TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation for tf.raw_ops.BoostedTreesCreateEnsemble can result in a use after free error if an attacker supplies specially crafted arguments. The implementation uses a reference counted resource and decrements the refcount if the initialization fails, as it should. However, when the code was written, the resource was represented as a naked pointer but later refactoring has changed it to be a smart pointer. Thus, when the pointer leaves the scope, a subsequent free-ing of the resource occurs, but this fails to take into account that the refcount has already reached 0, thus the resource has been already freed. During this double-free process, members of the resource object are accessed for cleanup but they are invalid as the entire resource has been freed. We have patched the issue in GitHub commit 5ecec9c6fbdbc6be03295685190a45e7eee726ab. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tensorflow | 2.3.0 (including) | 2.3.4 (excluding) | |
| Tensorflow | 2.4.0 (including) | 2.4.3 (excluding) | |
| Tensorflow | 2.5.0 (including) | 2.5.0 (including) | |
| Tensorflow | 2.6.0-rc0 (including) | 2.6.0-rc0 (including) | |
| Tensorflow | 2.6.0-rc1 (including) | 2.6.0-rc1 (including) | |
| Tensorflow | 2.6.0-rc2 (including) | 2.6.0-rc2 (including) |
The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:
In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.