commit/a2b743f6017d7b97af1fe49087ae15f0ac634373).
+
+The fix will be included in TensorFlow 2.6.0. We will also cherrypick this
+commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
+also affected and still in supported range.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported by members of the Aivul Team from Qihoo
+360.