## TFSA-2021-062: Division by 0 in `MaxPoolGradWithArgmax`

### CVE Number
CVE-2021-29573

### Impact
The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` is vulnerable to a
division by 0:

```python
import tensorflow as tf

input = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
grad = tf.constant([], shape=[0, 0, 0, 0], dtype=tf.float32)
argmax = tf.constant([], shape=[0], dtype=tf.int64)
ksize = [1, 1, 1, 1]
strides = [1, 1, 1, 1]

tf.raw_ops.MaxPoolGradWithArgmax(
  input=input, grad=grad, argmax=argmax, ksize=ksize, strides=strides,
  padding='SAME', include_batch_in_index=False)
```

The
[implementation](https://github.com/tensorflow/tensorflow/blob/279bab6efa22752a2827621b7edb56a730233bd8/tensorflow/core/kernels/maxpooling_op.cc#L1033-L1034)
fails to validate that the batch dimension of the tensor is non-zero before
dividing by this quantity.

### Patches
We have patched the issue in GitHub commit
[376c352a37ce5a68b721406dc7e77ac4b6cf483d](https://github.com/tensorflow/tensorflow/commit/376c352a37ce5a68b721406dc7e77ac4b6cf483d).

The fix will be included in TensorFlow 2.5.0. We will also cherrypick this
commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow
2.1.4, as these are also affected and still in supported range.

### For more information
Please consult [our security
guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
more information regarding the security model and how to contact us with issues
and questions.

### Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu
X-Team.
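The following is an added, pure-Python model of the pattern described in the Impact section above; it is not TensorFlow's code and does not reproduce the C++ kernel's arithmetic. It models only the defect class: a per-batch quantity is obtained by dividing an element count by the batch dimension, so a tensor with batch dimension 0 (the shape in the proof of concept) divides by zero. In Python that surfaces as `ZeroDivisionError`; in the native kernel the same integer division aborts the process, which is why the bug is a denial of service. The hardened variant shows the one check the advisory says was missing, placed before the division. The function names, the `InvalidArgument` class, the NHWC-rank and grad-batch checks, and the shard-cost formula are all assumptions of this model.

```python
"""Model of TFSA-2021-062 (added example, not TensorFlow code).

Vulnerable pattern: divide an element count by the batch dimension without
checking it. Hardened pattern: reject a zero batch dimension first.
"""
from math import prod

NHWC_RANK = 4  # MaxPoolGradWithArgmax operates on 4-D tensors (assumed here)


class InvalidArgument(ValueError):
    """Stand-in for a clean kernel rejection (assumed name, not TF's class)."""


def per_batch_shard_cost(input_shape, grad_shape):
    """Vulnerable pattern: per-batch work estimate, no validation.

    The formula is illustrative only. With input_shape[0] == 0 the integer
    division raises ZeroDivisionError here; in C++ it would SIGFPE.
    """
    batch = input_shape[0]
    input_size = prod(input_shape)
    output_size = prod(grad_shape)
    return (input_size + output_size) // batch


def validate_batch(input_shape, grad_shape):
    """Hardened pre-check (assumed helper): refuse shapes the kernel
    cannot process before any arithmetic depends on them."""
    if len(input_shape) != NHWC_RANK or len(grad_shape) != NHWC_RANK:
        raise InvalidArgument("input and grad must be rank-%d" % NHWC_RANK)
    batch = input_shape[0]
    if batch <= 0:
        # The check the advisory says the original kernel lacked.
        raise InvalidArgument("batch dimension must be positive, got %d" % batch)
    if grad_shape[0] != batch:
        # Pooling preserves the batch axis, so grad must agree (assumed check).
        raise InvalidArgument("grad batch %d != input batch %d"
                              % (grad_shape[0], batch))
    return batch


def hardened_shard_cost(input_shape, grad_shape):
    """Same computation as per_batch_shard_cost, guarded by validate_batch."""
    validate_batch(input_shape, grad_shape)
    return per_batch_shard_cost(input_shape, grad_shape)


def outcome(kernel, input_shape, grad_shape):
    """Run one model kernel and classify how it ends:
    'ok', 'crash' (unchecked division by zero) or 'rejected' (clean error)."""
    try:
        kernel(input_shape, grad_shape)
        return "ok"
    except ZeroDivisionError:
        return "crash"
    except InvalidArgument:
        return "rejected"


if __name__ == "__main__":
    poc = (0, 0, 0, 0)         # shapes from the advisory's proof of concept
    normal_in = (2, 4, 4, 3)   # constructed benign input: N=2, 4x4, 3 channels
    normal_grad = (2, 2, 2, 3)  # constructed benign grad: 2x2 pooled output
    for name, kernel in (("unchecked", per_batch_shard_cost),
                         ("hardened", hardened_shard_cost)):
        print("%-9s poc=%s normal=%s" % (
            name, outcome(kernel, poc, poc),
            outcome(kernel, normal_in, normal_grad)))
```

Running the block prints `crash` for the unchecked kernel on the proof-of-concept shapes and `rejected` for the hardened one, while both report `ok` on the benign shapes; the difference is only where the zero is noticed, before or inside the division.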