Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ajNtLThnM2MtOXFxcc4AAu2N
TensorFlow vulnerable to null-dereference in `mlir::tfg::TFOp::nameAttr`
Impact
When mlir::tfg::TFOp::nameAttr receives null type list attributes, it crashes.
StatusOr<unsigned> GraphDefImporter::ArgNumType(const NamedAttrList &attrs,
const OpDef::ArgDef &arg_def,
SmallVectorImpl<Type> &types) {
// Check whether a type list attribute is specified.
if (!arg_def.type_list_attr().empty()) {
if (auto v = attrs.get(arg_def.type_list_attr()).dyn_cast<ArrayAttr>()) {
for (Attribute attr : v) {
if (auto dtype = attr.dyn_cast<TypeAttr>()) {
types.push_back(UnrankedTensorType::get(dtype.getValue()));
} else {
return InvalidArgument("Expected '", arg_def.type_list_attr(),
"' to be a list of types");
}
}
return v.size();
}
return NotFound("Type attr not found: ", arg_def.type_list_attr());
}
unsigned num = 1;
// Check whether a number attribute is specified.
if (!arg_def.number_attr().empty()) {
if (auto v = attrs.get(arg_def.number_attr()).dyn_cast<IntegerAttr>()) {
num = v.getValue().getZExtValue();
} else {
return NotFound("Type attr not found: ", arg_def.number_attr());
}
}
// Check for a type or type attribute.
Type dtype;
if (arg_def.type() != DataType::DT_INVALID) {
TF_RETURN_IF_ERROR(ConvertDataType(arg_def.type(), b_, &dtype));
} else if (arg_def.type_attr().empty()) {
return InvalidArgument("Arg '", arg_def.name(),
"' has invalid type and no type attribute");
} else {
if (auto v = attrs.get(arg_def.type_attr()).dyn_cast<TypeAttr>()) {
dtype = v.getValue();
} else {
return NotFound("Type attr not found: ", arg_def.type_attr());
}
}
types.append(num, UnrankedTensorType::get(dtype));
return num;
}
Patches
We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5.
The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Permalink: https://github.com/advisories/GHSA-7j3m-8g3c-9qqqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ajNtLThnM2MtOXFxcc4AAu2N
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 10 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-7j3m-8g3c-9qqq, CVE-2022-36014
References:
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-7j3m-8g3c-9qqq
- https://github.com/tensorflow/tensorflow/commit/3a754740d5414e362512ee981eefba41561a63a6
- https://github.com/tensorflow/tensorflow/commit/a0f0b9a21c9270930457095092f558fbad4c03e5
- https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0
- https://nvd.nist.gov/vuln/detail/CVE-2022-36014
- https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/graphdef_import.cc
- https://github.com/advisories/GHSA-7j3m-8g3c-9qqq
Affected Packages
pypi:tensorflow-gpu
Versions: >= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2Fixed in: 2.9.1, 2.8.1, 2.7.2
pypi:tensorflow-cpu
Versions: >= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2Fixed in: 2.9.1, 2.8.1, 2.7.2
pypi:tensorflow
Versions: >= 2.9.0, < 2.9.1, >= 2.8.0, < 2.8.1, < 2.7.2Fixed in: 2.9.1, 2.8.1, 2.7.2