CVE-2021-37679: Heap OOB in nested `tf.map_fn` with `RaggedTensor`s
It is possible to nest a `tf.map_fn` call within another `tf.map_fn` call. However, if the input tensor is a `RaggedTensor` and no `fn_output_signature` is provided, the code assumes the output is a fully specified (dense) tensor and fills the output buffer with uninitialized contents from the heap:
```python
import tensorflow as tf

x = tf.ragged.constant([[1,2,3], [4,5], [6]])
# nested map_fn over a RaggedTensor, with no fn_output_signature given
t = tf.map_fn(lambda r: tf.map_fn(lambda y: r, r), x)
# the value t should hold
z = tf.ragged.constant([[[1,2,3],[1,2,3],[1,2,3]],[[4,5],[4,5]],[[6]]])
```
The outputs `t` and `z` should be identical, but they are not: the last row of `t` contains data read from the heap, which can be used to leak other memory contents. The fix is commit 4e2565483d0ffcadc719bd44893fb7f609bb5f12 (listed in the references), included in TensorFlow 2.6.0 and cherry-picked into 2.5.1, 2.4.3 and 2.3.4.
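The following is an added example, not code from the advisory or from the TensorFlow project. It turns the reproducer above into a check (does the nested `map_fn` result structurally equal `z`?), shows the mitigation the advisory implies (telling the outer `map_fn` what each row produces via `fn_output_signature`, so the output is sized from real row lengths instead of an assumed dense shape), and adds an affected-version check for the `tensorflow`, `tensorflow-cpu` and `tensorflow-gpu` packages using the fixed releases named above. `tensorflow` is imported lazily inside `reproduce()` so the version check runs without it installed; the assumption that a patched build rejects the unsigned call with an error (rather than returning stale memory) is mine, not stated on this page.

```python
"""Checks for CVE-2021-37679: nested tf.map_fn over a RaggedTensor.

Added example; not the advisory's or TensorFlow's own code.
"""


def parse_version(version):
    """Numeric (major, minor, patch) prefix of a version string, e.g. '2.5.0rc1' -> (2, 5, 0).

    Pre-release suffixes are dropped, so '2.6.0rc0' is treated like 2.6.0 (a conservative
    caller should treat pre-releases of a fixed version as unfixed)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True when this TensorFlow release lacks the fix.

    Fixed in 2.6.0; backported to 2.5.1, 2.4.3 and 2.3.4, so the affected ranges are
    <2.3.4, >=2.4.0,<2.4.3 and >=2.5.0,<2.5.1."""
    v = parse_version(version)
    if v < (2, 4, 0):
        return v < (2, 3, 4)
    if v < (2, 5, 0):
        return v < (2, 4, 3)
    if v < (2, 6, 0):
        return v < (2, 5, 1)
    return False


def nested_map_fn(tf, x, with_signature):
    """The advisory's nested map_fn. With with_signature=True the outer call is told that
    every row yields a 2-D ragged value (ragged_rank=1), so the result is assembled from
    the real per-row lengths rather than an assumed dense shape."""
    if not with_signature:
        return tf.map_fn(lambda r: tf.map_fn(lambda y: r, r), x)
    spec = tf.RaggedTensorSpec(shape=[None, None], dtype=x.dtype, ragged_rank=1)
    return tf.map_fn(
        lambda r: tf.RaggedTensor.from_tensor(tf.map_fn(lambda y: r, r)),
        x,
        fn_output_signature=spec,
    )


def ragged_equal(tf, a, b):
    """Structural equality of two RaggedTensors: same partitions, same flat values."""
    if a.ragged_rank != b.ragged_rank:
        return False
    for sa, sb in zip(a.nested_row_splits, b.nested_row_splits):
        if sa.shape != sb.shape or not bool(tf.reduce_all(tf.equal(sa, sb))):
            return False
    if a.flat_values.shape != b.flat_values.shape:
        return False
    return bool(tf.reduce_all(tf.equal(a.flat_values, b.flat_values)))


def reproduce():
    """Run the advisory's reproducer with and without fn_output_signature."""
    import tensorflow as tf  # imported here so the version check above needs no TF

    x = tf.ragged.constant([[1, 2, 3], [4, 5], [6]])
    z = tf.ragged.constant([[[1, 2, 3], [1, 2, 3], [1, 2, 3]], [[4, 5], [4, 5]], [[6]]])
    print(f"tensorflow {tf.__version__}: in affected range = {is_affected(tf.__version__)}")
    try:
        t = nested_map_fn(tf, x, with_signature=False)
        print("unsigned call equals expected output:", ragged_equal(tf, t, z))
        print(t)
    except (tf.errors.OpError, ValueError) as err:
        # assumption: a patched build rejects the shape mismatch instead of reading the heap
        print("unsigned call rejected:", type(err).__name__)
    t2 = nested_map_fn(tf, x, with_signature=True)
    print("signed call equals expected output:", ragged_equal(tf, t2, z))


if __name__ == "__main__":
    reproduce()
```

`is_affected` mirrors the ranges a dependency scanner matches against the package version; the structural comparison in `ragged_equal` guards on shape before calling `tf.equal`, because on an affected build the leaked row makes `t` and `z` non-broadcastable and a bare `tf.equal` would error instead of reporting the mismatch.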
References
- https://github.com/advisories/GHSA-g8wg-cjwc-xhhp
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-592.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-790.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-301.yaml
- https://github.com/tensorflow/tensorflow
- https://github.com/tensorflow/tensorflow/commit/4e2565483d0ffcadc719bd44893fb7f609bb5f12
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-g8wg-cjwc-xhhp
- https://nvd.nist.gov/vuln/detail/CVE-2021-37679