CVE-2020-15202: Integer truncation in Shard API usage
(updated )
The Shard
API in TensorFlow expects the last argument to be a function taking two int64
(i.e., long long
) arguments
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/util/work_sharder.h#L59-L60 However, there are several places in TensorFlow where a lambda taking int
or int32
arguments is being used
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L204-L205 https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/random_op.cc#L317-L318
In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption.
References
- github.com/advisories/GHSA-h6fg-mjxg-hqq4
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-282.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-317.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-125.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/27b417360cbd671ef55915e4bb6bb06af8b8a832
- github.com/tensorflow/tensorflow/commit/ca8c013b5e97b1373b3bb1c97ea655e69f31a575
- github.com/tensorflow/tensorflow/releases/tag/v2.3.1
- github.com/tensorflow/tensorflow/security/advisories/GHSA-h6fg-mjxg-hqq4
- nvd.nist.gov/vuln/detail/CVE-2020-15202
Detect and mitigate CVE-2020-15202 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →