CVE-2021-29614— Google TensorFlow 缓冲区错误漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2021-29614の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Interpreter crash from `tf.io.decode_raw`
ソース: NVD (National Vulnerability Database)
脆弱性説明
TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes. The implementation of the padded version(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc) is buggy due to a confusion about pointer arithmetic rules. First, the code computes(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L61) the width of each output element by dividing the `fixed_length` value to the size of the type argument. The `fixed_length` argument is also used to determine the size needed for the output tensor(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L63-L79). This is followed by reencoding code(https://github.com/tensorflow/tensorflow/blob/1d8903e5b167ed0432077a3db6e462daf781d1fe/tensorflow/core/kernels/decode_padded_raw_op.cc#L85-L94). The erroneous code is the last line above: it is moving the `out_data` pointer by `fixed_length * sizeof(T)` bytes whereas it only copied at most `fixed_length` bytes from the input. This results in parts of the input not being decoded into the output. Furthermore, because the pointer advance is far wider than desired, this quickly leads to writing to outside the bounds of the backing data. This OOB write leads to interpreter crash in the reproducer mentioned here, but more severe attacks can be mounted too, given that this gadget allows writing to periodically placed locations in memory. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
初始化不恰当
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Google TensorFlow 缓冲区错误漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Google TensorFlow是美国谷歌(Google)公司的一套用于机器学习的端到端开源平台。 Google TensorFlow 2.4.2,2.3.3,2.2.3,2.1.4版本存在安全漏洞,该漏洞源于tf.io.decode_raw的实现会产生不正确的结果,并在组合固定长度和更宽的数据类型时导致Python解释器崩溃。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| tensorflow | tensorflow | < 2.1.4 | - |
II. CVE-2021-29614の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2021-29614のインテリジェンス情報
请登录查看更多情报信息。
Same Patch Batch · tensorflow · 2021-05-14 · 108 CVEs total
| CVE-2021-29591 | 7.3 HIGH | Stack overflow due to looping TFLite subgraph |
| CVE-2021-29605 | 7.1 HIGH | Integer overflow in TFLite memory allocation |
| CVE-2021-29606 | 7.1 HIGH | Heap OOB read in TFLite |
| CVE-2021-29601 | 6.3 MEDIUM | Integer overflow in TFLite concatentation |
| CVE-2021-29613 | 6.3 MEDIUM | Incomplete validation in `tf.raw_ops.CTCLoss` |
| CVE-2021-29607 | 5.3 MEDIUM | Incomplete validation in `SparseSparseMinimum` |
| CVE-2021-29608 | 5.3 MEDIUM | Heap OOB and null pointer dereference in `RaggedTensorToTensor` |
| CVE-2021-29609 | 5.3 MEDIUM | Incomplete validation in `SparseAdd` |
| CVE-2021-29571 | 4.5 MEDIUM | Memory corruption in `DrawBoundingBoxesV2` |
| CVE-2021-29592 | 4.4 MEDIUM | Null pointer dereference in TFLite's `Reshape` operator |
| CVE-2021-29610 | 3.6 LOW | Invalid validation in `QuantizeAndDequantizeV2` |
| CVE-2021-29612 | 3.6 LOW | Heap buffer overflow in `BandedTriangularSolve` |
| CVE-2021-29611 | 3.6 LOW | Incomplete validation in `SparseReshape` |
| CVE-2021-29526 | 2.5 LOW | Division by 0 in `Conv2D` |
| CVE-2021-29528 | 2.5 LOW | Division by 0 in `QuantizedMul` |
| CVE-2021-29525 | 2.5 LOW | Division by 0 in `Conv2DBackpropInput` |
| CVE-2021-29584 | 2.5 LOW | CHECK-fail due to integer overflow |
| CVE-2021-29583 | 2.5 LOW | Heap buffer overflow and undefined behavior in `FusedBatchNorm` |
| CVE-2021-29574 | 2.5 LOW | Undefined behavior in `MaxPool3DGradGrad` |
| CVE-2021-29573 | 2.5 LOW | Division by 0 in `MaxPoolGradWithArgmax` |
Showing 20 of 108 CVEs. View all on vendor page →
IV. 関連脆弱性
同じベンダー: tensorflow
- CVE-2026-2492
TensorFlow HDF5 Library Uncontrolled Search Path Element Loc - CVE-2023-33976
TensorFlow segfault in array_ops.upper_bound - CVE-2024-3660
Arbitrary code injection vulnerability in Keras framework < - CVE-2023-25661
Denial of Service in TensorFlow - CVE-2023-25660
TensorFlow vulnerable to seg fault in `tf.raw_ops.Print`
V. CVE-2021-29614へのコメント
まだコメントはありません