CVE-2021-37647 in TensorFlow

Summary

by MITRE • 08/12/2021

TensorFlow is an end-to-end open source platform for machine learning. When a user does not supply arguments that determine a valid sparse tensor, `tf.raw_ops.SparseTensorSliceDataset` implementation can be made to dereference a null pointer. The [implementation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L240-L251) has some argument validation but fails to consider the case when either `indices` or `values` are provided for an empty sparse tensor when the other is not. If `indices` is empty, then [code that performs validation](https://github.com/tensorflow/tensorflow/blob/8d72537c6abf5a44103b57b9c2e22c14f5f49698/tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc#L260-L261) (i.e., checking that the indices are monotonically increasing) results in a null pointer dereference. If `indices` as provided by the user is empty, then `indices` in the C++ code above is backed by an empty `std::vector`, hence calling `indices->dim_size(0)` results in null pointer dereferencing (same as calling `std::vector::at()` on an empty vector). We have patched the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.


Analysis

by VulDB Data Team • 08/17/2021

CVE-2021-37647 is a null pointer dereference in TensorFlow's implementation of the `tf.raw_ops.SparseTensorSliceDataset` operation, part of the framework's `tf.data` input pipeline. A sparse tensor is described by three components: `indices`, `values` and `dense_shape`. The issue is reached when a caller supplies components that do not describe a valid sparse tensor, specifically when `indices` is empty while `values` is not (or vice versa). The kernel validates some of its arguments but does not check that the components are shape-consistent with each other before using them.

The flaw is in tensorflow/core/kernels/data/sparse_tensor_slice_dataset_op.cc. The argument validation at lines 240-251 does not cover an empty `indices` tensor paired with a non-empty `values` tensor. Execution then continues to the check at lines 260-261 that verifies the indices are monotonically increasing; that check calls `indices->dim_size(0)` on a pointer that is not backed by any data when `indices` is empty, so the process dereferences a null pointer and crashes with a segmentation fault.

Operationally, the impact is a crash of the process hosting the model or pipeline, i.e. denial of service, for any caller who can control the arguments of this op, for example through a direct `tf.raw_ops` call or a graph loaded from an untrusted source. The bug is present in TensorFlow releases prior to 2.6.0, including the 2.5, 2.4 and 2.3 series before their respective patch releases 2.5.1, 2.4.3 and 2.3.4, which matters for organizations pinned to older release lines. The weakness is classified as CWE-476 (NULL Pointer Dereference) and maps to ATT&CK technique T1499.004, Endpoint Denial of Service: Application or System Exploitation.

The TensorFlow team fixed the issue in GitHub commit 02cc160e29d20631de3859c6653184e3f876b9d7, shipped in TensorFlow 2.6.0 and cherry-picked to the supported maintenance releases 2.5.1, 2.4.3 and 2.3.4. The fix adds input validation so that empty or mutually inconsistent sparse tensor components are rejected with an error instead of being dereferenced. Organizations should update to one of the patched releases; where an upgrade is not yet possible, untrusted sparse tensor components should be validated for shape consistency before they reach the raw op.
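The following is an added example for this entry, not TensorFlow project code and not the text of the fix commit. It shows, in pure Python, the kind of shape-consistency checks a caller can apply to `indices`, `values` and `dense_shape` before invoking `tf.raw_ops.SparseTensorSliceDataset(indices=..., values=..., dense_shape=...)`, so that the inconsistent "empty indices, non-empty values" input described above is rejected instead of reaching an unpatched kernel. Tensors are modelled as nested Python lists, the function names are the example's own, and the sample inputs are constructed for illustration.

```python
"""Caller-side validation of sparse tensor components (added example).

Tensors are modelled as rectangular nested lists: a scalar is (),
a flat list has shape (n,), a list of equal-length rows has shape (n, m).
An empty Python list converts to a rank-1 tensor of shape (0,), which is
exactly the `indices` argument that crashed the unpatched kernel.
"""
from typing import Any, Dict, List, Tuple


def shape_of(t: Any) -> Tuple[int, ...]:
    """Infer the shape of a nested-list tensor; ragged input is rejected."""
    if not isinstance(t, list):
        return ()
    if not t:
        return (0,)
    inner = [shape_of(x) for x in t]
    if any(s != inner[0] for s in inner):
        raise ValueError("ragged tensor has no well-defined shape")
    return (len(t),) + inner[0]


def validate_sparse_components(indices: Any, values: Any, dense_shape: Any) -> Tuple[bool, str]:
    """Structural checks: indices is [nnz, rank], values is [nnz], dense_shape is [rank].

    These are the checks the unpatched kernel lacked; they must run before
    anything indexes into `indices`, which is where the null dereference occurred.
    """
    i_shape, v_shape, d_shape = shape_of(indices), shape_of(values), shape_of(dense_shape)
    if len(i_shape) != 2:
        return False, f"indices must be a matrix [nnz, rank], got shape {i_shape}"
    if len(v_shape) != 1:
        return False, f"values must be a vector [nnz], got shape {v_shape}"
    if len(d_shape) != 1:
        return False, f"dense_shape must be a vector [rank], got shape {d_shape}"
    nnz, rank = i_shape
    if v_shape[0] != nnz:
        return False, f"indices has {nnz} rows but values has {v_shape[0]} entries"
    if d_shape[0] != rank:
        return False, f"indices has rank {rank} but dense_shape has {d_shape[0]} entries"
    return True, "ok"


def indices_are_increasing(indices: List[List[int]]) -> bool:
    """Row-major (lexicographic) strict ordering, the property the kernel checks
    at lines 260-261; safe here only because the shape checks ran first."""
    return all(indices[k] < indices[k + 1] for k in range(len(indices) - 1))


def indices_in_bounds(indices: List[List[int]], dense_shape: List[int]) -> bool:
    """Every coordinate must satisfy 0 <= idx < dense_shape[d]."""
    return all(0 <= idx < bound for row in indices for idx, bound in zip(row, dense_shape))


def check_sparse_tensor_args(indices: Any, values: Any, dense_shape: Any) -> Tuple[bool, str]:
    """Full pre-flight check for arguments destined for the raw op."""
    ok, why = validate_sparse_components(indices, values, dense_shape)
    if not ok:
        return False, why
    if not indices_in_bounds(indices, dense_shape):
        return False, "an index lies outside dense_shape"
    if not indices_are_increasing(indices):
        return False, "indices are not in increasing row-major order"
    return True, "ok"


# Constructed sample inputs.
# CRAFTED is the inconsistent case from the advisory: an empty indices list
# (shape (0,)) alongside a single value; on TensorFlow < 2.6.0 / 2.5.1 / 2.4.3 / 2.3.4
# passing these to tf.raw_ops.SparseTensorSliceDataset crashes the process.
CRAFTED: Dict[str, Any] = {"indices": [], "values": [1.0], "dense_shape": [3]}
# VALID is a consistent 3x2 sparse tensor with two non-zero entries.
VALID: Dict[str, Any] = {"indices": [[0, 1], [2, 0]], "values": [1.0, 2.0], "dense_shape": [3, 2]}

if __name__ == "__main__":
    for name, args in (("crafted", CRAFTED), ("valid", VALID)):
        print(name, check_sparse_tensor_args(**args))
```

Running the block rejects `CRAFTED` with the "indices must be a matrix" reason and accepts `VALID`; the same guard also catches a `values` vector whose length differs from the number of index rows, and unsorted indices, neither of which the unpatched kernel tolerated safely.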

Responsible

GitHub, Inc.

Reservation

07/29/2021

Disclosure

08/12/2021

Moderation

accepted

CPE

ready

EPSS

0.00160

KEV

no

Activities

very low

Sources
