CVE-2020-15193: Use of Uninitialized Resource
(updated )
In Tensorflow, the implementation of dlpack.to_dlpack
can be made to use uninitialized memory resulting in further memory corruption. This is because the pybind11 glue code assumes that the argument is a tensor. However, there is nothing stopping users from passing in a Python object instead of a tensor. The uninitialized memory address is due to a reinterpret_cast
Since the PyObject
is a Python object, not a TensorFlow Tensor, the cast to EagerTensor
fails.
References
Detect and mitigate CVE-2020-15193 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →