py-tflite -- buffer overflow vulnerability
Thibaut Goetghebuer-Planchon reports:
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of `data_ptr += num_channels;` it should be `data_ptr += output_num_channels;` as if the number of input channels is different than the number of output channels, the wrong result will be returned and a buffer overflow will occur if num_channels > output_num_channels.
An attacker can craft a model with a specific number of input channels in a way similar to the attached example script.
It is then possible to write specific values through the bias of the layer outside the bounds of the buffer.
This attack only works if the reference kernel resolver is used in the interpreter (i.e. `experimental_op_resolver_type=tf.lite.experimental.OpResolverType.BUILTIN_REF` is used).
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright