{ "schema_version": "1.4.0", "id": "GHSA-jvhc-5hhr-w3v5", "modified": "2022-09-19T19:06:13Z", "published": "2022-09-16T21:19:48Z", "aliases": [ "CVE-2022-36012" ], "summary": "TensorFlow vulnerable to assertion fail on MLIR empty edge names", "details": "### Impact\nWhen [`mlir::tfg::ConvertGenericFunctionToFunctionDef`](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc) is given empty function attributes, it crashes.\n```cpp\n// We pre-allocate the array of operands and populate it using the\n// `output_name_to_position` and `control_output_to_position` populated\n// previously.\nSmallVector ret_vals(func.ret_size() + func.control_ret_size(),\n Value());\nfor (const auto& ret_val : func.ret()) {\n auto position = output_name_to_position.find(ret_val.first);\n if (position == output_name_to_position.end())\n return InvalidArgument(\n \"Can't import function, returned value references unknown output \"\n \"argument \",\n ret_val.first);\n ret_vals[position->second] =\n value_manager.GetValueOrCreatePlaceholder(ret_val.second);\n}\nfor (const auto& ret_val : func.control_ret()) {\n auto position = control_output_to_position.find(ret_val.first);\n if (position == control_output_to_position.end())\n return InvalidArgument(\n \"Can't import function, returned value references unknown output \"\n \"argument \",\n ret_val.first);\n Value result = value_manager.GetValueOrCreatePlaceholder(\n (Twine(\"^\") + ret_val.second).str());\n```\n`ret_val.second` cannot be empty. Neither can `input`.\n```cpp\n// Process every node and create a matching MLIR operation\nfor (const NodeDef& node : nodes) {\n if (node.op().empty()) return InvalidArgument(\"empty op type\");\n OperationState state(unknown_loc, absl::StrCat(\"tfg.\", node.op()));\n // Fetch the inputs, creating placeholder if an input hasn't been visited.\n for (const std::string& input : node.input())\n state.operands.push_back(\n value_manager.GetValueOrCreatePlaceholder(input));\n```\n\n\n### Patches\nWe have patched the issue in GitHub commit [ad069af92392efee1418c48ff561fd3070a03d7b](https://github.com/tensorflow/tensorflow/commit/ad069af92392efee1418c48ff561fd3070a03d7b).\n\nThe fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range.\n\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "tensorflow" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.1" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.1" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.1" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-cpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.1" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.1" } ] } ] }, { "package": { "ecosystem": "PyPI", "name": "tensorflow-gpu" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jvhc-5hhr-w3v5" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36012" }, { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/commit/ad069af92392efee1418c48ff561fd3070a03d7b" }, { "type": "PACKAGE", "url": "https://github.com/tensorflow/tensorflow" }, { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/core/ir/importexport/functiondef_import.cc" }, { "type": "WEB", "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.10.0" } ], "database_specific": { "cwe_ids": [ "CWE-617" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-09-16T21:19:48Z", "nvd_published_at": "2022-09-16T23:15:00Z" } }