fix: prevent integer overflow in tensor byte-size calculations#3588
Open
Ashutosh0x wants to merge 1 commit into
Open
fix: prevent integer overflow in tensor byte-size calculations#3588Ashutosh0x wants to merge 1 commit into
Ashutosh0x wants to merge 1 commit into
Conversation
Author
|
Hi @advaitjain — this fixes the integer overflow in tensor byte-size calculations reported in #3552. All three functions (BytesRequiredForTensor, TfLiteEvalTensorByteLength, AllocateOutputDimensionsFromInput) use signed int for the running product of tensor dimensions, which wraps to 0 on shapes like [65536, 65536]. The allocator then gives a 0-byte buffer while the tensor metadata says it's huge — classic heap OOB write. The fix uses size_t with checked multiplication (SIZE_MAX / x) before each multiply, and rejects dimensions <= 0 with kTfLiteError. Happy to adjust! |
BytesRequiredForTensor, TfLiteEvalTensorByteLength, and AllocateOutputDimensionsFromInput use signed int for the running product of tensor dimensions. A model with shape [65536, 65536] over float32 requires 2^32 * 4 = 17 GiB, but the signed int product wraps to 0, causing a 0-byte allocation while the tensor metadata holds the original huge dimensions. This leads to heap OOB read/write during kernel execution. Fix: switch to size_t with checked multiplication (SIZE_MAX / x) before each multiply. Reject dimensions <= 0. Return kTfLiteError on overflow instead of silently wrapping. Fixes tensorflow#3552
Ashutosh0x
force-pushed
the
fix/integer-overflow-memory-helpers
branch
from
73a07d1 to
f49b5e5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix signed integer overflow in
BytesRequiredForTensor,TfLiteEvalTensorByteLength, andAllocateOutputDimensionsFromInputthat leads to heap out-of-bounds read/write when loading untrusted models.Vulnerability (#3552)
All three functions compute a running product of tensor dimensions using signed
intarithmetic. A model with shape[65536, 65536]overfloat32requires 2^34 bytes (17 GiB), but the signedintproduct wraps to0. This causes a 0-byte allocation while the tensor metadata holds the original dimensions, leading to heap OOB read/write during kernel execution.Fix
inttosize_tSIZE_MAX / x) before each multiply<= 0kTfLiteErroron overflow instead of silently wrappingAll three vulnerable functions in
memory_helpers.ccare fixed with the same pattern.BUG=#3552