CVE-2022-23578: Memory leak in Tensorflow
(updated )
If a graph node is invalid, TensorFlow can leak memory in the implementation of ImmutableExecutorState::Initialize:
Status s = params_.create_kernel(n->properties(), &item->kernel);
if (!s.ok()) {
item->kernel = nullptr;
s = AttachDef(s, *n);
return s;
}
Here, we set item->kernel to nullptr but it is a simple OpKernel* pointer so the memory that was previously allocated to it would leak.
References
- github.com/advisories/GHSA-8r7c-3cm2-3h8f
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-87.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-142.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/common_runtime/immutable_executor_state.cc
- github.com/tensorflow/tensorflow/commit/c79ccba517dbb1a0ccb9b01ee3bd2a63748b60dd
- github.com/tensorflow/tensorflow/security/advisories/GHSA-8r7c-3cm2-3h8f
- nvd.nist.gov/vuln/detail/CVE-2022-23578
Detect and mitigate CVE-2022-23578 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →