CVE-2021-29566: Out-of-bounds Write
TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap-allocated arrays by passing invalid arguments to tf.raw_ops.Dilation2DBackpropInput. This is because the implementation does not validate indices before writing to the output array. The values for h_out and w_out are guaranteed to be in range for out_backprop (they are loop indices bounded by the size of that array). However, there are no similar guarantees relating h_in_max/w_in_max to the bounds of in_backprop.
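The following C++ program is an added illustration of the defect class described above and of the validation that closes it; it is not TensorFlow's kernel code. It models a single-channel dilation backprop-input loop in the same shape the advisory describes: h_out/w_out are bounded by out_backprop, the forward argmax position (h_in_max, w_in_max) starts at the padded window origin and is only updated by window taps that lie inside the input, so a window that never overlaps the input leaves a target index outside in_backprop. The hardened routine checks that target before writing. The parameter struct, the explicit-padding convention and the sample tensors are assumptions constructed for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <limits>
#include <vector>

// Hypothetical simplified parameter set (the real op is batched and
// multi-channel; shapes and padding here are assumptions for illustration).
struct DilationParams {
    int in_rows, in_cols;         // shape of the forward input == shape of in_backprop
    int filter_rows, filter_cols;
    int stride, rate;
    int pad_top, pad_left;        // explicit padding offsets
};

struct Target { int h_in_max; int w_in_max; };

// Locate the input position that produced the forward max for one output
// element. The window origin (h_beg, w_beg) is the initial candidate; reads
// of the input are bounds-checked, so if every tap is outside the input the
// candidate is never replaced and may be negative or past the end.
Target argmax_target(const std::vector<float>& input, const std::vector<float>& filter,
                     const DilationParams& p, int h_out, int w_out) {
    const int h_beg = h_out * p.stride - p.pad_top;
    const int w_beg = w_out * p.stride - p.pad_left;
    float cur_val = -std::numeric_limits<float>::infinity();
    Target t{h_beg, w_beg};
    for (int h = 0; h < p.filter_rows; ++h) {
        const int h_in = h_beg + h * p.rate;
        if (h_in < 0 || h_in >= p.in_rows) continue;   // read side is validated
        for (int w = 0; w < p.filter_cols; ++w) {
            const int w_in = w_beg + w * p.rate;
            if (w_in < 0 || w_in >= p.in_cols) continue;
            const float v = input[static_cast<size_t>(h_in) * p.in_cols + w_in]
                          + filter[static_cast<size_t>(h) * p.filter_cols + w];
            if (v > cur_val) { cur_val = v; t = {h_in, w_in}; }
        }
    }
    return t;
}

// The check the advisory says is missing: is the write target inside in_backprop?
bool target_in_bounds(const Target& t, const DilationParams& p) {
    return t.h_in_max >= 0 && t.h_in_max < p.in_rows &&
           t.w_in_max >= 0 && t.w_in_max < p.in_cols;
}

// Hardened gradient: validate the target before every write and report
// failure instead of writing outside the array.
bool backprop_input_checked(const std::vector<float>& input, const std::vector<float>& filter,
                            const std::vector<float>& out_backprop, int out_rows, int out_cols,
                            const DilationParams& p, std::vector<float>& in_backprop) {
    in_backprop.assign(static_cast<size_t>(p.in_rows) * p.in_cols, 0.0f);
    for (int h_out = 0; h_out < out_rows; ++h_out) {
        for (int w_out = 0; w_out < out_cols; ++w_out) {   // bounded by out_backprop
            const Target t = argmax_target(input, filter, p, h_out, w_out);
            if (!target_in_bounds(t, p)) return false;     // reject invalid arguments
            in_backprop[static_cast<size_t>(t.h_in_max) * p.in_cols + t.w_in_max]
                += out_backprop[static_cast<size_t>(h_out) * out_cols + w_out];
        }
    }
    return true;
}

// Constructed sample tensors: 3x3 input holding 0..8, 2x2 zero filter,
// 2x2 upstream gradient of ones.
static const std::vector<float> kInput{0, 1, 2, 3, 4, 5, 6, 7, 8};
static const std::vector<float> kFilter(4, 0.0f);
static const std::vector<float> kOutBackprop(4, 1.0f);

// Well-formed arguments: every window overlaps the input and the gradient
// lands on the argmax cells (1,1), (1,2), (2,1), (2,2).
bool demo_valid_call() {
    DilationParams p{3, 3, 2, 2, 1, 1, 0, 0};
    std::vector<float> grad;
    return backprop_input_checked(kInput, kFilter, kOutBackprop, 2, 2, p, grad)
        && grad[4] == 1.0f && grad[5] == 1.0f && grad[7] == 1.0f && grad[8] == 1.0f
        && grad[0] == 0.0f;
}

// Padding so large that the first window never touches the input: the
// argmax target stays at h_beg = -5, exactly the index an unchecked
// implementation would write through. The hardened routine refuses.
bool demo_rejected_call() {
    DilationParams p{3, 3, 2, 2, 1, 1, 5, 0};
    const Target t = argmax_target(kInput, kFilter, p, 0, 0);
    std::vector<float> grad;
    return t.h_in_max == -5 && !target_in_bounds(t, p)
        && !backprop_input_checked(kInput, kFilter, kOutBackprop, 2, 2, p, grad);
}

int main() {
    std::cout << "valid call accepted:   " << std::boolalpha << demo_valid_call() << '\n';
    std::cout << "bad padding rejected:  " << std::boolalpha << demo_rejected_call() << '\n';
    return 0;
}
```

The key point is that bounds-checking the reads inside the window is not enough: the index that survives the window loop is the one used for the write, so it needs its own check against in_backprop's dimensions before the accumulate.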