GHSA-8r7c-3cm2-3h8f

Published: 10 Feb 2022
Source: github
Github: Reviewed
CVSS4: 5.3
CVSS3: 4.3

Description

Memory leak in Tensorflow

Impact

If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize:

    Status s = params_.create_kernel(n->properties(), &item->kernel);
    if (!s.ok()) {
      item->kernel = nullptr;
      s = AttachDef(s, *n);
      return s;
    }

Here, we set item->kernel to nullptr but it is a simple OpKernel* pointer so the memory that was previously allocated to it would leak.
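
The leak pattern described above, reduced to a self-contained C++ example added here (not TensorFlow's code and not taken from the patch commit). `Status`, `OpKernel`, `NodeItem`, `create_kernel` and the `live` counter are simplified stand-ins, and the assumption is that the factory can return an error after it has already allocated the kernel; the `delete` in the fixed variant is one way to release it, not necessarily what the commit does.

```cpp
#include <cstdio>

// Simplified stand-ins (assumptions), not TensorFlow's real types.
struct Status { bool ok_; bool ok() const { return ok_; } };
struct OpKernel {
    static int live;                 // live-instance counter to observe leaks
    OpKernel() { ++live; }
    ~OpKernel() { --live; }
};
int OpKernel::live = 0;
struct NodeItem { OpKernel* kernel = nullptr; };

// Hypothetical factory: allocates the kernel, then rejects the node, so the
// caller receives a non-OK status together with a live allocation.
Status create_kernel(bool node_valid, OpKernel** out) {
    *out = new OpKernel();
    return Status{node_valid};
}

// Pattern from the advisory: the raw pointer is overwritten, the object lost.
Status initialize_leaky(NodeItem* item, bool node_valid) {
    Status s = create_kernel(node_valid, &item->kernel);
    if (!s.ok()) item->kernel = nullptr;   // nothing owns the allocation now
    return s;
}

// Hardened variant: release the allocation before clearing the pointer.
Status initialize_fixed(NodeItem* item, bool node_valid) {
    Status s = create_kernel(node_valid, &item->kernel);
    if (!s.ok()) {
        delete item->kernel;
        item->kernel = nullptr;
    }
    return s;
}

// Number of kernels still allocated after `rounds` initialisations of
// invalid nodes: the memory cost of each failed node.
int leaked_after(Status (*init)(NodeItem*, bool), int rounds) {
    int before = OpKernel::live;
    for (int i = 0; i < rounds; ++i) { NodeItem item; init(&item, false); }
    return OpKernel::live - before;
}

int main() {
    std::printf("leaky: %d\n", leaked_after(initialize_leaky, 1000));
    std::printf("fixed: %d\n", leaked_after(initialize_fixed, 1000));
}
```

Holding the kernel in an owning smart pointer instead of a raw `OpKernel*` would make the error path release it automatically.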

Patches

We have patched the issue in GitHub commit c79ccba517dbb1a0ccb9b01ee3bd2a63748b60dd. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Packages

| Name | Ecosystem | Affected versions | Fixed version |
|---|---|---|---|
| tensorflow | pip | < 2.5.3 | 2.5.3 |
| tensorflow | pip | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow | pip | = 2.7.0 | 2.7.1 |
| tensorflow-cpu | pip | < 2.5.3 | 2.5.3 |
| tensorflow-cpu | pip | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-cpu | pip | = 2.7.0 | 2.7.1 |
| tensorflow-gpu | pip | < 2.5.3 | 2.5.3 |
| tensorflow-gpu | pip | >= 2.6.0, < 2.6.3 | 2.6.3 |
| tensorflow-gpu | pip | = 2.7.0 | 2.7.1 |

EPSS

Percentile: 42%
0.002
Low

5.3 Medium

CVSS4

4.3 Medium

CVSS3

Weaknesses

CWE-401

Related vulnerabilities

CVSS3: 4.3
nvd
about 4 years ago

Tensorflow is an Open Source Machine Learning Framework. If a graph node is invalid, TensorFlow can leak memory in the implementation of `ImmutableExecutorState::Initialize`. Here, we set `item->kernel` to `nullptr` but it is a simple `OpKernel*` pointer so the memory that was previously allocated to it would leak. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

CVSS3: 4.3
debian
about 4 years ago

Tensorflow is an Open Source Machine Learning Framework. If a graph no ...
