experiments/STT-tensorflow
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
mm-llvm-bazel
STT-tensorflow/tensorflow/security/advisory/tfsa-2020-012.md
Mihai Maruseac c06650b697 Fix rendering of security advisories. 
GitHub does not insert automatic links and smart code snippets in these files, so we have to do it manually.

PiperOrigin-RevId: 333195707
Change-Id: I1e2fed8ff207fbfce6eb8fb2b910d12bcab4100c
2020-09-22 17:56:00 -07:00

1.4 KiB
Raw Permalink Blame History

TFSA-2020-012: Segfault by calling session-only ops in eager mode

CVE Number

CVE-2020-15204

Impact

In eager mode, TensorFlow does not set the session state. Hence, calling tf.raw_ops.GetSessionHandle or tf.raw_ops.GetSessionHandleV2 results in a null pointer dereference:

  int64 id = ctx->session_state()->GetNewId();

In the above snippet, in eager mode, ctx->session_state() returns nullptr. Since code immediately dereferences this, we get a segmentation fault.

Vulnerable Versions

TensorFlow 1.15.0, 1.15.1, 1.15.2, 1.15.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.3.0.

Patches

We have patched the issue in 9a133d73ae4b4664d22bd1aa6d654fec13c52ee1 and will release patch releases for all versions between 1.15 and 2.3.

We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.