Add advisories that I missed in previous change
PiperOrigin-RevId: 338308560 Change-Id: I00fcba98e8ea614634ae80c7108048b656ddce12
This commit is contained in:
parent
ff2b5434ec
commit
cb0d520b49
52
tensorflow/security/advisory/tfsa-2020-027.md
Normal file
52
tensorflow/security/advisory/tfsa-2020-027.md
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
## TFSA-2020-027: Segfault in `tf.quantization.quantize_and_dequantize`
|
||||||
|
|
||||||
|
### CVE Number
|
||||||
|
CVE-2020-15265
|
||||||
|
|
||||||
|
### Impact
|
||||||
|
An attacker can pass an invalid `axis` value to
|
||||||
|
`tf.quantization.quantize_and_dequantize`:
|
||||||
|
|
||||||
|
```python
|
||||||
|
tf.quantization.quantize_and_dequantize(
|
||||||
|
input=[2.5, 2.5], input_min=[0,0], input_max=[1,1], axis=10)
|
||||||
|
```
|
||||||
|
|
||||||
|
This results in accessing [a dimension outside the rank of the input
|
||||||
|
tensor](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74)
|
||||||
|
in the C++ kernel implementation:
|
||||||
|
```cc
|
||||||
|
const int depth = (axis_ == -1) ? 1 : input.dim_size(axis_);
|
||||||
|
```
|
||||||
|
|
||||||
|
However, [`dim_size` only does a
|
||||||
|
`DCHECK`](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/framework/tensor_shape.cc#L292-L307)
|
||||||
|
to validate the argument and then uses it to access the corresponding element of
|
||||||
|
an array:
|
||||||
|
```cc
|
||||||
|
int64 TensorShapeBase<Shape>::dim_size(int d) const {
|
||||||
|
DCHECK_GE(d, 0);
|
||||||
|
DCHECK_LT(d, dims());
|
||||||
|
DoStuffWith(dims_[d]);
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Since in normal builds, `DCHECK`-like macros are no-ops, this results in
|
||||||
|
segfault and access out of bounds of the array.
|
||||||
|
|
||||||
|
### Patches
|
||||||
|
|
||||||
|
We have patched the issue in
|
||||||
|
[eccb7ec454e6617738554a255d77f08e60ee0808](https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808)
|
||||||
|
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
|
||||||
|
packages after this commit will also have the issue resolved.
|
||||||
|
|
||||||
|
### For more information
|
||||||
|
Please consult [our security
|
||||||
|
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
|
||||||
|
more information regarding the security model and how to contact us with issues
|
||||||
|
and questions.
|
||||||
|
|
||||||
|
### Attribution
|
||||||
|
This vulnerability has been reported in
|
||||||
|
[#42105](https://github.com/tensorflow/issues/42105).
|
27
tensorflow/security/advisory/tfsa-2020-028.md
Normal file
27
tensorflow/security/advisory/tfsa-2020-028.md
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
## TFSA-2020-028: Float cast overflow undefined behavior
|
||||||
|
|
||||||
|
### CVE Number
|
||||||
|
CVE-2020-15266
|
||||||
|
|
||||||
|
### Impact
|
||||||
|
When the `boxes` argument of `tf.image.crop_and_resize` has a very large value,
|
||||||
|
the CPU kernel implementation receives it as a C++ `nan` floating point value.
|
||||||
|
Attempting to operate on this is undefined behavior which later produces a
|
||||||
|
segmentation fault.
|
||||||
|
|
||||||
|
### Patches
|
||||||
|
|
||||||
|
We have patched the issue in
|
||||||
|
[c0319231333f0f16e1cc75ec83660b01fedd4182](https://github.com/tensorflow/tensorflow/commit/c0319231333f0f16e1cc75ec83660b01fedd4182)
|
||||||
|
and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
|
||||||
|
packages after this commit will also have the issue resolved.
|
||||||
|
|
||||||
|
### For more information
|
||||||
|
Please consult [our security
|
||||||
|
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
|
||||||
|
more information regarding the security model and how to contact us with issues
|
||||||
|
and questions.
|
||||||
|
|
||||||
|
### Attribution
|
||||||
|
This vulnerability has been reported in
|
||||||
|
[#42129](https://github.com/tensorflow/issues/42129).
|
Loading…
Reference in New Issue
Block a user