Skip to content

security: Multiple Integer Overflows in Tensor Dimension Calculations and Quantization Allocation #3582

Description

@deezsecc

Description:

I have identified two integer overflow issues within the model loading and allocation code that can lead to memory corruption (heap out-of-bounds read/write).


Issue 1: Signed Integer Overflow in BytesRequiredForTensor

  • Location: tensorflow/lite/micro/memory_helpers.cc
  • Function: tflite::BytesRequiredForTensor
  • Details:
    When calculating the element count of a tensor shape, the dimension values are multiplied sequentially using signed int arithmetic without boundary checks:
    if (flatbuffer_tensor.shape() != nullptr) {
      for (size_t n = 0; n < flatbuffer_tensor.shape()->size(); ++n) {
        element_count *= flatbuffer_tensor.shape()->Get(n);
      }
    }
    If a model specifies large/overflowing dimensions (e.g. [65536, 65536]), the product overflows, wrapping around to 0 or negative values. This leads to 0-byte allocation for the tensor's activation buffer in the arena while the tensor metadata (allocated_tensor.dims) holds the original huge sizes, resulting in heap out-of-bounds read/write access during kernel execution.

Issue 2: Integer Overflow in Quantization Channels Allocation

  • Location: tensorflow/lite/micro/micro_allocator.cc
  • Function: tflite::internal::InitializeTfLiteTensorFromFlatbuffer
  • Details:
    When allocating space for per-channel quantization parameters (zero points), the code calls TfLiteIntArrayGetSizeInBytes(channels). On 32-bit platforms, if the number of channels (src_quantization->scale()->size()) is controlled (e.g. 0x3fffffff), the calculation 4 + 4 * channels overflows to 0 modulo $2^{32}$.
    The allocator returns a valid pointer to a 0-byte buffer, but the loop continues writing up to 0x3fffffff zero point elements into the buffer, triggering a massive heap out-of-bounds write.

Suggested Fix

I have created patches that add standard checked integer multiplication and boundaries checks to reject malformed/overflowing shape and channel parameters with kTfLiteError.

A Pull Request containing these fixes and accompanying regression tests will be submitted shortly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions