CVE-2021-29583

Name of the Vulnerable Software and Affected Versions TensorFlow versions prior to 2.5.0 TensorFlow versions 2.4.2 and earlier TensorFlow versions 2.3.3 and earlier TensorFlow versions 2.2.3 and earlier TensorFlow versions 2.1.4 and earlier

Description The implementation of tf.raw ops.FusedBatchNorm is vulnerable to a heap buffer overflow. If the tensors are empty, the same implementation can trigger undefined behavior by dereferencing null pointers. The implementation fails to validate that scale, offset, mean, and variance all have the same number of elements as the number of channels of x. This results in heap out of bounds reads when the buffers backing these tensors are indexed past their boundary.

Recommendations For TensorFlow versions prior to 2.5.0, update to TensorFlow 2.5.0 or later. For TensorFlow versions 2.4.2 and earlier, update to TensorFlow 2.4.2 or later. For TensorFlow versions 2.3.3 and earlier, update to TensorFlow 2.3.3 or later. For TensorFlow versions 2.2.3 and earlier, update to TensorFlow 2.2.3 or later. For TensorFlow versions 2.1.4 and earlier, update to TensorFlow 2.1.4 or later. As a temporary workaround, consider validating the number of elements in scale, offset, mean, and variance to ensure they match the number of channels of x before calling tf.raw ops.FusedBatchNorm.