CVE-2020-15266

Undefined behavior in Tensorflow

CVSS 3.7 LOWEPSS 0.9%CWE-119

In short

TensorFlow's image cropping function crashes when given extremely large box coordinates due to improper handling of invalid floating-point values. This can cause the application to stop working unexpectedly.

Technical detail

The `tf.image.crop_and_resize` function's CPU kernel does not properly validate the `boxes` argument, allowing very large values to be interpreted as NaN floating-point values. Subsequent operations on these invalid values trigger undefined behavior, resulting in a segmentation fault that crashes the process.

Summary generated and translated by AI from the official description.

In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

tensorflow · tensorflow

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/tensorflow/tensorflow/issues/42129 https://github.com/tensorflow/tensorflow/pull/42143/commits/3ade2efec2e90c6237de32a19680caaa3ebc2845 https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xwhf-g6j5-j5gc