1## TFSA-2021-124: Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord` 2 3### CVE Number 4CVE-2021-37650 5 6### Impact 7The implementation for `tf.raw_ops.ExperimentalDatasetToTFRecord` and 8`tf.raw_ops.DatasetToTFRecord` can trigger heap buffer overflow and segmentation 9fault: 10 11```python 12import tensorflow as tf 13 14dataset = tf.data.Dataset.range(3) 15dataset = tf.data.experimental.to_variant(dataset) 16tf.raw_ops.ExperimentalDatasetToTFRecord( 17 input_dataset=dataset, 18 filename='/tmp/output', 19 compression_type='') 20``` 21 22The 23[implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/data/experimental/to_tf_record_op.cc#L93-L102) 24assumes that all records in the dataset are of string type. However, there is no 25check for that, and the example given above uses numeric types. 26 27### Patches 28We have patched the issue in GitHub commit 29[e0b6e58c328059829c3eb968136f17aa72b6c876](https://github.com/tensorflow/tensorflow/commit/e0b6e58c328059829c3eb968136f17aa72b6c876). 30 31The fix will be included in TensorFlow 2.6.0. We will also cherrypick this 32commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are 33also affected and still in supported range. 34 35### For more information 36Please consult [our security 37guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for 38more information regarding the security model and how to contact us with issues 39and questions. 40 41### Attribution 42This vulnerability has been reported by members of the Aivul Team from Qihoo 43360. 44