CVE-2022-41902— Google TensorFlow 缓冲区错误漏洞

Out of bounds write in grappler in Tensorflow

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

跨界内存写

Google TensorFlow 缓冲区错误漏洞

Google TensorFlow是美国谷歌（Google）公司的一套用于机器学习的端到端开源平台。 Google TensorFlow 2.11.0之前版本存在缓冲区错误漏洞，该漏洞源于函数MakeGrapplerFunctionItem采用确定输入和输出大小的参数，如果给定的输入大于或等于输出的大小，则会触发越界内存读取或崩溃。

N/A

N/A