CVE-2021-37661

Advisory

Tensorflow-rocm 2.3.4, 2.4.3, 2.5.1 and 2.6.0 include a fix for CVE-2021-37661: In affected versions an attacker can cause a denial of service in 'boosted_trees_create_quantile_stream_resource' by using negative arguments. The implementation (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/quantile_ops.cc#L96) does not validate that 'num_streams' only contains non-negative numbers. In turn, this results in using this value to allocate memory (https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/boosted_trees/quantiles/quantile_stream_resource.h#L31-L40). However, 'reserve' receives an unsigned integer so there is an implicit conversion from a negative value to a large positive unsigned. This results in a crash from the standard library. The Tensorflow team has patched the issue in GitHub commit 8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gf88-j2mg-cc82
• https://github.com/tensorflow/tensorflow/commit/8a84f7a2b5a2b27ecf88d25bad9ac777cd2f7992
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37661