
CVE-2021-29614: Interpreter crash from `tf.io.decode_raw`

CVSS Score
7.1 (CVSS v3.1)

Basic Information

EPSS Score
0.0254%
Published
5/21/2021
Updated
11/13/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tensorflow | pip | < 2.1.4 | 2.1.4 |
| tensorflow | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
| tensorflow | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
| tensorflow | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
| tensorflow-cpu | pip | < 2.1.4 | 2.1.4 |
| tensorflow-cpu | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
| tensorflow-cpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
| tensorflow-cpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |
| tensorflow-gpu | pip | < 2.1.4 | 2.1.4 |
| tensorflow-gpu | pip | >= 2.2.0, < 2.2.3 | 2.2.3 |
| tensorflow-gpu | pip | >= 2.3.0, < 2.3.3 | 2.3.3 |
| tensorflow-gpu | pip | >= 2.4.0, < 2.4.2 | 2.4.2 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from incorrect pointer arithmetic in the per-string reencoding loop of DecodePaddedRawOp::Compute, the kernel behind `tf.io.decode_raw` when `fixed_length` is supplied. The output slot width is computed in elements as `width = fixed_length / sizeof(T)`, but after each input string the output pointer is advanced with `out_data += fixed_length`. Because `out_data` is a `T*`, that moves the pointer `fixed_length * sizeof(T)` bytes instead of the intended `fixed_length` bytes (`width` elements), i.e. `sizeof(T)` times too far. The i-th string is therefore copied to byte offset `i * fixed_length * sizeof(T)` rather than `i * fixed_length`, and the memcpy for later strings lands past the end of the allocated output tensor: a heap buffer overflow that corrupts memory and crashes the interpreter. With single-byte output types `width == fixed_length`, so the defect is masked; it only manifests with wider datatypes such as `uint16` or `float32`, which is what the advisory's description emphasises. The patch changes the advancement to `out_data += width`, confirming this as the root cause. The function's direct manipulation of raw memory buffers and pointer arithmetic makes it the clear vulnerable component.
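The following is an added example, not TensorFlow's code: a reduced model of the DecodePaddedRawOp loop in which a `patched` flag selects the fixed step (`width` elements) or the original step (`fixed_length` "elements", which is `fixed_length * sizeof(T)` bytes). It quantifies how far past the output buffer the original step writes for the advisory's input shape, shows that single-byte types are unaffected, and adds the bounds check a hardened loop should carry so that a wrong step fails closed rather than corrupting the heap. All function names and the four-string input are this example's own constructions.

```cpp
// Added example (not TensorFlow's code): model of the DecodePaddedRawOp loop.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Elements of T that the output pointer moves per input string. fixed_length is
// a byte count; applied to a T* it is scaled by sizeof(T), so the unpatched
// step is sizeof(T) times larger than the width-sized slot it should skip.
template <typename T>
std::size_t step_elements(std::size_t fixed_length, bool patched) {
  const std::size_t width = fixed_length / sizeof(T);
  return patched ? width : fixed_length;
}

// Bytes by which the last memcpy would extend past an output buffer sized for
// n_strings * width elements (0 means every write stays in bounds).
template <typename T>
std::size_t overflow_bytes(std::size_t n_strings, std::size_t fixed_length,
                           bool patched) {
  if (n_strings == 0) return 0;
  const std::size_t width = fixed_length / sizeof(T);
  const std::size_t buf_bytes = n_strings * width * sizeof(T);
  const std::size_t step_bytes =
      step_elements<T>(fixed_length, patched) * sizeof(T);
  const std::size_t last_write_end = (n_strings - 1) * step_bytes + fixed_length;
  return last_write_end > buf_bytes ? last_write_end - buf_bytes : 0;
}

// Decode loop with the kernel's two argument checks (positive fixed_length that
// is a multiple of sizeof(T)) plus an explicit bounds check before every write.
// Padding is done through a byte pointer so the zero-fill offset is in bytes.
template <typename T>
std::vector<T> decode_padded_raw(const std::vector<std::string>& in,
                                 std::size_t fixed_length, bool patched) {
  if (fixed_length == 0 || fixed_length % sizeof(T) != 0)
    throw std::invalid_argument(
        "fixed_length must be a positive multiple of sizeof(T)");
  const std::size_t width = fixed_length / sizeof(T);
  std::vector<T> out(in.size() * width);
  std::size_t pos = 0;  // element index into out; stands in for out_data
  for (const std::string& s : in) {
    if (pos + width > out.size())  // fail closed instead of overflowing
      throw std::out_of_range("write would run past the output buffer");
    unsigned char* dst = reinterpret_cast<unsigned char*>(out.data() + pos);
    const std::size_t n = s.size() < fixed_length ? s.size() : fixed_length;
    std::memcpy(dst, s.data(), n);              // truncate to fixed_length
    std::memset(dst + n, 0, fixed_length - n);  // zero-pad the remainder
    pos += step_elements<T>(fixed_length, patched);
  }
  return out;
}

// Constructed input shaped like the advisory's trigger: four one-byte strings,
// uint16 output, fixed_length = 4 (width = 2 elements per string).
static const std::vector<std::string> kInput = {"1", "2", "3", "4"};

// True when the unpatched step trips the bounds check on that input.
bool unpatched_step_overflows() {
  try {
    decode_padded_raw<std::uint16_t>(kInput, 4, /*patched=*/false);
    return false;
  } catch (const std::out_of_range&) {
    return true;
  }
}

// True when the patched step yields 4 slots of 4 bytes each: the character
// followed by three zero pad bytes (checked byte-wise, so endian-neutral).
bool patched_decode_is_correct() {
  std::vector<std::uint16_t> out =
      decode_padded_raw<std::uint16_t>(kInput, 4, /*patched=*/true);
  if (out.size() != 8) return false;
  const unsigned char* b = reinterpret_cast<const unsigned char*>(out.data());
  for (std::size_t i = 0; i < 4; ++i) {
    if (b[4 * i] != static_cast<unsigned char>('1' + i)) return false;
    if (b[4 * i + 1] != 0 || b[4 * i + 2] != 0 || b[4 * i + 3] != 0) return false;
  }
  return true;
}

int main() {
  std::printf("uint16, unpatched: %zu bytes past the buffer\n",
              overflow_bytes<std::uint16_t>(4, 4, false));
  std::printf("uint16, patched:   %zu bytes past the buffer\n",
              overflow_bytes<std::uint16_t>(4, 4, true));
  std::printf("uint8,  unpatched: %zu bytes past the buffer\n",
              overflow_bytes<std::uint8_t>(4, 4, false));
  std::printf("bounds check trips on unpatched step: %s\n",
              unpatched_step_overflows() ? "yes" : "no");
  return 0;
}
```

For the advisory's shape the unpatched step puts the fourth write 12 bytes past a 16-byte buffer, while `uint8` output is untouched because `width == fixed_length`; the same arithmetic gives 36 bytes of overrun for `float32`. The bounds check is the defence-in-depth a kernel that hand-walks a `T*` should have had regardless of the step size.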


WAF Protection Rules

WAF Rule

### Impact
The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_length` and wider datatypes.

```python
import tensorflow as tf

tf.io.decode_raw(tf.constant(["1","2","3","4"]),
```
