CVE-2021-29605: Integer overflow in TFLite memory allocation
(updated )
The TFLite code for allocating TFLiteIntArrays is vulnerable to an integer overflow issue:
int TfLiteIntArrayGetSizeInBytes(int size) {
static TfLiteIntArray dummy;
return sizeof(dummy) + sizeof(dummy.data[0]) * size;
}
An attacker can craft a model such that the size multiplier is so large that the return value overflows the int datatype and becomes negative. In turn, this results in invalid value being given to malloc:
TfLiteIntArray* TfLiteIntArrayCreate(int size) {
TfLiteIntArray* ret = (TfLiteIntArray*)malloc(TfLiteIntArrayGetSizeInBytes(size));
ret->size = size;
return ret;
}
In this case, ret->size would dereference an invalid pointer.
References
- github.com/advisories/GHSA-jf7h-7m85-w2v2
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-533.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-731.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-242.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/4ceffae632721e52bf3501b736e4fe9d1221cdfa/tensorflow/lite/c/common.c
- github.com/tensorflow/tensorflow/commit/7c8cc4ec69cd348e44ad6a2699057ca88faad3e5
- github.com/tensorflow/tensorflow/security/advisories/GHSA-jf7h-7m85-w2v2
- nvd.nist.gov/vuln/detail/CVE-2021-29605
Detect and mitigate CVE-2021-29605 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →