ghsa-8pmx-p244-g88h
Vulnerability from github
6.9 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Impact
The implementation of tf.io.decode_raw produces incorrect results and crashes the Python interpreter when combining fixed_length and wider datatypes.
```python import tensorflow as tf
tf.io.decode_raw(tf.constant(["1","2","3","4"]), tf.uint16, fixed_length=4) ```
The implementation of the padded version is buggy due to a confusion about pointer arithmetic rules.
First, the code computes the width of each output element by dividing the fixed_length value to the size of the type argument:
cc
int width = fixed_length / sizeof(T);
The fixed_length argument is also used to determine the size needed for the output tensor:
```cc TensorShape out_shape = input.shape(); out_shape.AddDim(width); Tensor* output_tensor = nullptr; OP_REQUIRES_OK(context, context->allocate_output("output", out_shape, &output_tensor));
auto out = output_tensor->flat_inner_dims
This is followed by reencoding code:
```cc
for (int64 i = 0; i < flat_in.size(); ++i) {
const T* in_data = reinterpret_cast
if (flat_in(i).size() > fixed_length) { memcpy(out_data, in_data, fixed_length); } else { memcpy(out_data, in_data, flat_in(i).size()); } out_data += fixed_length; } ```
The erroneous code is the last line above: it is moving the out_data pointer by fixed_length * sizeof(T) bytes whereas it only copied at most fixed_length bytes from the input. This results in parts of the input not being decoded into the output.
Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory.
Patches
We have patched the issue in GitHub commit 698e01511f62a3c185754db78ebce0eee1f0184d.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29614"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-17T21:25:08Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes.\n\n```python\nimport tensorflow as tf\n\ntf.io.decode_raw(tf.constant([\"1\",\"2\",\"3\",\"4\"]), tf.uint16, fixed_length=4)\n``` \n \nThe [implementation of the padded version](https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules.\n\nFirst, the code [computes](https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument:\n\n```cc\nint width = fixed_length / sizeof(T);\n```\n\nThe `fixed_length` argument is also used to determine the [size needed for the output tensor](https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79):\n\n```cc\nTensorShape out_shape = input.shape();\nout_shape.AddDim(width);\nTensor* output_tensor = nullptr;\nOP_REQUIRES_OK(context, context-\u003eallocate_output(\"output\", out_shape, \u0026output_tensor));\n\nauto out = output_tensor-\u003eflat_inner_dims\u003cT\u003e();\nT* out_data = out.data();\nmemset(out_data, 0, fixed_length * flat_in.size());\n```\n\nThis is followed by [reencoding code](https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94):\n\n```cc\nfor (int64 i = 0; i \u003c flat_in.size(); ++i) {\n const T* in_data = reinterpret_cast\u003cconst T*\u003e(flat_in(i).data());\n\n if (flat_in(i).size() \u003e fixed_length) {\n memcpy(out_data, in_data, fixed_length);\n } else {\n memcpy(out_data, in_data, flat_in(i).size());\n }\n out_data += fixed_length;\n}\n```\n\nThe erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output.\n\nFurthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory.\n\n### Patches\nWe have patched the issue in GitHub commit [698e01511f62a3c185754db78ebce0eee1f0184d](https://github.com/tensorflow/tensorflow/commit/698e01511f62a3c185754db78ebce0eee1f0184d).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-8pmx-p244-g88h",
"modified": "2024-11-13T16:26:19Z",
"published": "2021-05-21T14:28:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-8pmx-p244-g88h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29614"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/698e01511f62a3c185754db78ebce0eee1f0184d"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-542.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-740.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-251.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Interpreter crash from `tf.io.decode_raw`"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.