GHSA-M4HF-J54P-P353

Vulnerability from github – Published: 2022-02-10 00:19 – Updated: 2024-11-13 22:12
VLAI?
Summary
Type confusion leading to segfault in Tensorflow
Details

Impact

The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion:

import tensorflow as tf

@tf.function
def test():
  y = tf.raw_ops.ConcatV2(
    values=[[1,2,3],[4,5,6]],
    axis = 0xb500005b)
  return y

test()

The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate that the values tensor has at least the required rank:

  int64_t concat_dim;
  if (concat_dim_t->dtype() == DT_INT32) {
    concat_dim = static_cast<int64_t>(concat_dim_t->flat<int32>()(0));
  } else {
    concat_dim = concat_dim_t->flat<int64_t>()(0);
  }

  // Minimum required number of dimensions.
  const int min_rank = concat_dim < 0 ? -concat_dim : concat_dim + 1;

  // ...
  ShapeHandle input = c->input(end_value_index - 1);
  TF_RETURN_IF_ERROR(c->WithRankAtLeast(input, min_rank, &input));

However, WithRankAtLeast receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:

Status InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,
                                         ShapeHandle* out) {
  if (rank > kint32max) {
    return errors::InvalidArgument("Rank cannot exceed kint32max");
  }
  // ...
}

Due to the fact that min_rank is a 32-bits value and the value of axis, the rank argument is a negative value, so the error check is bypassed.

Patches

We have patched the issue in GitHub commit 08d7b00c0a5a20926363849f611729f53f3ec022.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.7.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-03T19:01:09Z",
    "nvd_published_at": "2022-02-03T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact \nThe [implementation of shape inference for `ConcatV2`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/common_shape_fns.cc#L1961-L2059) can be used to trigger a denial of service attack via a segfault caused by a type confusion:\n\n```python\nimport tensorflow as tf\n\n@tf.function\ndef test():\n  y = tf.raw_ops.ConcatV2(\n    values=[[1,2,3],[4,5,6]],\n    axis = 0xb500005b)\n  return y\n\ntest()\n```\n\nThe `axis` argument is translated into `concat_dim` in the `ConcatShapeHelper` helper function. Then, a value for `min_rank` is computed based on `concat_dim`. This is then used to validate that the `values` tensor has at least the required rank:\n\n```cc\n  int64_t concat_dim;\n  if (concat_dim_t-\u003edtype() == DT_INT32) {\n    concat_dim = static_cast\u003cint64_t\u003e(concat_dim_t-\u003eflat\u003cint32\u003e()(0));\n  } else {\n    concat_dim = concat_dim_t-\u003eflat\u003cint64_t\u003e()(0);\n  }\n\n  // Minimum required number of dimensions.\n  const int min_rank = concat_dim \u003c 0 ? -concat_dim : concat_dim + 1;\n\n  // ...\n  ShapeHandle input = c-\u003einput(end_value_index - 1);\n  TF_RETURN_IF_ERROR(c-\u003eWithRankAtLeast(input, min_rank, \u0026input));\n```\n\nHowever, [`WithRankAtLeast`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.cc#L345-L358) receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:\n\n```cc\nStatus InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,\n                                         ShapeHandle* out) {\n  if (rank \u003e kint32max) {\n    return errors::InvalidArgument(\"Rank cannot exceed kint32max\");\n  }\n  // ...\n}\n```\n\nDue to the fact that `min_rank` is a 32-bits value and the value of `axis`, the `rank` argument is a [negative value](https://godbolt.org/z/Gcr5haMob), so the error check is bypassed.\n\n### Patches\nWe have patched the issue in GitHub commit [08d7b00c0a5a20926363849f611729f53f3ec022](https://github.com/tensorflow/tensorflow/commit/08d7b00c0a5a20926363849f611729f53f3ec022).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.",
  "id": "GHSA-m4hf-j54p-p353",
  "modified": "2024-11-13T22:12:12Z",
  "published": "2022-02-10T00:19:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m4hf-j54p-p353"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/08d7b00c0a5a20926363849f611729f53f3ec022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-55.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-110.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/common_shape_fns.cc#L1961-L2059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.cc#L345-L358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Type confusion leading to segfault in Tensorflow"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.