Integer overflow due to conversion to unsigned in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.QuantizeAndDequantizeV4Grad` is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L126) uses the `axis` value as the size argument to `absl::InlinedVector` constructor. But, the constructor uses an unsigned type for the argument, so the implicit conversion transforms the negative value to a large integer. We have patched the issue in GitHub commit 96f364a1ca3009f98980021c4b32be5fdcca33a1. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, and TensorFlow 2.4.3, as these are also affected and still in supported range.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

数值类型间的不正确转换

Google TensorFlow 数字错误漏洞

Google TensorFlow是美国谷歌（Google）公司的一套用于机器学习的端到端开源平台。 Google TensorFlow存在数字错误漏洞，该漏洞源于在受影响的版本中，“tf.raw_ops.QuantizeAndDequantizeV4Grad”的实现容易受到整数溢出问题的攻击，这是由于将有符号整数值转换为无符号整数值，然后根据该值分配内存而导致的。

N/A

N/A