tensorflow/CVE-2021-29576.patch

From 63c6a29d0f2d692b247f7bf81f8732d6442fad09 Mon Sep 17 00:00:00 2001
From: Mihai Maruseac <mihaimaruseac@google.com>
Date: Wed, 5 May 2021 18:07:02 -0700
Subject: [PATCH] Add missing validation, prevent heap OOB

PiperOrigin-RevId: 372246723
Change-Id: I1a454a643810e77d7d14821b342098c56a09fbbf
---
 tensorflow/core/kernels/pooling_ops_3d.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tensorflow/core/kernels/pooling_ops_3d.cc b/tensorflow/core/kernels/pooling_ops_3d.cc
index 7d133b66a1ebd..9da2d62b0a21d 100644
--- a/tensorflow/core/kernels/pooling_ops_3d.cc
+++ b/tensorflow/core/kernels/pooling_ops_3d.cc
@@ -693,6 +693,7 @@ class MaxPooling3dGradGradOp : public OpKernel {
 
     Pool3dParameters params{context,  ksize_,       stride_,
                             padding_, data_format_, tensor_in.shape()};
+    if (!context->status().ok()) return;  // params is invalid
 
     Tensor* output = nullptr;
     OP_REQUIRES_OK(context, context->forward_input_or_allocate_output(
@@ -710,6 +711,17 @@ class MaxPooling3dGradGradOp : public OpKernel {
         context, out_grad_backprop.NumElements() > 0,
         errors::InvalidArgument("received empty tensor out_grad_backprop: ",
                                 out_grad_backprop.DebugString()));
+    OP_REQUIRES(context,
+                tensor_in.NumElements() == out_grad_backprop.NumElements(),
+                errors::InvalidArgument("tensor_in and out_grad_backprop must "
+                                        "have same number of elements, got <",
+                                        tensor_in.DebugString(), "> and <",
+                                        out_grad_backprop.DebugString(), ">"));
+    OP_REQUIRES(
+        context, tensor_out.NumElements() == output->NumElements(),
+        errors::InvalidArgument(
+            "tensor_out and output must have same number of elements, got <",
+            tensor_out.DebugString(), "> and <", output->DebugString(), ">"));
 
     LaunchMaxPooling3dGradGradOp<Device, T>::launch(
         context, params, tensor_in, tensor_out, out_grad_backprop, output);
fix CVE-2021-29512 CVE-2021-29514 CVE-2021-29519 CVE-2021-29520 CVE-2021-29522 CVE-2021-29524 CVE-2021-29527-to-CVE-2021-29530 CVE-2021-29532 CVE-2021-29536 CVE-2021-29539 CVE-2021-29541-to-CVE-2021-29543 CVE-2021-29545-to-CVE-2021-29547 CVE-2021-29549 CVE-2021-29550 CVE-2021-29552-to-CVE-2021-29559 CVE-2021-29561-to-CVE-2021-29564 CVE-2021-29567-to-CVE-2021-29570 CVE-2021-29572-to-CVE-2021-29582 CVE-2021-29585-to-CVE-2021-29588 CVE-2021-29590-to-CVE-2021-29593 CVE-2021-29596-to-CVE-2021-29601 CVE-2021-29603 CVE-2021-29605-to-CVE-2021-29609 CVE-2021-29613 CVE-2021-29615-to-CVE-2021-29617 CVE-2021-29619 CVE-2021-37637-to-CVE-2021-37639 CVE-2021-37641 CVE-2021-37644 CVE-2021-37646-to-CVE-2021-37649 CVE-2021-37652 CVE-2021-37656 CVE-2021-37659 CVE-2021-37660 CVE-2021-37663 CVE-2021-37667 CVE-2021-37670-to-CVE-2021-37673 CVE-2021-37676 CVE-2021-37677 CVE-2021-37680 CVE-2021-37682 CVE-2021-37685 CVE-2021-37687-to-CVE-2021-37689 2021-08-26 16:45:57 +08:00			`From 63c6a29d0f2d692b247f7bf81f8732d6442fad09 Mon Sep 17 00:00:00 2001`
			`From: Mihai Maruseac <mihaimaruseac@google.com>`
			`Date: Wed, 5 May 2021 18:07:02 -0700`
			`Subject: [PATCH] Add missing validation, prevent heap OOB`

			`PiperOrigin-RevId: 372246723`
			`Change-Id: I1a454a643810e77d7d14821b342098c56a09fbbf`
			`---`
			`tensorflow/core/kernels/pooling_ops_3d.cc \| 12 ++++++++++++`
			`1 file changed, 12 insertions(+)`

			`diff --git a/tensorflow/core/kernels/pooling_ops_3d.cc b/tensorflow/core/kernels/pooling_ops_3d.cc`
			`index 7d133b66a1ebd..9da2d62b0a21d 100644`
			`--- a/tensorflow/core/kernels/pooling_ops_3d.cc`
			`+++ b/tensorflow/core/kernels/pooling_ops_3d.cc`
			`@@ -693,6 +693,7 @@ class MaxPooling3dGradGradOp : public OpKernel {`

			`Pool3dParameters params{context, ksize_, stride_,`
			`padding_, data_format_, tensor_in.shape()};`
			`+ if (!context->status().ok()) return; // params is invalid`

			`Tensor* output = nullptr;`
			`OP_REQUIRES_OK(context, context->forward_input_or_allocate_output(`
			`@@ -710,6 +711,17 @@ class MaxPooling3dGradGradOp : public OpKernel {`
			`context, out_grad_backprop.NumElements() > 0,`
			`errors::InvalidArgument("received empty tensor out_grad_backprop: ",`
			`out_grad_backprop.DebugString()));`
			`+ OP_REQUIRES(context,`
			`+ tensor_in.NumElements() == out_grad_backprop.NumElements(),`
			`+ errors::InvalidArgument("tensor_in and out_grad_backprop must "`
			`+ "have same number of elements, got <",`
			`+ tensor_in.DebugString(), "> and <",`
			`+ out_grad_backprop.DebugString(), ">"));`
			`+ OP_REQUIRES(`
			`+ context, tensor_out.NumElements() == output->NumElements(),`
			`+ errors::InvalidArgument(`
			`+ "tensor_out and output must have same number of elements, got <",`
			`+ tensor_out.DebugString(), "> and <", output->DebugString(), ">"));`

			`LaunchMaxPooling3dGradGradOp<Device, T>::launch(`
			`context, params, tensor_in, tensor_out, out_grad_backprop, output);`