CVE-2021-41217: Null pointer exception when `Exit` node is not preceded by `Enter` op
(updated )
The process of building the control flow graph for a TensorFlow model is vulnerable to a null pointer exception when nodes that should be paired are not:
import tensorflow as tf
@tf.function
def func():
return tf.raw_ops.Exit(data=[False,False])
func()
This occurs because the code assumes that the first node in the pairing (e.g., an Enter
node) always exists when encountering the second node (e.g., an Exit
node):
...
} else if (IsExit(curr_node)) {
// Exit to the parent frame.
parent = parent_nodes[curr_id];
frame_name = cf_info->frame_names[parent->id()];
...
When this is not the case, parent
is nullptr
so dereferencing it causes a crash.
References
- github.com/advisories/GHSA-5crj-c72x-m7gq
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-626.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-824.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-409.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/05cbebd3c6bb8f517a158b0155debb8df79017ff
- github.com/tensorflow/tensorflow/security/advisories/GHSA-5crj-c72x-m7gq
- nvd.nist.gov/vuln/detail/CVE-2021-41217
Detect and mitigate CVE-2021-41217 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →