CVE-2021-41196 – Crash in `max_pool3d` when size argument is 0 or negative
https://notcve.org/view.php?id=CVE-2021-41196
TensorFlow is an open source platform for machine learning. In affected versions the Keras pooling layers can trigger a segfault if the size of the pool is 0 or if a dimension is negative. This is due to the TensorFlow's implementation of pooling operations where the values in the sliding window are not checked to be strictly positive. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range. • https://github.com/tensorflow/tensorflow/commit/12b1ff82b3f26ff8de17e58703231d5a02ef1b8b https://github.com/tensorflow/tensorflow/issues/51936 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m539-j985-hcr8 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVE-2021-41195 – Crash in `tf.math.segment_*` operations
https://notcve.org/view.php?id=CVE-2021-41195
TensorFlow is an open source platform for machine learning. In affected versions the implementation of `tf.math.segment_*` operations results in a `CHECK`-fail related abort (and denial of service) if a segment id in `segment_ids` is large. This is similar to CVE-2021-29584 (and similar other reported vulnerabilities in TensorFlow, localized to specific APIs): the implementation (both on CPU and GPU) computes the output shape using `AddDim`. However, if the number of elements in the tensor overflows an `int64_t` value, `AddDim` results in a `CHECK` failure which provokes a `std::abort`. Instead, code should use `AddDimWithStatus`. • https://github.com/tensorflow/tensorflow/commit/e9c81c1e1a9cd8dd31f4e83676cab61b60658429 https://github.com/tensorflow/tensorflow/issues/46888 https://github.com/tensorflow/tensorflow/pull/51733 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cq76-mxrc-vchh • CWE-190: Integer Overflow or Wraparound •
CVE-2021-37690 – Use after free and segfault in shape inference functions in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37690
TensorFlow is an end-to-end open source platform for machine learning. In affected versions when running shape functions, some functions (such as `MutableHashTableShape`) produce extra output information in the form of a `ShapeAndType` struct. The shapes embedded in this struct are owned by an inference context that is cleaned up almost immediately; if the upstream code attempts to access this shape information, it can trigger a segfault. `ShapeRefiner` is mitigating this for normal output shapes by cloning them (and thus putting the newly created shape under ownership of an inference context that will not die), but we were not doing the same for shapes and types. This commit fixes that by doing similar logic on output shapes and types. • https://github.com/tensorflow/tensorflow/commit/ee119d4a498979525046fba1c3dd3f13a039fbb1 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-3hxh-8cp2-g4hg • CWE-416: Use After Free •
CVE-2021-37678 – Arbitrary code execution due to YAML deserialization
https://notcve.org/view.php?id=CVE-2021-37678
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. • https://github.com/tensorflow/tensorflow/commit/23d6383eb6c14084a8fc3bdf164043b974818012 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-r6jx-9g48-2r5r • CWE-502: Deserialization of Untrusted Data •
CVE-2021-37692 – Segfault on strings tensors with mistmatched dimensions in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37692
TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, `C.TF_TString_Dealloc` is called during garbage collection within a finalizer function. However, tensor structure isn't checked until encoding to avoid a performance penalty. The current method for dealloc assumes that encoding succeeded, but segfaults when a string tensor is garbage collected whose encoding failed (e.g., due to mismatched dimensions). • https://github.com/tensorflow/tensorflow/commit/8721ba96e5760c229217b594f6d2ba332beedf22 https://github.com/tensorflow/tensorflow/pull/50508 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cmgw-8vpc-rc59 • CWE-20: Improper Input Validation •