CVE-2020-15192

MEDIUM4.3EPSS 0.23%

Memory leak in Tensorflow

發布日:2020/9/25修改日:2026/3/13
也稱為:GHSA-8fxw-76px-3rxvBIT-tensorflow-2020-15192PYSEC-2020-115PYSEC-2020-272PYSEC-2020-307

描述

### Impact If a user passes a list of strings to `dlpack.to_dlpack` there is a memory leak following an expected validation failure: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L100-L104 The allocated memory is from https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L256 The issue occurs because the `status` argument during validation failures is not properly checked: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/c/eager/dlpack.cc#L265-L267 Since each of the above methods can return an error status, the `status` value must be checked before continuing. ### Patches We have patched the issue in 22e07fb204386768e5bcbea563641ea11f96ceb8 and will release a patch release for all affected versions. We recommend users to upgrade to TensorFlow 2.2.1 or 2.3.1. ### For more information Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions. ### Attribution This vulnerability has been discovered during variant analysis of [GHSA-rjjg-hgv6-h69v](https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rjjg-hgv6-h69v).

受影響套件(7)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
osvCVSS 3.1MEDIUM4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

參考連結(9)