CVE-2021-29605: Integer overflow in TFLite memory allocation
The TFLite code for allocating TfLiteIntArray structures is vulnerable to an integer overflow issue:
```c
int TfLiteIntArrayGetSizeInBytes(int size) {
  static TfLiteIntArray dummy;
  return sizeof(dummy) + sizeof(dummy.data[0]) * size;
}
```
An attacker can craft a model such that the size multiplier is so large that the return value overflows the int datatype and becomes negative. In turn, this results in an invalid value being given to malloc:
```c
TfLiteIntArray* TfLiteIntArrayCreate(int size) {
  TfLiteIntArray* ret = (TfLiteIntArray*)malloc(TfLiteIntArrayGetSizeInBytes(size));
  ret->size = size;
  return ret;
}
```
In this case, the assignment to ret->size would dereference an invalid pointer, since malloc is handed a bogus size and its result is never checked.
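A hardened version of the size computation, as an added example that is not TFLite's own code nor the code from the fix commit: it rejects negative sizes and any byte count that would not fit the int the original API returns, and the create function checks the malloc result instead of writing through it blindly. The vulnerable arithmetic is kept beside it for comparison; the minimal struct stand-in and the "0 bytes means failure" convention are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-in for TfLiteIntArray (assumed): size followed by a flexible array. */
typedef struct {
  int size;
  int data[];
} TfLiteIntArray;

/* Same arithmetic as the advisory's vulnerable function: the size_t result is
   squeezed back into an int, so a large model-supplied size comes back negative. */
int vulnerable_size_in_bytes(int size) {
  static TfLiteIntArray dummy;
  return (int)(sizeof(dummy) + sizeof(dummy.data[0]) * size);
}

/* Hardened computation. Returns 0 (never a valid size here) when the input is
   negative, when the multiplication would wrap size_t, or when the byte count
   would not fit the int that the original API returns. */
size_t safe_size_in_bytes(int size) {
  static TfLiteIntArray dummy;
  if (size < 0) return 0;
  size_t elem = sizeof(dummy.data[0]);
  size_t n = (size_t)size;
  if (n > (SIZE_MAX - sizeof(dummy)) / elem) return 0;  /* size_t would wrap */
  size_t bytes = sizeof(dummy) + elem * n;
  if (bytes > (size_t)INT_MAX) return 0;                 /* would overflow int */
  return bytes;
}

/* Allocation that refuses bad sizes and checks malloc before touching ret->size. */
TfLiteIntArray *safe_create(int size) {
  size_t bytes = safe_size_in_bytes(size);
  if (bytes == 0) return NULL;
  TfLiteIntArray *ret = (TfLiteIntArray *)malloc(bytes);
  if (ret == NULL) return NULL;
  ret->size = size;
  return ret;
}
```

With size = 0x30000000 the vulnerable function yields 0xC0000004 truncated to a negative int, which malloc then receives as an enormous size_t; the hardened path returns 0 and safe_create returns NULL instead.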
References
- github.com/advisories/GHSA-jf7h-7m85-w2v2
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-533.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-731.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-242.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c
- github.com/tensorflow/tensorflow/commit/7c8cc4ec69cd348e44ad6a2699057ca88faad3e5
- github.com/tensorflow/tensorflow/security/advisories/GHSA-jf7h-7m85-w2v2
- nvd.nist.gov/vuln/detail/CVE-2021-29605