Описание
Heap buffer overflow in MaxPool3DGradGrad
Impact
The implementation of tf.raw_ops.MaxPool3DGradGrad is vulnerable to a heap buffer overflow:
The implementation does not check that the initialization of Pool3dParameters completes successfully:
Since the constructor uses OP_REQUIRES to validate conditions, the first assertion that fails interrupts the initialization of params, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values.
Patches
We have patched the issue in GitHub commit 63c6a29d0f2d692b247f7bf81f8732d6442fad09.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
Ссылки
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7cqx-92hp-x6wh
- https://nvd.nist.gov/vuln/detail/CVE-2021-29576
- https://github.com/tensorflow/tensorflow/commit/63c6a29d0f2d692b247f7bf81f8732d6442fad09
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-504.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-702.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-213.yaml
Пакеты
tensorflow
< 2.1.4
2.1.4
tensorflow
>= 2.2.0, < 2.2.3
2.2.3
tensorflow
>= 2.3.0, < 2.3.3
2.3.3
tensorflow
>= 2.4.0, < 2.4.2
2.4.2
tensorflow-cpu
< 2.1.4
2.1.4
tensorflow-cpu
>= 2.2.0, < 2.2.3
2.2.3
tensorflow-cpu
>= 2.3.0, < 2.3.3
2.3.3
tensorflow-cpu
>= 2.4.0, < 2.4.2
2.4.2
tensorflow-gpu
< 2.1.4
2.1.4
tensorflow-gpu
>= 2.2.0, < 2.2.3
2.2.3
tensorflow-gpu
>= 2.3.0, < 2.3.3
2.3.3
tensorflow-gpu
>= 2.4.0, < 2.4.2
2.4.2
Связанные уязвимости
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPool3DGradGrad` is vulnerable to a heap buffer overflow. The implementation(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L694-L696) does not check that the initialization of `Pool3dParameters` completes successfully. Since the constructor(https://github.com/tensorflow/tensorflow/blob/596c05a159b6fbb9e39ca10b3f7753b7244fa1e9/tensorflow/core/kernels/pooling_ops_3d.cc#L48-L88) uses `OP_REQUIRES` to validate conditions, the first assertion that fails interrupts the initialization of `params`, making it contain invalid data. In turn, this might cause a heap buffer overflow, depending on default initialized values. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and
TensorFlow is an end-to-end open source platform for machine learning. ...