Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhjNmMtNzVwNC1obXE0
Reference binding to null pointer in `MatrixDiag*` ops
Impact
The implementation of MatrixDiag* operations does not validate that the tensor arguments are non-empty:
num_rows = context->input(2).flat<int32>()(0);
num_cols = context->input(3).flat<int32>()(0);
padding_value = context->input(4).flat<T>()(0);
Thus, users can trigger null pointer dereferences if any of the above tensors are null:
import tensorflow as tf
d = tf.convert_to_tensor([],dtype=tf.float32)
p = tf.convert_to_tensor([],dtype=tf.float32)
tf.raw_ops.MatrixDiagV2(diagonal=d, k=0, num_rows=0, num_cols=0, padding_value=p)
Changing from tf.raw_ops.MatrixDiagV2 to tf.raw_ops.MatrixDiagV3 still reproduces the issue.
Patches
We have patched the issue in GitHub commit a7116dd3913c4a4afd2a3a938573aa7c785fdfc6.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ye Zhang and Yakun Zhang of Baidu X-Team.
Permalink: https://github.com/advisories/GHSA-hc6c-75p4-hmq4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhjNmMtNzVwNC1obXE0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: 10 months ago
CVSS Score: 2.5
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-hc6c-75p4-hmq4, CVE-2021-29515
References:
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-hc6c-75p4-hmq4
- https://nvd.nist.gov/vuln/detail/CVE-2021-29515
- https://github.com/tensorflow/tensorflow/commit/a7116dd3913c4a4afd2a3a938573aa7c785fdfc6
- https://github.com/advisories/GHSA-hc6c-75p4-hmq4
Affected Packages
pypi:tensorflow-gpu
Versions: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4
pypi:tensorflow-cpu
Versions: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4
pypi:tensorflow
Versions: >= 2.4.0, < 2.4.2, >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.3, < 2.1.4Fixed in: 2.4.2, 2.3.3, 2.2.3, 2.1.4