issue mindspore SA

security/cve-report_zh_cn.md

@@ -39,7 +39,16 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架，在
 
 ## MindSpore安全公告（SA）
 
-无
+| 公告 | 类型 | 受影响版本 | 上报人 | 附加信息 |
+|  ---   | ----        | ---  | ---    | ---     |
+| [MSSA-2021-008](security_advisory_list/mssa-2021-008.md) | memcpy()越界问题在MindSpore Lite Tile算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-007](security_advisory_list/mssa-2021-007.md) | Integer溢出问题在MindSpore Lite的common_infer.c文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-006](security_advisory_list/mssa-2021-006.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的Transpose算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-005](security_advisory_list/mssa-2021-005.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的SparseToDense算子中 | >= 1.2.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-004](security_advisory_list/mssa-2021-004.md) | 除0导致的SIGFPE问题在MindSpore Lite的Conv算子parser文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-003](security_advisory_list/mssa-2021-003.md) | 除0导致的SIGFPE问题在MindSpore Lite的Reduce算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-002](security_advisory_list/mssa-2021-002.md) | 除0导致的SIGFPE问题在MindSpore Lite的SpaceToBatch算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
+| [MSSA-2021-001](security_advisory_list/mssa-2021-001.md) | 除0导致的SIGFPE问题在MindSpore Lite的Split算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team |  |
 
 ## MindSpore安全说明（SN）
 

security/cve_patch/mssa-2021-001.patch

@@ -0,0 +1,32 @@
+From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:11:07 -0700
+Subject: [PATCH] div 0 bug fix
+
+---
+ mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc
+index 2448a407dd..b96e5aacb8 100644
+--- a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc
++++ b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc
+@@ -50,6 +50,15 @@ int SplitBaseCPUKernel::ReSize() {
+     param->strides_[i] = param->strides_[i + 1] * input_shape.at(i + 1);
+   }
+ 
++  if (input_shape.at(param->split_dim_) == 0) {
++    MS_LOG(ERROR) << "input_shape[" << param->split_dim_ << "] must not be zero!";
++    return RET_ERROR;
++  }
++  if (param->strides_[param->split_dim_] == 0) {
++    MS_LOG(ERROR) << "param->strides_[" << param->split_dim_ << "] must not be zero!";
++    return RET_ERROR;
++  }
++
+   MS_ASSERT(static_cast<size_t>(param->split_dim_) < input_shape.size());
+   param->split_count_ =
+     param->strides_[0] * input_shape.at(0) / (input_shape.at(param->split_dim_) * param->strides_[param->split_dim_]);
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-002.patch

@@ -0,0 +1,29 @@
+From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:11:07 -0700
+Subject: [PATCH] div 0 bug fix
+
+---
+ .../kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c  | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c
+index c19082141d..e1b73101b3 100644
+--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c
++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c
+@@ -51,6 +51,12 @@ int SpaceToBatchInferShape(const TensorC *const *inputs, size_t inputs_size, Ten
+     block_w = block_shape[1];
+   }
+ 
++  if (block_shape[0] == 0) {
++    return NNACL_ERR;
++  }
++  if (block_w == 0) {
++    return NNACL_ERR;
++  }
+   outputs[0]->shape_[kNHWC_N] = input->shape_[kNHWC_N] * (block_shape[0] * block_w);
+   outputs[0]->shape_[kNHWC_H] = (input->shape_[kNHWC_H] + paddings[0] + paddings[1]) / block_shape[0];
+   outputs[0]->shape_[kNHWC_W] = (input->shape_[kNHWC_W] + padding_left + padding_right) / block_w;
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-003.patch

@@ -0,0 +1,27 @@
+From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:11:07 -0700
+Subject: [PATCH] div 0 bug fix
+
+---
+ mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc
+index 044fd170e1..f1e45d47e0 100644
+--- a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc
++++ b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc
+@@ -117,6 +117,10 @@ int ReduceCPUKernel::Run() {
+     outer_size_ = outer_sizes_.at(i);
+     inner_size_ = inner_sizes_.at(i);
+     axis_size_ = axis_sizes_.at(i);
++    if (axis_size_ == 0) {
++      MS_LOG(ERROR) << "axis_size_ is must not be zero!";
++      return RET_ERROR;
++    }
+     auto error_code = ParallelLaunch(static_cast<const lite::InnerContext *>(this->context_)->thread_pool_, ReduceImpl,
+                                      this, context_->thread_num_);
+     if (error_code != RET_OK) {
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-004.patch

@@ -0,0 +1,27 @@
+From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:11:07 -0700
+Subject: [PATCH] div 0 bug fix
+
+---
+ .../lite/tools/converter/parser/tflite/tflite_conv_parser.cc  | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc
+index 3e552883af..c2aac03799 100644
+--- a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc
++++ b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc
+@@ -111,6 +111,10 @@ ops::PrimitiveC *TfliteDepthwiseConv2DParser::Parse(const std::unique_ptr<tflite
+   auto weight_shape = weight_tensor->shape;
+   prim->set_kernel_size({weight_shape[1], weight_shape[2]});
+   prim->set_in_channel(weight_shape[3]);
++  if (tflite_attr->depth_multiplier == 0) {
++    MS_LOG(ERROR) << "depth_multiplier must not be zero!";
++    return nullptr;
++  }
+   prim->set_group(weight_shape[3] / tflite_attr->depth_multiplier);
+ 
+   // get data tensor
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-005.patch

@@ -0,0 +1,26 @@
+From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:25:06 -0700
+Subject: [PATCH] array cross the border
+
+---
+ .../kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c    | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c
+index 4b44ec7568..89620c9634 100644
+--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c
++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c
+@@ -27,6 +27,9 @@ int SparseToDenseInferShape(const TensorC *const *inputs, size_t inputs_size, Te
+ #endif
+ 
+   TensorC *output = outputs[0];
++  if (inputs_size < 3) {
++    return NNACL_INPUT_TENSOR_ERROR;
++  }
+   const TensorC *input1 = inputs[1];
+   const TensorC *input2 = inputs[2];
+   SetDataTypeFormat(output, input2);
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-006.patch

@@ -0,0 +1,102 @@
+From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:25:06 -0700
+Subject: [PATCH] array cross the border
+
+---
+ .../cpu/nnacl/infer/transpose_infer.c         | 70 +++++++++++--------
+ 1 file changed, 40 insertions(+), 30 deletions(-)
+
+diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c
+index 04da736190..b1460bc8be 100644
+--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c
++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c
+@@ -26,6 +26,45 @@ bool CheckPermTransFormat(const int *perm, const int *perm_transformat, const si
+   return true;
+ }
+ 
++int SetOutputShape(int perms_num, const TensorC *input, TensorC *output, int *perm, size_t perm_size, int *out_shape) {
++  if (perms_num == 4) {
++    const int nchw2nhwc[4] = {0, 2, 3, 1};
++    const int nhwc2nchw[4] = {0, 3, 1, 2};
++    const int trans3d[3] = {0, 2, 1};
++    if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) {
++      output->format_ = Format_NHWC;
++    } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) {
++      output->format_ = Format_NCHW;
++    }
++    // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this.
++    if (input->shape_size_ == 3) {
++      ShapeSet(perm, &perm_size, trans3d, 3);
++    }
++  }
++  // set output shape
++  size_t in_shape_size = input->shape_size_;
++  output->shape_size_ = in_shape_size;
++  if (perm_size == 0) {
++    for (size_t i = 0; i < in_shape_size; ++i) {
++      out_shape[in_shape_size - i - 1] = input->shape_[i];
++    }
++  } else if (perm_size != in_shape_size) {
++    for (size_t i = 0; i < in_shape_size; ++i) {
++      out_shape[i] = input->shape_[i];
++    }
++  } else {
++    output->shape_size_ = perm_size;
++    for (size_t i = 0; i < perm_size; ++i) {
++      if (perm[i] >= input->shape_size_) {
++        return NNACL_ERR;
++      } else {
++        out_shape[i] = input->shape_[perm[i]];
++      }
++    }
++  }
++  return NNACL_OK;
++}
++
+ int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **outputs, size_t outputs_size,
+                         OpParameter *parameter) {
+ #ifdef Debug
+@@ -60,38 +99,9 @@ int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, Tensor
+   for (size_t i = 0; i < perms_num; i++) {
+     ShapePush(perm, &perm_size, perm_data[i]);
+   }
+-  const int nchw2nhwc[4] = {0, 2, 3, 1};
+-  const int nhwc2nchw[4] = {0, 3, 1, 2};
+-  const int trans3d[3] = {0, 2, 1};
+-  if (perms_num == 4) {
+-    if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) {
+-      output->format_ = Format_NHWC;
+-    } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) {
+-      output->format_ = Format_NCHW;
+-    }
+-    // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this.
+-    if (input->shape_size_ == 3) {
+-      ShapeSet(perm, &perm_size, trans3d, 3);
+-    }
+-  }
+   // set output shape
+   int out_shape[MAX_TRANSPOSE_DIM_SIZE] = {0};
+-  size_t in_shape_size = input->shape_size_;
+-  output->shape_size_ = in_shape_size;
+-  if (perm_size == 0) {
+-    for (size_t i = 0; i < in_shape_size; ++i) {
+-      out_shape[in_shape_size - i - 1] = input->shape_[i];
+-    }
+-  } else if (perm_size != in_shape_size) {
+-    for (size_t i = 0; i < in_shape_size; ++i) {
+-      out_shape[i] = input->shape_[i];
+-    }
+-  } else {
+-    output->shape_size_ = perm_size;
+-    for (size_t i = 0; i < perm_size; ++i) {
+-      out_shape[i] = input->shape_[perm[i]];
+-    }
+-  }
++  SetOutputShape(perms_num, input, output, perm, perm_size, out_shape);
+   SetShapeArray(output, out_shape, output->shape_size_);
+   return NNACL_OK;
+ }
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-007.patch

@@ -0,0 +1,25 @@
+From 8359643b0ebd9d0931110bd7776080abd2f2259d Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:37:26 -0700
+Subject: [PATCH] common_infer bug
+
+---
+ .../backend/kernel_compiler/cpu/nnacl/infer/common_infer.c      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c
+index 20c15559ed..c422a9c1ab 100644
+--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c
++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c
+@@ -302,7 +302,7 @@ int ShapeInsert(int *shape, size_t *shape_size, int index, int value) {
+ }
+ 
+ int ShapeErase(int *shape, size_t *shape_size, int index) {
+-  if (index < 0 && index >= *shape_size) {
++  if (index < 0 || index >= *shape_size) {
+     return NNACL_ERR;
+   }
+ 
+-- 
+2.17.1
+

security/cve_patch/mssa-2021-008.patch

@@ -0,0 +1,43 @@
+From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001
+From: lzk <liuzhongkai2@huawei.com>
+Date: Fri, 21 May 2021 01:25:06 -0700
+Subject: [PATCH] array cross the border
+
+---
+ .../backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c     | 3 +++
+ mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc      | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c
+index 19e20e71bd..df36be303a 100644
+--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c
++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c
+@@ -63,6 +63,9 @@ int TileInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **o
+     return NNACL_INPUT_TENSOR_ERROR;
+   }
+   multiples_size = data_num;
++  if (inputs[1]->data_type_ != kNumberTypeInt && inputs[1]->data_type_ != kNumberTypeInt32) {
++    return NNACL_INPUT_TENSOR_ERROR;
++  }
+   int *input1_data = inputs[1]->data_;
+   if (input1_data == NULL) {
+     return NNACL_INFER_INVALID;
+diff --git a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc
+index 54548699d0..6898bcffff 100644
+--- a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc
++++ b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc
+@@ -50,6 +50,11 @@ int TileCPUKernel::ReSize() {
+       MS_LOG(ERROR) << "tile's input1 data_num cannot be larger than input0's shape_size.";
+       return false;
+     }
++    if (in_tensors_[1]->data_type() != kNumberTypeInt && in_tensors_[1]->data_type() != kNumberTypeInt32) {
++      MS_LOG(ERROR) << "in_tensors_[1]->data_type():" << in_tensors_[1]->data_type()
++                    << " must be kNumberTypeInt32 or kNumberTypeInt!";
++      return RET_ERROR;
++    }
+     auto input1_addr = reinterpret_cast<int *>(in_tensors_[1]->data_c());
+     for (int i = 0; i < in_tensors_[1]->ElementsNum(); ++i) {
+       tile_parameter_->dims_[i] = i;
+-- 
+2.17.1
+

security/security_advisory_list/mssa-2021-001.md

@@ -0,0 +1,25 @@
+# MSSA-2021-001 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在运行Split算子的resize操作时，如果变量input_shape元素中存在0值，会导致除0 SIGFPE。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-001.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。

security/security_advisory_list/mssa-2021-002.md

@@ -0,0 +1,25 @@
+# MSSA-2021-002 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在运行SpaceToBatch算子的推导shape阶段，如果参数block_shape元素中存在0值，会导致除0 SIGFPE。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-002.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。

security/security_advisory_list/mssa-2021-003.md

@@ -0,0 +1,25 @@
+# MSSA-2021-003 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在运行Refuce算子的run函数时，如果参数axis_sizes元素中存在0值，会导致除0 SIGFPE。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-003.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。

security/security_advisory_list/mssa-2021-004.md

@@ -0,0 +1,25 @@
+# MSSA-2021-004 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在解析tflite Conv算子导MindSporeLite Conv算子的parser阶段时，如果属性depth_multiplier为0，会导致除0 SIGFPE。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-004.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息  
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。

security/security_advisory_list/mssa-2021-005.md

@@ -0,0 +1,25 @@
+# MSSA-2021-005 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在SparseToDense算子的推导shape阶段，如果输入个数小于3，会导致变量inputs访问越界。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-005.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。

security/security_advisory_list/mssa-2021-006.md

@@ -0,0 +1,25 @@
+# MSSA-2021-006 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在Transpose算子的推导shape阶段，如果perm元素中的值大于或等于input_shape size，会导致input_shape访问越界。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-006.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。

security/security_advisory_list/mssa-2021-007.md

@@ -0,0 +1,25 @@
+# MSSA-2021-007 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在算子的公共推导shape阶段，判断逻辑错误，会导致shape访问越界。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [8359643b0ebd9d0931110bd7776080abd2f2259d](https://gitee.com/mindspore/mindspore/commit/8359643b0ebd9d0931110bd7776080abd2f2259d)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-007.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2X)。

security/security_advisory_list/mssa-2021-008.md

@@ -0,0 +1,25 @@
+# MSSA-2021-008 - Security Advisory
+
+## 发布日期
+
+2021-10-18
+
+## 更新日期
+
+2021-10-18
+
+## 影响
+
+- 在Tile算子的推导shape阶段，如果输入数据类型不是int或者int32类型时，会导致内存拷贝越界。
+
+## 补丁
+
+- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题，并且制作了该漏洞的[patch](../cve_patch/mssa-2021-008.patch)。
+
+## CVE
+
+- 待补充。
+
+## 参考信息
+
+- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。