26 lines
1.3 KiB
Diff
26 lines
1.3 KiB
Diff
From 5ecec9c6fbdbc6be03295685190a45e7eee726ab Mon Sep 17 00:00:00 2001
|
|
From: Mihai Maruseac <mihaimaruseac@google.com>
|
|
Date: Fri, 30 Jul 2021 19:13:19 -0700
|
|
Subject: [PATCH] Prevent use after free.
|
|
|
|
A very old version of the code used `result` as a simple pointer to a resource. Two years later, the pointer got changed to a `unique_ptr` but author forgot to remove the call to `Unref`. Three years after that, we finally uncover the UAF.
|
|
|
|
PiperOrigin-RevId: 387924872
|
|
Change-Id: I70fb6f199164de49fac20c168132a07b84903f9b
|
|
---
|
|
tensorflow/core/kernels/boosted_trees/resource_ops.cc | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/tensorflow/core/kernels/boosted_trees/resource_ops.cc b/tensorflow/core/kernels/boosted_trees/resource_ops.cc
|
|
index d50885fa3f511..f2c60b9b4511d 100644
|
|
--- a/tensorflow/core/kernels/boosted_trees/resource_ops.cc
|
|
+++ b/tensorflow/core/kernels/boosted_trees/resource_ops.cc
|
|
@@ -53,6 +53,7 @@ class BoostedTreesCreateEnsembleOp : public OpKernel {
|
|
if (!result->InitFromSerialized(
|
|
tree_ensemble_serialized_t->scalar<tstring>()(), stamp_token)) {
|
|
result->Unref();
|
|
+ result.release(); // Needed due to the `->Unref` above, to prevent UAF
|
|
OP_REQUIRES(
|
|
context, false,
|
|
errors::InvalidArgument("Unable to parse tree ensemble proto."));
|