Headline
CVE-2022-23565: Remove a `DCHECK`-fail, log an error instead. · tensorflow/tensorflow@c2b31ff
TensorFlow is an Open Source Machine Learning Framework. An attacker can trigger denial of service via assertion failure by altering a `SavedModel` on disk such that `AttrDef`s of some operation are duplicated. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Remove a `DCHECK`-fail, log an error instead.
`DCHECK` in debug mode results in crashes. TensorFlow has had multiple vulnerabilities due to this.
Outside of debug mode, `DCHECK` is a no-op.
A better alternative is to report an error to the log buffer and continue. This should happen both in debug mode and in prod mode.
PiperOrigin-RevId: 408375925
Change-Id: Id5b3e19c73f3fbe0cc4bba26ca44ff9607bb6356
Showing with 4 additions and 3 deletions.
- +4 −3 tensorflow/core/framework/op_def_util.cc
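The pattern the commit message describes, as an added example that is not TensorFlow's code or part of this commit: a debug-only assertion beside an always-on check that records an error and continues. `AttrDefLite`, `AttrIndex`, both function names, the sample data, and the choice to keep the first definition of a duplicated name are assumptions made for illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for an op attribute definition (not TensorFlow's AttrDef).
struct AttrDefLite { std::string name; std::string type; };

struct AttrIndex {
  std::map<std::string, std::size_t> by_name;  // attr name -> position in input
  std::vector<std::string> errors;             // one message per rejected duplicate
};

// Debug-only check: aborts the process on a duplicate name when assertions are
// compiled in, and accepts the duplicate silently when NDEBUG is defined.
std::map<std::string, std::size_t> IndexWithAssert(const std::vector<AttrDefLite>& attrs) {
  std::map<std::string, std::size_t> by_name;
  for (std::size_t i = 0; i < attrs.size(); ++i) {
    bool is_unique = by_name.emplace(attrs[i].name, i).second;
    assert(is_unique);
    (void)is_unique;  // avoids an unused-variable warning under NDEBUG
  }
  return by_name;
}

// Always-on check: a duplicate name is reported in every build mode, the first
// definition is kept (an assumption of this example), and indexing continues.
AttrIndex IndexWithErrors(const std::vector<AttrDefLite>& attrs) {
  AttrIndex index;
  for (std::size_t i = 0; i < attrs.size(); ++i) {
    bool is_unique = index.by_name.emplace(attrs[i].name, i).second;
    if (!is_unique) {
      index.errors.push_back("duplicate attr '" + attrs[i].name +
                             "' at position " + std::to_string(i) + " ignored");
    }
  }
  return index;
}

// Constructed sample: attr "T" appears twice, as in a tampered model file.
std::vector<AttrDefLite> TamperedAttrs() {
  return {{"T", "type"}, {"N", "int"}, {"T", "type"}};
}

int main() {
  AttrIndex index = IndexWithErrors(TamperedAttrs());
  for (const std::string& e : index.errors) std::cerr << "ERROR: " << e << "\n";
  std::cout << index.by_name.size() << " unique attrs indexed\n";
  return 0;
}
```

Returning the errors to the caller, rather than only writing them to a log, lets a model loader refuse the file instead of continuing with a partially trusted definition.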