CVE-2020-15265: Out-of-bounds Read
In TensorFlow, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. The kernel looks the dimension up with `dim_size`, which only does a `DCHECK` to validate the argument and then uses it to index the corresponding element of an array. Since `DCHECK`-like macros are no-ops in normal (non-debug) builds, the check never runs, and the result is an out-of-bounds read of the array, which can crash the process (segfault).
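The following is an added example, not TensorFlow's own code, that models the bug class behind this CVE: a bounds check that exists only as a `DCHECK` and therefore disappears in release builds, beside the explicit validation that closes the hole. `FakeTensorShape` is a constructed stand-in for the C++ `TensorShape`, the sample shapes are made up, and `validate_axis` encodes the documented contract of the `axis` argument (`-1` for per-tensor quantization, otherwise a valid dimension index); it is modelled on the idea of the fix, not copied from the upstream patch. It runs without TensorFlow installed.

```python
# Added example, not TensorFlow's own code. Models the CVE-2020-15265 bug
# class (a DCHECK-only bounds check that vanishes in release builds) and the
# explicit validation that closes it. FakeTensorShape and the sample shapes
# are constructed for illustration.


class FakeTensorShape:
    """Stand-in for the C++ TensorShape the kernel indexes into."""

    def __init__(self, dims):
        self._dims = list(dims)

    def dims(self):
        """Rank of the tensor (number of dimensions)."""
        return len(self._dims)

    def dim_size(self, d, debug_build=False):
        """Return the size of dimension d.

        debug_build=True models a build where DCHECK is active: the check
        fires and stops execution. debug_build=False models a release build,
        where DCHECK expands to nothing and the index is used as-is.
        """
        if debug_build:
            # DCHECK analogue: present only in debug builds.
            if not 0 <= d < len(self._dims):
                raise AssertionError(f"DCHECK failed: d={d} out of range")
        # In C++ this is a raw array access, so an out-of-range d reads past
        # the buffer. Python raises IndexError instead, which probe() below
        # reports as the "oob" outcome. Python also wraps negative indexes,
        # which C++ does not, so the guard must reject negatives explicitly.
        return self._dims[d]


def kernel_vulnerable(shape, axis, debug_build=False):
    """Pre-fix kernel logic: trusts the user-supplied axis.

    axis == -1 means per-tensor quantization (no per-axis lookup); any
    other value is used directly to look up the channel dimension.
    """
    if axis == -1:
        return 1
    return shape.dim_size(axis, debug_build)


def validate_axis(axis, rank):
    """Explicit bounds check that runs in every build (assumed contract:
    axis is -1 or a dimension index in [0, rank))."""
    if axis == -1:
        return
    if not 0 <= axis < rank:
        raise ValueError(f"axis {axis} out of range for tensor of rank {rank}")


def kernel_fixed(shape, axis, debug_build=False):
    """Hardened kernel: validate before the raw lookup."""
    validate_axis(axis, shape.dims())
    return kernel_vulnerable(shape, axis, debug_build)


def probe(kernel, shape, axis, debug_build=False):
    """Run a kernel variant and classify the outcome so both can be compared.

    Returns "ok:<n>", "rejected" (explicit validation), "dcheck"
    (debug-build assertion) or "oob" (release-build out-of-bounds access).
    """
    try:
        return f"ok:{kernel(shape, axis, debug_build)}"
    except ValueError:
        return "rejected"
    except AssertionError:
        return "dcheck"
    except IndexError:
        return "oob"


if __name__ == "__main__":
    # Constructed input: a rank-3 tensor, e.g. [batch, height, channels].
    shape = FakeTensorShape([4, 8, 3])
    for axis in (-2, -1, 2, 3, 7):
        print(f"axis={axis:2d}"
              f"  vulnerable/release={probe(kernel_vulnerable, shape, axis):>8}"
              f"  vulnerable/debug={probe(kernel_vulnerable, shape, axis, True):>8}"
              f"  fixed/release={probe(kernel_fixed, shape, axis):>8}")
```

The point the table of outcomes makes is that a `DCHECK` is a developer aid, not a security boundary: the same call that aborts cleanly in a debug build silently reads out of bounds in the build that actually ships. Until an affected deployment is upgraded, applying a check like `validate_axis` in the Python caller, before any attacker-influenced `axis` reaches the op, is a cheap mitigation; note that negative values other than `-1` must also be rejected, since the raw C++ index has no Python-style wraparound.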