2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.8%
Specifying a negative dense shape in tf.raw_ops.SparseCountSparseOutput
results in a segmentation fault being thrown out from the standard library as std::vector
invariants are broken.
import tensorflow as tf
indices = tf.constant([], shape=[0, 0], dtype=tf.int64)
values = tf.constant([], shape=[0, 0], dtype=tf.int64)
dense_shape = tf.constant([-100, -100, -100], shape=[3], dtype=tf.int64)
weights = tf.constant([], shape=[0, 0], dtype=tf.int64)
tf.raw_ops.SparseCountSparseOutput(indices=indices, values=values, dense_shape=dense_shape, weights=weights, minlength=79, maxlength=96, binary_output=False)
This is because the implementation assumes the first element of the dense shape is always positive and uses it to initialize a BatchedMap<T>
(i.e., std::vector<absl::flat_hash_map<int64,T>>
) data structure.
bool is_1d = shape.NumElements() == 1;
int num_batches = is_1d ? 1 : shape.flat<int64>()(0);
...
auto per_batch_counts = BatchedMap<W>(num_batches);
If the shape
tensor has more than one element, num_batches
is the first value in shape
.
Ensuring that the dense_shape
argument is a valid tensor shape (that is, all elements are non-negative) solves this issue.
We have patched the issue in GitHub commit c57c0b9f3a4f8684f3489dd9a9ec627ad8b599f5.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 and TensorFlow 2.3.3.
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
CPE | Name | Operator | Version |
---|---|---|---|
tensorflow-gpu | lt | 2.4.2 | |
tensorflow-gpu | lt | 2.3.3 | |
tensorflow-cpu | lt | 2.4.2 | |
tensorflow-cpu | lt | 2.3.3 | |
tensorflow | lt | 2.4.2 | |
tensorflow | lt | 2.3.3 |
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:N/I:N/A:P
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.8%