Null pointer dereference

2021-05-1420:15:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.8%

JSON

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.raw_ops.MaxPool3DGradGrad exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The implementation(https://github.com/tensorflow/tensorflow/blob/72fe792967e7fd25234342068806707bbc116618/tensorflow/core/kernels/pooling_ops_3d.cc#L679-L703) fails to validate that the 3 tensor inputs are not empty. If any of them is empty, then accessing the elements in the tensor results in dereferencing a null pointer. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

CPENameOperatorVersion
tensorflowge2.4.0
tensorflowlt2.4.2
tensorflowge2.3.0
tensorflowlt2.3.3
tensorflowge2.2.0
tensorflowlt2.2.3
tensorflowlt2.1.4

Name	Operator	Version
tensorflow	ge	2.4.0
tensorflow	lt	2.4.2
tensorflow	ge	2.3.0
tensorflow	lt	2.3.3
tensorflow	ge	2.2.0
tensorflow	lt	2.2.3
tensorflow	lt	2.1.4

References

github.com/tensorflow/tensorflow/commit/a3d9f9be9ac2296615644061b40cefcee341dcc4

github.com/tensorflow/tensorflow/security/advisories/GHSA-828x-qc2p-wprq