## TFSA-2021-058: Heap out of bounds read in `RequantizationRange`

### CVE Number
CVE-2021-29569

### Impact
The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside
the bounds of heap-allocated data if an attacker supplies specially crafted inputs:

```python
import tensorflow as tf

input = tf.constant([1], shape=[1], dtype=tf.qint32)
input_max = tf.constant([], dtype=tf.float32)
input_min = tf.constant([], dtype=tf.float32)

tf.raw_ops.RequantizationRange(input=input, input_min=input_min, input_max=input_max)
```

The
[implementation](https://github.com/tensorflow/tensorflow/blob/ac328eaa3870491ababc147822cd04e91a790643/tensorflow/core/kernels/requantization_range_op.cc#L49-L50)
assumes that the `input_min` and `input_max` tensors have at least one element,
as it accesses the first element in two arrays:

```cc
const float input_min_float = ctx->input(1).flat<float>()(0);
const float input_max_float = ctx->input(2).flat<float>()(0);
```

If the tensors are empty, `.flat<T>()` is an empty object, backed by an empty
array. Hence, accessing even the 0th element is a read outside the bounds.

### Patches
We have patched the issue in GitHub commit
[ef0c008ee84bad91ec6725ddc42091e19a30cf0e](https://github.com/tensorflow/tensorflow/commit/ef0c008ee84bad91ec6725ddc42091e19a30cf0e).

The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
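
The missing emptiness check described under Impact, shown as an added example that is neither TensorFlow's code nor the patch itself. It is a self-contained C++ model in which `FlatF`, `RangeResult`, `Dequantize` and `RequantizationRangeChecked` are hypothetical names, and the dequantization is a simplified linear mapping assumed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <limits>
#include <string>
#include <vector>

// Constructed stand-in for a tensor's flat float buffer (not TensorFlow's Tensor).
using FlatF = std::vector<float>;

struct RangeResult {
  bool ok;
  std::string error;  // set when ok == false
  float used_min;
  float used_max;
};

// Simplified linear mapping of a qint32 value into [lo, hi].
// Assumption for illustration; not TensorFlow's own dequantization routine.
static float Dequantize(int32_t q, float lo, float hi) {
  const double qmin = std::numeric_limits<int32_t>::min();
  const double qmax = std::numeric_limits<int32_t>::max();
  return static_cast<float>(lo + (q - qmin) * (hi - lo) / (qmax - qmin));
}

// Hardened front end: every buffer is size-checked before element 0 is read,
// so the empty-tensor input from the advisory becomes an error, not an OOB read.
RangeResult RequantizationRangeChecked(const std::vector<int32_t>& input,
                                       const FlatF& input_min,
                                       const FlatF& input_max) {
  if (input_min.empty())
    return {false, "input_min must have at least one element", 0.f, 0.f};
  if (input_max.empty())
    return {false, "input_max must have at least one element", 0.f, 0.f};
  if (input.empty())  // choice made in this example: reject instead of guessing
    return {false, "input must have at least one element", 0.f, 0.f};
  const float lo = input_min[0];  // safe: size verified above
  const float hi = input_max[0];
  const auto mm = std::minmax_element(input.begin(), input.end());
  return {true, "", Dequantize(*mm.first, lo, hi), Dequantize(*mm.second, lo, hi)};
}
```
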