CVE-2021-29585: Division by zero in padding computation in TFLite
(updated )
The TFLite computation for size of output after padding, ComputeOutSize
, does not check that the stride
argument is not 0 before doing the division.
inline int ComputeOutSize(TfLitePadding padding, int image_size,
int filter_size, int stride, int dilation_rate = 1) {
int effective_filter_size = (filter_size - 1) * dilation_rate + 1;
switch (padding) {
case kTfLitePaddingSame:
return (image_size + stride - 1) / stride;
case kTfLitePaddingValid:
return (image_size + stride - effective_filter_size) / stride;
default:
return 0;
}
}
Users can craft special models such that ComputeOutSize
is called with stride
set to 0.
References
- github.com/advisories/GHSA-mv78-g7wq-mhp4
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/0c9692ae7b1671c983569e5d3de5565843d500cf/tensorflow/lite/kernels/padding.h
- github.com/tensorflow/tensorflow/commit/49847ae69a4e1a97ae7f2db5e217c77721e37948
- github.com/tensorflow/tensorflow/security/advisories/GHSA-mv78-g7wq-mhp4
- nvd.nist.gov/vuln/detail/CVE-2021-29585
Detect and mitigate CVE-2021-29585 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →