experiments/STT-tensorflow
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add advisories that I missed in previous change

Browse Source 
PiperOrigin-RevId: 338308560
Change-Id: I00fcba98e8ea614634ae80c7108048b656ddce12
This commit is contained in:
Mihai Maruseac 2020-10-21 11:50:05 -07:00 committed by TensorFlower Gardener
parent ff2b5434ec
commit cb0d520b49
2 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
tensorflow/security/advisory/tfsa-2020-027.md Normal file
View File

@ -0,0 +1,52 @@
## TFSA-2020-027: Segfault in `tf.quantization.quantize_and_dequantize`
### CVE Number
CVE-2020-15265
### Impact
An attacker can pass an invalid `axis` value to
`tf.quantization.quantize_and_dequantize`:
```python
tf.quantization.quantize_and_dequantize(
input=[2.5, 2.5], input_min=[0,0], input_max=[1,1], axis=10)
```
This results in accessing [a dimension outside the rank of the input
tensor](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74)
in the C++ kernel implementation:
```cc
const int depth = (axis_ == -1) ? 1 : input.dim_size(axis_);
```
However, [`dim_size` only does a
`DCHECK`](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/framework/tensor_shape.cc#L292-L307)
to validate the argument and then uses it to access the corresponding element of
an array:
```cc
int64 TensorShapeBase<Shape>::dim_size(int d) const {
DCHECK_GE(d, 0);
DCHECK_LT(d, dims());
DoStuffWith(dims_[d]);
}
```
Since in normal builds, `DCHECK`-like macros are no-ops, this results in
segfault and access out of bounds of the array.
### Patches
We have patched the issue in
[eccb7ec454e6617738554a255d77f08e60ee0808](https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported in
[#42105](https://github.com/tensorflow/issues/42105).

27
tensorflow/security/advisory/tfsa-2020-028.md Normal file
View File

@ -0,0 +1,27 @@
## TFSA-2020-028: Float cast overflow undefined behavior
### CVE Number
CVE-2020-15266
### Impact
When the `boxes` argument of `tf.image.crop_and_resize` has a very large value,
the CPU kernel implementation receives it as a C++ `nan` floating point value.
Attempting to operate on this is undefined behavior which later produces a
segmentation fault.
### Patches
We have patched the issue in
[c0319231333f0f16e1cc75ec83660b01fedd4182](https://github.com/tensorflow/tensorflow/commit/c0319231333f0f16e1cc75ec83660b01fedd4182)
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
packages after this commit will also have the issue resolved.
### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.
### Attribution
This vulnerability has been reported in
[#42129](https://github.com/tensorflow/issues/42129).