diff --git a/CVE-2022-23565.patch b/CVE-2022-23565.patch new file mode 100644 index 0000000000000000000000000000000000000000..d0d538d5bfead300c635eea235aab7eb10a3e776 --- /dev/null +++ b/CVE-2022-23565.patch @@ -0,0 +1,35 @@ +From b7b1a154aeeffd605c89c502a1a86e0caf4dee6f Mon Sep 17 00:00:00 2001 +From: Mihai Maruseac +Date: Mon, 8 Nov 2021 10:14:10 -0800 +Subject: [PATCH] Remove a `DCHECK`-fail, log an error instead. + +`DCHECK` in debug mode results in crashes. TensorFlow has had multiple vulnerabilities due to this. + +Outside of debug mode, `DCHECK` is a no-op. + +A better alternative is to report an error to the log buffer and continue. This should happen both in debug mode and in prod mode. + +PiperOrigin-RevId: 408375925 +Change-Id: Id5b3e19c73f3fbe0cc4bba26ca44ff9607bb6356 +--- + tensorflow/core/framework/op_def_util.cc | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/tensorflow/core/framework/op_def_util.cc b/tensorflow/core/framework/op_def_util.cc +index 486f92b3b20fd..8500f247bf071 100644 +--- a/tensorflow/core/framework/op_def_util.cc ++++ b/tensorflow/core/framework/op_def_util.cc +@@ -818,9 +818,10 @@ bool RepeatedAttrDefEqual( + const protobuf::RepeatedPtrField& a2) { + std::unordered_map a1_set; + for (const OpDef::AttrDef& def : a1) { +- DCHECK(a1_set.find(def.name()) == a1_set.end()) +- << "AttrDef names must be unique, but '" << def.name() +- << "' appears more than once"; ++ if (a1_set.find(def.name()) != a1_set.end()) { ++ LOG(ERROR) << "AttrDef names must be unique, but '" << def.name() ++ << "' appears more than once"; ++ } + a1_set[def.name()] = &def; + } + for (const OpDef::AttrDef& def : a2) { diff --git a/CVE-2022-23567-1.patch b/CVE-2022-23567-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f7a768670c60188dfe02aef050ad76b0341bbad --- /dev/null +++ b/CVE-2022-23567-1.patch @@ -0,0 +1,40 @@ +From e4cc80bcd0877acdc34d3d943b2c029e99f70dcb Mon Sep 17 00:00:00 2001 +From: Mihai Maruseac +Date: Fri, 10 Dec 2021 09:46:39 -0800 +Subject: [PATCH] Add missing validation to sparse dense cwise ops. + +PiperOrigin-RevId: 415543133 +Change-Id: I5baf3284e919338afb96178c468ad3d3cb0d956c +--- + .../core/kernels/sparse_dense_binary_op_shared.cc | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc b/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc +index dda05dbc3b8cb..c7b1afdcca36b 100644 +--- a/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc ++++ b/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc +@@ -78,11 +78,24 @@ class SparseDenseBinaryOpShared : public OpKernel { + "but received shapes: ", + values_t->shape().DebugString(), " and ", + shape_t->shape().DebugString())); ++ OP_REQUIRES( ++ ctx, TensorShapeUtils::IsVector(shape_t->shape()), ++ errors::InvalidArgument("Input sp_shape must be a vector. Got: ", ++ shape_t->shape().DebugString())); + OP_REQUIRES( + ctx, values_t->dim_size(0) == indices_t->dim_size(0), + errors::InvalidArgument( + "The first dimension of values and indices should match. (", + values_t->dim_size(0), " vs. ", indices_t->dim_size(0), ")")); ++ OP_REQUIRES( ++ ctx, shape_t->shape().dim_size(0) == indices_t->shape().dim_size(1), ++ errors::InvalidArgument( ++ "Number of dimensions must match second dimension of indices. ", ++ "Got ", shape_t->shape().dim_size(0), ++ " dimensions, indices shape: ", indices_t->shape().DebugString())); ++ OP_REQUIRES(ctx, shape_t->NumElements() > 0, ++ errors::InvalidArgument( ++ "The shape argument requires at least one element.")); + + const auto indices_mat = indices_t->matrix(); + const auto shape_vec = shape_t->vec(); diff --git a/CVE-2022-23567-2.patch b/CVE-2022-23567-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..088b96d22b0402965f3abb6503a9edb6034a677e --- /dev/null +++ b/CVE-2022-23567-2.patch @@ -0,0 +1,26 @@ +From 5c5cdbd809ec58f0c76176778a8ed29024a78acc Mon Sep 17 00:00:00 2001 +From: Mihai Maruseac +Date: Fri, 10 Dec 2021 09:46:48 -0800 +Subject: [PATCH] Prevent overflow in sparse dense cwise ops. + +PiperOrigin-RevId: 415543171 +Change-Id: I22dab7c41be2121ab5efe5403ca0e2f9b7cb24b8 +--- + tensorflow/core/kernels/sparse_dense_binary_op_shared.cc | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc b/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc +index c7b1afdcca36b..6e3f4969bcf14 100644 +--- a/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc ++++ b/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc +@@ -99,7 +99,9 @@ class SparseDenseBinaryOpShared : public OpKernel { + + const auto indices_mat = indices_t->matrix(); + const auto shape_vec = shape_t->vec(); +- const auto lhs_dims = BCast::FromShape(TensorShape(shape_vec)); ++ TensorShape lhs_shape; ++ OP_REQUIRES_OK(ctx, TensorShape::BuildTensorShape(shape_vec, &lhs_shape)); ++ const auto lhs_dims = BCast::FromShape(lhs_shape); + const auto rhs_dims = BCast::FromShape(dense_t->shape()); + BCast b(lhs_dims, rhs_dims, false); // false for keeping the same num dims. + diff --git a/tensorflow.spec b/tensorflow.spec index 49af647ddde8852ff24b149afa3c8592426d0163..97cc94201135189773b77fced24e7ab7cdaad365 100644 --- a/tensorflow.spec +++ b/tensorflow.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: tensorflow Version: 2.3.1 -Release: 12 +Release: 13 Summary: An Open Source Machine Learning Framework for Everyone License: Apache License 2.0 URL: https://www.tensorflow.org/ @@ -191,6 +191,9 @@ Patch0179: CVE-2021-37690-3.patch Patch0180: CVE-2021-41210.patch Patch0181: CVE-2021-41219.patch Patch0182: CVE-2021-41223.patch +Patch0183: CVE-2022-23565.patch +Patch0184: CVE-2022-23567-1.patch +Patch0185: CVE-2022-23567-2.patch Requires: python3-future Requires: python3-numpy @@ -259,6 +262,9 @@ echo "%{_libdir}/openmpi/lib" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.c %changelog +* Thu Feb 10 2022 yaoxin - 2.3.1-13 +- Fix CVE-2022-23565 CVE-2022-23567 + * Wed Nov 10 2021 houyingchao - 2.3.1-12 - Fix CVE-2021-41210 CVE-2021-41219 CVE-2021-41223