Description:
I have identified two integer overflow issues within the model loading and allocation code that can lead to memory corruption (heap out-of-bounds read/write).
Issue 1: Signed Integer Overflow in BytesRequiredForTensor
- Location:
tensorflow/lite/micro/memory_helpers.cc
- Function:
tflite::BytesRequiredForTensor
- Details:
When calculating the element count of a tensor shape, the dimension values are multiplied sequentially using signed int arithmetic without boundary checks:
if (flatbuffer_tensor.shape() != nullptr) {
for (size_t n = 0; n < flatbuffer_tensor.shape()->size(); ++n) {
element_count *= flatbuffer_tensor.shape()->Get(n);
}
}
If a model specifies large/overflowing dimensions (e.g. [65536, 65536]), the product overflows, wrapping around to 0 or negative values. This leads to 0-byte allocation for the tensor's activation buffer in the arena while the tensor metadata (allocated_tensor.dims) holds the original huge sizes, resulting in heap out-of-bounds read/write access during kernel execution.
Issue 2: Integer Overflow in Quantization Channels Allocation
-
Location:
tensorflow/lite/micro/micro_allocator.cc
-
Function:
tflite::internal::InitializeTfLiteTensorFromFlatbuffer
-
Details:
When allocating space for per-channel quantization parameters (zero points), the code calls TfLiteIntArrayGetSizeInBytes(channels). On 32-bit platforms, if the number of channels (src_quantization->scale()->size()) is controlled (e.g. 0x3fffffff), the calculation 4 + 4 * channels overflows to 0 modulo $2^{32}$.
The allocator returns a valid pointer to a 0-byte buffer, but the loop continues writing up to 0x3fffffff zero point elements into the buffer, triggering a massive heap out-of-bounds write.
Suggested Fix
I have created patches that add standard checked integer multiplication and boundaries checks to reject malformed/overflowing shape and channel parameters with kTfLiteError.
A Pull Request containing these fixes and accompanying regression tests will be submitted shortly.
Description:
I have identified two integer overflow issues within the model loading and allocation code that can lead to memory corruption (heap out-of-bounds read/write).
Issue 1: Signed Integer Overflow in
BytesRequiredForTensortensorflow/lite/micro/memory_helpers.cctflite::BytesRequiredForTensorWhen calculating the element count of a tensor shape, the dimension values are multiplied sequentially using signed
intarithmetic without boundary checks:[65536, 65536]), the product overflows, wrapping around to0or negative values. This leads to0-byte allocation for the tensor's activation buffer in the arena while the tensor metadata (allocated_tensor.dims) holds the original huge sizes, resulting in heap out-of-bounds read/write access during kernel execution.Issue 2: Integer Overflow in Quantization Channels Allocation
tensorflow/lite/micro/micro_allocator.cctflite::internal::InitializeTfLiteTensorFromFlatbufferWhen allocating space for per-channel quantization parameters (zero points), the code calls
TfLiteIntArrayGetSizeInBytes(channels). On 32-bit platforms, if the number of channels (src_quantization->scale()->size()) is controlled (e.g.0x3fffffff), the calculation4 + 4 * channelsoverflows to0moduloThe allocator returns a valid pointer to a
0-byte buffer, but the loop continues writing up to0x3fffffffzero point elements into the buffer, triggering a massive heap out-of-bounds write.Suggested Fix
I have created patches that add standard checked integer multiplication and boundaries checks to reject malformed/overflowing shape and channel parameters with
kTfLiteError.A Pull Request containing these fixes and accompanying regression tests will be submitted shortly.