The implementation of SparseFillEmptyRowsGrad
uses a double indexing pattern:
https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/sparsefillemptyrowsop.cc#L263-L269
It is possible for reverse_index_map(i)
to be an index outside of bounds of grad_values
, thus resulting in a heap buffer overflow.
We have patched the issue in 390611e0d45c5793c7066110af37c8514e6a6c54 and will release a patch release for all affected versions.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
{ "nvd_published_at": "2020-09-25T19:15:00Z", "cwe_ids": [ "CWE-119", "CWE-122", "CWE-787" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-09-25T17:15:00Z" }