CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37637 – Null pointer dereference in `CompressElement` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37637
TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/data/compression_utils.cc#L34) was accessing the size of a buffer obtained from the return of a separate function call before validating that said buffer is valid. We have patched the issue in GitHub commit 5dc7f6981fdaf74c8c5be41f393df705841fb7c5. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/5dc7f6981fdaf74c8c5be41f393df705841fb7c5 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c9qf-r67m-p7cg • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37649 – Null pointer dereference in `UncompressElement` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37649
TensorFlow is an end-to-end open source platform for machine learning. The code for `tf.raw_ops.UncompressElement` can be made to trigger a null pointer dereference. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/compression_ops.cc#L50-L53) obtains a pointer to a `CompressedElement` from a `Variant` tensor and then proceeds to dereference it for decompressing. There is no check that the `Variant` tensor contained a `CompressedElement`, so the pointer is actually `nullptr`. We have patched the issue in GitHub commit 7bdf50bb4f5c54a4997c379092888546c97c3ebd. • https://github.com/tensorflow/tensorflow/commit/7bdf50bb4f5c54a4997c379092888546c97c3ebd https://github.com/tensorflow/tensorflow/security/advisories/GHSA-6gv8-p3vj-pxvr • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37647 – Null pointer dereference in `SparseTensorSliceDataset` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37647
TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices->dim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). • https://github.com/tensorflow/tensorflow/commit/02cc160e29d20631de3859c6653184e3f876b9d7 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c5x2-p679-95wc • CWE-476: NULL Pointer Dereference •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37643 – Null pointer dereference in `MatrixDiagPartOp` in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37643
TensorFlow is an end-to-end open source platform for machine learning. If a user does not provide a valid padding value to `tf.raw_ops.MatrixDiagPartOp`, then the code triggers a null pointer dereference (if input is empty) or produces invalid behavior, ignoring all values after the first. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/linalg/matrix_diag_op.cc#L89) reads the first value from a tensor buffer without first checking that the tensor has values to read from. We have patched the issue in GitHub commit 482da92095c4d48f8784b1f00dda4f81c28d2988. The fix will be included in TensorFlow 2.6.0. • https://github.com/tensorflow/tensorflow/commit/482da92095c4d48f8784b1f00dda4f81c28d2988 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-fcwc-p4fc-c5cc • CWE-476: NULL Pointer Dereference •
CVSS: 8.4EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37639 – Null pointer dereference and heap OOB read in TensorFlow
https://notcve.org/view.php?id=CVE-2021-37639
TensorFlow is an end-to-end open source platform for machine learning. When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer. Alternatively, attackers can read memory outside the bounds of heap allocated data by providing some tensor names but not enough for a successful restoration. The [implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159) retrieves the tensor list corresponding to the `tensor_name` user controlled input and immediately retrieves the tensor at the restoration index (controlled via `preferred_shard` argument). This occurs without validating that the provided list has enough values. • https://github.com/tensorflow/tensorflow/commit/9e82dce6e6bd1f36a57e08fa85af213e2b2f2622 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gh6x-4whr-2qv4 • CWE-125: Out-of-bounds Read CWE-476: NULL Pointer Dereference •