PT-2022-19463 · Google · Tensorflow
Mihaimaruseac · Published 2022-05-20 · Updated 2024-03-06 · CVE-2022-29210
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
TensorFlow version 2.8.0
Description
The issue arises from the TensorKey hash function using total estimated AllocatedBytes(), which is an estimate per tensor and a poor hash function for constants, such as int32_t. It also attempts to access individual tensor bytes through tensor.data() of size AllocatedBytes(), leading to ASAN failures because AllocatedBytes() is an estimate of total bytes allocated by a tensor, including pointed-to constructs like strings, and does not refer to contiguous bytes in the .data() buffer. The discoverers could not use this byte vector anyway because types like tstring include pointers, whereas they needed to hash the string values themselves.
Recommendations
For version 2.8.0, update to version 2.8.1 or 2.9.0 to resolve the issue.
For versions prior to 2.8.1 and 2.9.0, update to version 2.8.1 or 2.9.0 to resolve the issue.
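The size mismatch from the description, as an added illustration that is neither TensorFlow code nor the project's fix: ToyStringTensor and every function name below are hypothetical, std::string stands in for tstring, and FNV-1a is a swapped-in hash chosen for brevity. It computes how far a walk of data() sized by the allocation estimate would run past the contiguous buffer, and hashes the string values instead of the raw bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a string tensor: the contiguous buffer holds only
// the std::string objects; their characters may live elsewhere on the heap.
struct ToyStringTensor {
    std::vector<std::string> elems;
    const void* data() const { return elems.data(); }
    // Bytes that are actually contiguous behind data().
    std::size_t ContiguousBytes() const {
        return elems.size() * sizeof(std::string);
    }
    // Estimate of everything the tensor owns, pointed-to payloads included.
    std::size_t AllocatedBytesEstimate() const {
        std::size_t total = ContiguousBytes();
        for (const auto& s : elems) total += s.capacity();
        return total;
    }
};

// How many bytes a hash that walks data() for the estimated size would read
// past the end of the buffer. Only the arithmetic is done; nothing is read.
std::size_t OverreadBytes(const ToyStringTensor& t) {
    return t.AllocatedBytesEstimate() - t.ContiguousBytes();
}

// FNV-1a over the string values themselves, with a length prefix per element
// so that {"ab","c"} and {"a","bc"} feed different byte sequences to the hash.
std::uint64_t HashStringValues(const ToyStringTensor& t) {
    std::uint64_t h = 1469598103934665603ULL;
    auto mix = [&h](unsigned char b) { h = (h ^ b) * 1099511628211ULL; };
    for (const auto& s : t.elems) {
        std::uint64_t n = s.size();
        for (int i = 0; i < 8; ++i)
            mix(static_cast<unsigned char>(n >> (8 * i)));
        for (unsigned char c : s) mix(c);
    }
    return h;
}
```

Because the hash depends only on element values, two tensors with equal contents hash identically even though their buffers and internal pointers differ.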
Exploit
Fix
Memory Corruption
Heap Based Buffer Overflow
Buffer Overflow
Related Identifiers
Affected Products
Tensorflow