CVE-2021-29591: Stack overflow due to looping TFLite subgraph
TFLite graphs must not contain loops between nodes. However, this condition was not checked, so an attacker could craft a model that results in an infinite loop during evaluation. In some cases the infinite loop instead manifests as a stack overflow caused by too many recursive calls.
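As an added example that is not part of this advisory or of the TensorFlow code base, the following stand-alone check enforces the structural condition the advisory says was missing: the subgraph-invocation graph of a model (built from each control-flow operator's referenced subgraph indices) must be acyclic. The input model layout here is a constructed summary, not the TFLite flatbuffer schema; extracting the indices from a real model is assumed to happen elsewhere.

```python
from collections import defaultdict

# Constructed model summaries (not real TFLite models). Each subgraph is a list
# of ops; a control-flow op lists the subgraph indices it can invoke, e.g. the
# cond/body subgraphs of a WHILE op.
BENIGN_MODEL = {"subgraphs": [[{"op": "WHILE", "subgraphs": [1, 2]}], [], []]}
SELF_LOOP_MODEL = {"subgraphs": [[{"op": "WHILE", "subgraphs": [1, 0]}], []]}
INDIRECT_LOOP_MODEL = {"subgraphs": [
    [{"op": "WHILE", "subgraphs": [1, 2]}],   # subgraph 0 -> 1, 2
    [],                                       # subgraph 1 is a leaf
    [{"op": "WHILE", "subgraphs": [1, 0]}],   # subgraph 2 -> 1, 0 (loops back)
]}


def subgraph_references(model):
    """Map each subgraph index to the set of subgraph indices it may invoke."""
    count = len(model["subgraphs"])
    refs = defaultdict(set)
    for idx, ops in enumerate(model["subgraphs"]):
        refs[idx]  # register leaf subgraphs too
        for op in ops:
            for target in op.get("subgraphs", ()):
                if not 0 <= target < count:
                    raise ValueError(f"subgraph {idx} references invalid subgraph {target}")
                refs[idx].add(target)
    return refs


def find_subgraph_cycle(model):
    """Return a cycle as a list of subgraph indices, or None if acyclic.

    A self-referencing WHILE (body == own subgraph) is reported as [i, i].
    Recursion depth here is bounded by the number of subgraphs, not by the
    attacker-controlled evaluation path, so the check itself cannot be
    driven into a stack overflow.
    """
    refs = subgraph_references(model)
    WHITE, GREY, BLACK = 0, 1, 2
    color = {i: WHITE for i in refs}
    path = []

    def dfs(node):
        color[node] = GREY
        path.append(node)
        for nxt in sorted(refs[node]):
            if color[nxt] == GREY:            # back edge: nxt is on the current path
                return path[path.index(nxt):] + [nxt]
            if color[nxt] == WHITE:
                cycle = dfs(nxt)
                if cycle:
                    return cycle
        path.pop()
        color[node] = BLACK
        return None

    for start in sorted(color):
        if color[start] == WHITE:
            cycle = dfs(start)
            if cycle:
                return cycle
    return None
```

A loader can run this check over a model's subgraph references before handing it to the interpreter and reject any model for which a cycle is reported.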
References
- github.com/advisories/GHSA-cwv3-863g-39vx
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-519.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-717.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-228.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/106d8f4fb89335a2c52d7c895b7a7485465ca8d9/tensorflow/lite/kernels/while.cc
- github.com/tensorflow/tensorflow/commit/9c1dc920d8ffb4893d6c9d27d1f039607b326743
- github.com/tensorflow/tensorflow/commit/c6173f5fe66cdbab74f4f869311fe6aae2ba35f4
- github.com/tensorflow/tensorflow/security/advisories/GHSA-cwv3-863g-39vx
- nvd.nist.gov/vuln/detail/CVE-2021-29591