Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjcHgtNDI3eC1xMmM2
CHECK-fail in AddManySparseToTensorsMap
Impact
An attacker can trigger a denial of service via a CHECK
-fail in tf.raw_ops.AddManySparseToTensorsMap
:
import tensorflow as tf
import numpy as np
sparse_indices = tf.constant(530, shape=[1, 1], dtype=tf.int64)
sparse_values = tf.ones([1], dtype=tf.int64)
shape = tf.Variable(tf.ones([55], dtype=tf.int64))
shape[:8].assign(np.array([855, 901, 429, 892, 892, 852, 93, 96], dtype=np.int64))
tf.raw_ops.AddManySparseToTensorsMap(sparse_indices=sparse_indices,
sparse_values=sparse_values,
sparse_shape=shape)
This is because the implementation takes the values specified in sparse_shape
as dimensions for the output shape:
TensorShape tensor_input_shape(input_shape->vec<int64>());
The TensorShape
constructor uses a CHECK
operation which triggers when InitDims
returns a non-OK status.
template <class Shape>
TensorShapeBase<Shape>::TensorShapeBase(gtl::ArraySlice<int64> dim_sizes) {
set_tag(REP16);
set_data_type(DT_INVALID);
TF_CHECK_OK(InitDims(dim_sizes));
}
In our scenario, this occurs when adding a dimension from the argument results in overflow:
template <class Shape>
Status TensorShapeBase<Shape>::InitDims(gtl::ArraySlice<int64> dim_sizes) {
...
Status status = Status::OK();
for (int64 s : dim_sizes) {
status.Update(AddDimWithStatus(internal::SubtleMustCopy(s)));
if (!status.ok()) {
return status;
}
}
}
template <class Shape>
Status TensorShapeBase<Shape>::AddDimWithStatus(int64 size) {
...
int64 new_num_elements;
if (kIsPartial && (num_elements() < 0 || size < 0)) {
new_num_elements = -1;
} else {
new_num_elements = MultiplyWithoutOverflow(num_elements(), size);
if (TF_PREDICT_FALSE(new_num_elements < 0)) {
return errors::Internal("Encountered overflow when multiplying ",
num_elements(), " with ", size,
", result: ", new_num_elements);
}
}
...
}
This is a legacy implementation of the constructor and operations should use BuildTensorShapeBase
or AddDimWithStatus
to prevent CHECK
-failures in the presence of overflows.
Patches
We have patched the issue in GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
Permalink: https://github.com/advisories/GHSA-2cpx-427x-q2c6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjcHgtNDI3eC1xMmM2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: 13 days ago
CVSS Score: 2.5
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-2cpx-427x-q2c6, CVE-2021-29523
References:
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2cpx-427x-q2c6
- https://nvd.nist.gov/vuln/detail/CVE-2021-29523
- https://github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-451.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-649.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-160.yaml
- https://github.com/advisories/GHSA-2cpx-427x-q2c6
Blast Radius: 12.2
Affected Packages
pypi:tensorflow-gpu
Dependent packages: 155Dependent repositories: 11,499
Downloads: 430,308 last month
Affected Version Ranges: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4
Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4
All affected versions: 0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1
All unaffected versions: 2.1.4, 2.2.3, 2.3.3, 2.3.4, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.12.0
pypi:tensorflow-cpu
Dependent packages: 88Dependent repositories: 2,483
Downloads: 948,316 last month
Affected Version Ranges: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4
Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4
All affected versions: 1.15.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1
All unaffected versions: 2.1.4, 2.2.3, 2.3.3, 2.3.4, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.18.0
pypi:tensorflow
Dependent packages: 2,172Dependent repositories: 73,755
Downloads: 18,843,694 last month
Affected Version Ranges: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4
Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4
All affected versions: 0.12.0, 0.12.1, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.12.2, 1.12.3, 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1
All unaffected versions: 2.1.4, 2.2.3, 2.3.3, 2.3.4, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.16.1, 2.16.2, 2.17.0, 2.17.1, 2.18.0