Описание
Heap buffer overflow in Conv3DBackprop*
Impact
Missing validation between arguments to tf.raw_ops.Conv3DBackprop* operations can result in heap buffer overflows:
This is because the implementation assumes that the input, filter_sizes and out_backprop tensors have the same shape, as they are accessed in parallel.
Patches
We have patched the issue in GitHub commit 8f37b52e1320d8d72a9529b2468277791a261197.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our securityguide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
Ссылки
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-wcv5-qrj6-9pfm
- https://nvd.nist.gov/vuln/detail/CVE-2021-29520
- https://github.com/tensorflow/tensorflow/commit/8f37b52e1320d8d72a9529b2468277791a261197
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-448.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-646.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-157.yaml
Пакеты
tensorflow
< 2.1.4
2.1.4
tensorflow
>= 2.2.0, < 2.2.3
2.2.3
tensorflow
>= 2.3.0, < 2.3.3
2.3.3
tensorflow
>= 2.4.0, < 2.4.2
2.4.2
tensorflow-cpu
< 2.1.4
2.1.4
tensorflow-cpu
>= 2.2.0, < 2.2.3
2.2.3
tensorflow-cpu
>= 2.3.0, < 2.3.3
2.3.3
tensorflow-cpu
>= 2.4.0, < 2.4.2
2.4.2
tensorflow-gpu
< 2.1.4
2.1.4
tensorflow-gpu
>= 2.2.0, < 2.2.3
2.2.3
tensorflow-gpu
>= 2.3.0, < 2.3.3
2.3.3
tensorflow-gpu
>= 2.4.0, < 2.4.2
2.4.2
Связанные уязвимости
TensorFlow is an end-to-end open source platform for machine learning. Missing validation between arguments to `tf.raw_ops.Conv3DBackprop*` operations can result in heap buffer overflows. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/4814fafb0ca6b5ab58a09411523b2193fed23fed/tensorflow/core/kernels/conv_grad_shape_utils.cc#L94-L153) assumes that the `input`, `filter_sizes` and `out_backprop` tensors have the same shape, as they are accessed in parallel. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
TensorFlow is an end-to-end open source platform for machine learning. ...