CVE-2021-29589: Division by zero in TFLite's implementation of `GatherNd`
(updated )
The reference implementation of the GatherNd TFLite operator is vulnerable to a division by zero error:
ret.dims_to_count[i] = remain_flat_size / params_shape.Dims(i);
An attacker can craft a model such that params input would be an empty tensor. In turn, params_shape.Dims(.) would be zero, in at least one dimension.
References
- github.com/advisories/GHSA-3w67-q784-6w7c
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-517.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-715.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-226.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/reference_ops.h
- github.com/tensorflow/tensorflow/commit/8e45822aa0b9f5df4b4c64f221e64dc930a70a9d
- github.com/tensorflow/tensorflow/security/advisories/GHSA-3w67-q784-6w7c
- nvd.nist.gov/vuln/detail/CVE-2021-29589
Detect and mitigate CVE-2021-29589 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →