CVE-2021-37692

Segfault on strings tensors with mistmatched dimensions in TensorFlow

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

TensorFlow is an end-to-end open source platform for machine learning. In affected versions under certain conditions, Go code can trigger a segfault in string deallocation. For string tensors, `C.TF_TString_Dealloc` is called during garbage collection within a finalizer function. However, tensor structure isn't checked until encoding to avoid a performance penalty. The current method for dealloc assumes that encoding succeeded, but segfaults when a string tensor is garbage collected whose encoding failed (e.g., due to mismatched dimensions). To fix this, the call to set the finalizer function is deferred until `NewTensor` returns and, if encoding failed for a string tensor, deallocs are determined based on bytes written. We have patched the issue in GitHub commit 8721ba96e5760c229217b594f6d2ba332beedf22. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, which is the other affected version.

TensorFlow es una plataforma de código abierto de extremo a extremo para el aprendizaje automático. En las versiones afectadas bajo determinadas condiciones, el código Go puede desencadenar un error de segmentación en la desasignación de cadenas. Para tensores de cadena, se llama a "C.TF_TString_Dealloc" durante la recolección de basura dentro de una función finalizer. Sin embargo, la estructura del tensor no es comprobada hasta la codificación para impedir que se lleve a cabo una penalización del rendimiento. El método actual para dealloc asume que la codificación tuvo éxito, pero segfaults cuando se recolecta basura un tensor de cadena cuya codificación falló (por ejemplo, debido a dimensiones no coincidentes). Para solucionar este problema, la llamada para establecer la función finalizer se aplaza hasta que regrese "NewTensor" y, si la codificación presenta un fallo para un tensor de cadena, las deslocalizaciones se determinan en función de los bytes escritos. Hemos solucionado el problema en GitHub commit 8721ba96e5760c229217b594f6d2ba332beedf22. La corrección será incluida en TensorFlow versión 2.6.0. También seleccionaremos este commit en TensorFlow versión 2.5.1, que es la otra versión afectada.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-07-29 CVE Reserved
2021-08-12 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (3)

URL	Tag	Source
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cmgw-8vpc-rc59	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/tensorflow/tensorflow/commit/8721ba96e5760c229217b594f6d2ba332beedf22	2021-08-31
https://github.com/tensorflow/tensorflow/pull/50508	2021-08-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Tensorflow Search vendor "Google" for product "Tensorflow"				>= 2.5.0 < 2.6.0 Search vendor "Google" for product "Tensorflow" and version " >= 2.5.0 < 2.6.0"		-		Affected