GHSA-2cpx-427x-q2c6
Vulnerability from github
Published
2021-05-21 14:21
Modified
2024-10-30 23:14
Summary
CHECK-fail in AddManySparseToTensorsMap
Details

Impact

An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.AddManySparseToTensorsMap:

```python import tensorflow as tf import numpy as np

sparse_indices = tf.constant(530, shape=[1, 1], dtype=tf.int64) sparse_values = tf.ones([1], dtype=tf.int64)

shape = tf.Variable(tf.ones([55], dtype=tf.int64)) shape[:8].assign(np.array([855, 901, 429, 892, 892, 852, 93, 96], dtype=np.int64))

tf.raw_ops.AddManySparseToTensorsMap(sparse_indices=sparse_indices, sparse_values=sparse_values, sparse_shape=shape) ```

This is because the implementation takes the values specified in sparse_shape as dimensions for the output shape:

cc TensorShape tensor_input_shape(input_shape->vec<int64>());

The TensorShape constructor uses a CHECK operation which triggers when InitDims returns a non-OK status.

cc template <class Shape> TensorShapeBase<Shape>::TensorShapeBase(gtl::ArraySlice<int64> dim_sizes) { set_tag(REP16); set_data_type(DT_INVALID); TF_CHECK_OK(InitDims(dim_sizes)); }

In our scenario, this occurs when adding a dimension from the argument results in overflow:

```cc template Status TensorShapeBase::InitDims(gtl::ArraySlice dim_sizes) { ... Status status = Status::OK(); for (int64 s : dim_sizes) { status.Update(AddDimWithStatus(internal::SubtleMustCopy(s))); if (!status.ok()) { return status; } } }

template Status TensorShapeBase::AddDimWithStatus(int64 size) { ... int64 new_num_elements; if (kIsPartial && (num_elements() < 0 || size < 0)) { new_num_elements = -1; } else { new_num_elements = MultiplyWithoutOverflow(num_elements(), size); if (TF_PREDICT_FALSE(new_num_elements < 0)) { return errors::Internal("Encountered overflow when multiplying ", num_elements(), " with ", size, ", result: ", new_num_elements); } } ... } ```

This is a legacy implementation of the constructor and operations should use BuildTensorShapeBase or AddDimWithStatus to prevent CHECK-failures in the presence of overflows.

Patches

We have patched the issue in GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T23:20:56Z",
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn attacker can trigger a denial of service via a `CHECK`-fail in  `tf.raw_ops.AddManySparseToTensorsMap`:\n\n```python\nimport tensorflow as tf\nimport numpy as np\n\nsparse_indices = tf.constant(530, shape=[1, 1], dtype=tf.int64)\nsparse_values = tf.ones([1], dtype=tf.int64)\n\nshape = tf.Variable(tf.ones([55], dtype=tf.int64))\nshape[:8].assign(np.array([855, 901, 429, 892, 892, 852, 93, 96], dtype=np.int64))\n\ntf.raw_ops.AddManySparseToTensorsMap(sparse_indices=sparse_indices,\n                    sparse_values=sparse_values,\n                    sparse_shape=shape)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/kernels/sparse_tensors_map_ops.cc#L257) takes the values specified in `sparse_shape` as dimensions for the output shape: \n\n```cc\n    TensorShape tensor_input_shape(input_shape-\u003evec\u003cint64\u003e());\n```\n\nThe [`TensorShape` constructor](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L183-L188) uses a `CHECK` operation which triggers when [`InitDims`](https://github.com/tensorflow/tensorflow/blob/6f9896890c4c703ae0a0845394086e2e1e523299/tensorflow/core/framework/tensor_shape.cc#L212-L296) returns a non-OK status.\n  \n```cc\ntemplate \u003cclass Shape\u003e\nTensorShapeBase\u003cShape\u003e::TensorShapeBase(gtl::ArraySlice\u003cint64\u003e dim_sizes) {\n  set_tag(REP16);\n  set_data_type(DT_INVALID);\n  TF_CHECK_OK(InitDims(dim_sizes));\n}\n```\n\nIn our scenario, this occurs when adding a dimension from the argument results in overflow:\n\n```cc\ntemplate \u003cclass Shape\u003e\nStatus TensorShapeBase\u003cShape\u003e::InitDims(gtl::ArraySlice\u003cint64\u003e dim_sizes) {\n  ...\n  Status status = Status::OK();\n  for (int64 s : dim_sizes) {\n    status.Update(AddDimWithStatus(internal::SubtleMustCopy(s)));\n    if (!status.ok()) {\n      return status;\n    }\n  }\n}\n\ntemplate \u003cclass Shape\u003e\nStatus TensorShapeBase\u003cShape\u003e::AddDimWithStatus(int64 size) {\n  ...\n  int64 new_num_elements;\n  if (kIsPartial \u0026\u0026 (num_elements() \u003c 0 || size \u003c 0)) {\n    new_num_elements = -1;\n  } else {\n    new_num_elements = MultiplyWithoutOverflow(num_elements(), size);\n    if (TF_PREDICT_FALSE(new_num_elements \u003c 0)) {\n        return errors::Internal(\"Encountered overflow when multiplying \",\n                                num_elements(), \" with \", size,\n                                \", result: \", new_num_elements);\n      }\n  }\n  ...\n}\n```\n\nThis is a legacy implementation of the constructor and operations should use `BuildTensorShapeBase` or `AddDimWithStatus` to prevent `CHECK`-failures in the presence of overflows.\n\n### Patches\nWe have patched the issue in GitHub commit [69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c](https://github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
  "id": "GHSA-2cpx-427x-q2c6",
  "modified": "2024-10-30T23:14:31Z",
  "published": "2021-05-21T14:21:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-2cpx-427x-q2c6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-451.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-649.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-160.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CHECK-fail in AddManySparseToTensorsMap"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.