CVE-2022-23595: Null pointer dereference in TensorFlow
(updated )
When building an XLA compilation cache, if default settings are used, TensorFlow triggers a null pointer dereference:
string allowed_gpus =
flr->config_proto()->gpu_options().visible_device_list();
In the default scenario, all devices are allowed, so flr->config_proto
is nullptr
.
References
- github.com/advisories/GHSA-fpcp-9h7m-ffpx
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-103.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-158.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/jit/xla_platform_info.cc
- github.com/tensorflow/tensorflow/commit/e21af685e1828f7ca65038307df5cc06de4479e8
- github.com/tensorflow/tensorflow/security/advisories/GHSA-fpcp-9h7m-ffpx
- nvd.nist.gov/vuln/detail/CVE-2022-23595
Detect and mitigate CVE-2022-23595 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →