google tensorflow 释放后使用

CVE编号

CVE-2021-37652

利用情况

暂无

补丁情况

N/A

披露时间

2021-08-13

漏洞描述

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for `tf.raw_ops.BoostedTreesCreateEnsemble` can result in a use after free error if an attacker supplies specially crafted arguments. The [implementation](https://github.com/tensorflow/tensorflow/blob/f24faa153ad31a4b51578f8181d3aaab77a1ddeb/tensorflow/core/kernels/boosted_trees/resource_ops.cc#L55) uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent `free`-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed. We have patched the issue in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/tensorflow/tensorflow/commit/5ecec9c6fbdbc6be03295685190a4...
https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m7fm-4jfh-jrg6

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	google	tensorflow	*	From (including) 2.3.0	Up to (excluding) 2.3.4
	运行在以下环境
	应用	google	tensorflow	*	From (including) 2.4.0	Up to (excluding) 2.4.3
	运行在以下环境
	应用	google	tensorflow	2.5.0	-
	运行在以下环境
	应用	google	tensorflow	2.6.0	-

CVSS3评分 7.8

• 攻击路径 本地
• 攻击复杂度 低
• 权限要求 低
• 影响范围 未更改
• 用户交互 无
• 可用性 高
• 保密性 高
• 完整性 高

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-ID 漏洞类型 CWE-416 释放后使用