Headline
CVE-2022-35965: Fix empty inputs for Upper/LowerBound. · tensorflow/tensorflow@bce3717
TensorFlow is an open source platform for machine learning. If LowerBound or UpperBound is given an emptysorted_inputs input, it results in a nullptr dereference, leading to a segfault that can be used to trigger a denial of service attack. We have patched the issue in GitHub commit bce3717eaef4f769019fd18e990464ca4a2efeea. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.
@@ -22,6 +22,7 @@ limitations under the License.
#include “tensorflow/core/framework/register_types.h”
#include “tensorflow/core/framework/tensor.h”
#include “tensorflow/core/framework/tensor_shape.h”
#include “tensorflow/core/kernels/fill_functor.h”
#include “tensorflow/core/lib/core/bits.h”
#include “tensorflow/core/platform/logging.h”
#include “tensorflow/core/platform/threadpool.h”
@@ -129,6 +130,14 @@ class UpperBoundOp : public OpKernel {
auto output = output_t->template flat<OutType>();
const auto sorted_inputs = sorted_inputs_t.template flat<T>();
const auto values = values_t.template flat<T>();
// For empty inputs, all values will be placed at the zeroth position.
if (sorted_inputs.size() == 0) {
functor::SetZeroFunctor<Device, OutType> set_zero;
set_zero(ctx->eigen_device<Device>(), output);
return;
}
OP_REQUIRES_OK(
ctx, functor::UpperBoundFunctor<Device, T, OutType>::Compute(
ctx, sorted_inputs, values, sorted_inputs_t.dim_size(0),
@@ -174,6 +183,14 @@ class LowerBoundOp : public OpKernel {
auto output = output_t->template flat<OutType>();
const auto sorted_inputs = sorted_inputs_t.template flat<T>();
const auto values = values_t.template flat<T>();
// For empty inputs, all values will be placed at the zeroth position.
if (sorted_inputs.size() == 0) {
functor::SetZeroFunctor<Device, OutType> set_zero;
set_zero(ctx->eigen_device<Device>(), output);
return;
}
OP_REQUIRES_OK(
ctx, functor::LowerBoundFunctor<Device, T, OutType>::Compute(
ctx, sorted_inputs, values, sorted_inputs_t.dim_size(0),
Related news
### Impact If `LowerBound` or `UpperBound` is given an empty`sorted_inputs` input, it results in a `nullptr` dereference, leading to a segfault that can be used to trigger a denial of service attack. ```python import tensorflow as tf out_type = tf.int32 sorted_inputs = tf.constant([], shape=[10,0], dtype=tf.float32) values = tf.constant([], shape=[10,10,0,10,0], dtype=tf.float32) tf.raw_ops.LowerBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type) ``` ```python import tensorflow as tf out_type = tf.int64 sorted_inputs = tf.constant([], shape=[2,2,0,0,0,0,0,2], dtype=tf.float32) values = tf.constant(0.372660398, shape=[2,4], dtype=tf.float32) tf.raw_ops.UpperBound(sorted_inputs=sorted_inputs, values=values, out_type=out_type) ``` ### Patches We have patched the issue in GitHub commit [bce3717eaef4f769019fd18e990464ca4a2efeea](https://github.com/tensorflow/tensorflow/commit/bce3717eaef4f769019fd18e990464ca4a2efeea). The fix will be included in TensorFlow 2.10.0. We wi...