CVE-2021-29609: Out-of-bounds Write
(updated )
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseAdd
results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of *_indices
matches the size of corresponding *_shape
. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation.
References
Detect and mitigate CVE-2021-29609 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →