CVE-2021-29590 in TensorFlowinfo

Summary

by MITRE • 05/15/2021

TensorFlow is an end-to-end open source platform for machine learning. The implementations of the `Minimum` and `Maximum` TFLite operators can be used to read data outside of bounds of heap allocated objects, if any of the two input tensor arguments are empty. This is because the broadcasting implementation(https://github.com/tensorflow/tensorflow/blob/0d45ea1ca641b21b73bcf9c00e0179cda284e7e7/tensorflow/lite/kernels/internal/reference/maximum_minimum.h#L52-L56) indexes in both tensors with the same index but does not validate that the index is within bounds. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/19/2021

The vulnerability CVE-2021-29590 affects TensorFlow Lite implementations of the Minimum and Maximum operators, representing a critical memory safety issue that could enable unauthorized data access through buffer over-read conditions. This flaw exists within the broadcasting implementation of these operators when processing empty tensor arguments, creating a scenario where the indexing mechanism operates beyond the allocated heap memory boundaries. The vulnerability specifically manifests when either of the two input tensor arguments contains no elements, allowing the implementation to access memory locations that should remain inaccessible.

The technical root cause stems from inadequate bounds checking within the reference implementation of the maximum and minimum operations in TensorFlow Lite. The code at line 52-56 of the maximum_minimum.h file performs indexing operations on both tensors using identical index values without validating whether these indices fall within the valid range of either tensor's allocated memory. This design flaw creates a path where an attacker could craft malicious input tensors with empty dimensions, causing the operator to traverse memory locations beyond the intended data boundaries. The vulnerability aligns with CWE-125: Out-of-bounds Read, which specifically addresses situations where software reads data past the end of a buffer, and also relates to CWE-787: Out-of-bounds Write, as the same indexing pattern could potentially enable write operations beyond bounds.

The operational impact of this vulnerability extends across multiple TensorFlow versions, affecting TensorFlow 2.5.0 and earlier releases including 2.4.2, 2.3.3, 2.2.3, and 2.1.4, all of which remain within supported release ranges. This widespread impact means that any application utilizing TensorFlow Lite with these versions could be susceptible to memory corruption attacks, potentially leading to information disclosure, denial of service, or even arbitrary code execution depending on the specific implementation context. The vulnerability is particularly concerning in environments where TensorFlow Lite processes untrusted input data, as the bounds checking failure could be exploited to read sensitive memory contents or disrupt application functionality.

Mitigation strategies for this vulnerability require immediate patching of affected TensorFlow versions to include proper bounds validation in the broadcasting implementation. The fix implemented in TensorFlow 2.5.0 addresses the core indexing issue by ensuring that tensor indices are validated against the actual dimensions of each input tensor before any memory access operations occur. Organizations should prioritize upgrading to TensorFlow 2.5.0 or applying the cherrypicked patches to older supported versions to prevent exploitation. Additionally, defensive programming practices such as implementing input validation for tensor dimensions and monitoring for unusual memory access patterns should be considered as supplementary measures. This vulnerability demonstrates the importance of thorough bounds checking in mathematical operations within machine learning frameworks, particularly when dealing with dynamic tensor shapes and broadcasting behaviors that are fundamental to neural network computations. The ATT&CK framework categorizes this as a memory corruption technique under T1070.004: File Deletion, as the vulnerability could potentially enable attackers to manipulate memory contents through improper bounds checking in mathematical operations.

Responsible

GitHub, Inc.

Reservation

03/30/2021

Disclosure

05/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00198

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!