From 5b43e467a95f8f5dab9e3c659fa3fe6ec46e4f3e Mon Sep 17 00:00:00 2001 From: chengxianbin Date: Sun, 19 Sep 2021 18:25:37 +0800 Subject: [PATCH] issue mindspore SA --- security/cve-report_zh_cn.md | 11 ++- security/cve_patch/mssa-2021-001.patch | 32 +++++++ security/cve_patch/mssa-2021-002.patch | 29 +++++++ security/cve_patch/mssa-2021-003.patch | 27 ++++++ security/cve_patch/mssa-2021-004.patch | 27 ++++++ security/cve_patch/mssa-2021-005.patch | 26 ++++++ security/cve_patch/mssa-2021-006.patch | 102 +++++++++++++++++++++++ security/cve_patch/mssa-2021-007.patch | 25 ++++++ security/cve_patch/mssa-2021-008.patch | 43 ++++++++++ security/security_advisory_list/mssa-2021-001.md | 25 ++++++ security/security_advisory_list/mssa-2021-002.md | 25 ++++++ security/security_advisory_list/mssa-2021-003.md | 25 ++++++ security/security_advisory_list/mssa-2021-004.md | 25 ++++++ security/security_advisory_list/mssa-2021-005.md | 25 ++++++ security/security_advisory_list/mssa-2021-006.md | 25 ++++++ security/security_advisory_list/mssa-2021-007.md | 25 ++++++ security/security_advisory_list/mssa-2021-008.md | 25 ++++++ 17 files changed, 521 insertions(+), 1 deletion(-) create mode 100644 security/cve_patch/mssa-2021-001.patch create mode 100644 security/cve_patch/mssa-2021-002.patch create mode 100644 security/cve_patch/mssa-2021-003.patch create mode 100644 security/cve_patch/mssa-2021-004.patch create mode 100644 security/cve_patch/mssa-2021-005.patch create mode 100644 security/cve_patch/mssa-2021-006.patch create mode 100644 security/cve_patch/mssa-2021-007.patch create mode 100644 security/cve_patch/mssa-2021-008.patch create mode 100644 security/security_advisory_list/mssa-2021-001.md create mode 100644 security/security_advisory_list/mssa-2021-002.md create mode 100644 security/security_advisory_list/mssa-2021-003.md create mode 100644 security/security_advisory_list/mssa-2021-004.md create mode 100644 security/security_advisory_list/mssa-2021-005.md create mode 100644 security/security_advisory_list/mssa-2021-006.md create mode 100644 security/security_advisory_list/mssa-2021-007.md create mode 100644 security/security_advisory_list/mssa-2021-008.md diff --git a/security/cve-report_zh_cn.md b/security/cve-report_zh_cn.md index 6f4429f..912f09b 100644 --- a/security/cve-report_zh_cn.md +++ b/security/cve-report_zh_cn.md @@ -39,7 +39,16 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 ## MindSpore安全公告(SA) -无 +| 公告 | 类型 | 受影响版本 | 上报人 | 附加信息 | +| --- | ---- | --- | --- | --- | +| [MSSA-2021-008](security_advisory_list/mssa-2021-008.md) | memcpy()越界问题在MindSpore Lite Tile算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-007](security_advisory_list/mssa-2021-007.md) | Integer溢出问题在MindSpore Lite的common_infer.c文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-006](security_advisory_list/mssa-2021-006.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的Transpose算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-005](security_advisory_list/mssa-2021-005.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的SparseToDense算子中 | >= 1.2.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-004](security_advisory_list/mssa-2021-004.md) | 除0导致的SIGFPE问题在MindSpore Lite的Conv算子parser文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-003](security_advisory_list/mssa-2021-003.md) | 除0导致的SIGFPE问题在MindSpore Lite的Reduce算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-002](security_advisory_list/mssa-2021-002.md) | 除0导致的SIGFPE问题在MindSpore Lite的SpaceToBatch算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | +| [MSSA-2021-001](security_advisory_list/mssa-2021-001.md) | 除0导致的SIGFPE问题在MindSpore Lite的Split算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | ## MindSpore安全说明(SN) diff --git a/security/cve_patch/mssa-2021-001.patch b/security/cve_patch/mssa-2021-001.patch new file mode 100644 index 0000000..0a55547 --- /dev/null +++ b/security/cve_patch/mssa-2021-001.patch @@ -0,0 +1,32 @@ +From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:11:07 -0700 +Subject: [PATCH] div 0 bug fix + +--- + mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc +index 2448a407dd..b96e5aacb8 100644 +--- a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc ++++ b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc +@@ -50,6 +50,15 @@ int SplitBaseCPUKernel::ReSize() { + param->strides_[i] = param->strides_[i + 1] * input_shape.at(i + 1); + } + ++ if (input_shape.at(param->split_dim_) == 0) { ++ MS_LOG(ERROR) << "input_shape[" << param->split_dim_ << "] must not be zero!"; ++ return RET_ERROR; ++ } ++ if (param->strides_[param->split_dim_] == 0) { ++ MS_LOG(ERROR) << "param->strides_[" << param->split_dim_ << "] must not be zero!"; ++ return RET_ERROR; ++ } ++ + MS_ASSERT(static_cast(param->split_dim_) < input_shape.size()); + param->split_count_ = + param->strides_[0] * input_shape.at(0) / (input_shape.at(param->split_dim_) * param->strides_[param->split_dim_]); +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-002.patch b/security/cve_patch/mssa-2021-002.patch new file mode 100644 index 0000000..c1a7508 --- /dev/null +++ b/security/cve_patch/mssa-2021-002.patch @@ -0,0 +1,29 @@ +From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:11:07 -0700 +Subject: [PATCH] div 0 bug fix + +--- + .../kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c +index c19082141d..e1b73101b3 100644 +--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c ++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c +@@ -51,6 +51,12 @@ int SpaceToBatchInferShape(const TensorC *const *inputs, size_t inputs_size, Ten + block_w = block_shape[1]; + } + ++ if (block_shape[0] == 0) { ++ return NNACL_ERR; ++ } ++ if (block_w == 0) { ++ return NNACL_ERR; ++ } + outputs[0]->shape_[kNHWC_N] = input->shape_[kNHWC_N] * (block_shape[0] * block_w); + outputs[0]->shape_[kNHWC_H] = (input->shape_[kNHWC_H] + paddings[0] + paddings[1]) / block_shape[0]; + outputs[0]->shape_[kNHWC_W] = (input->shape_[kNHWC_W] + padding_left + padding_right) / block_w; +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-003.patch b/security/cve_patch/mssa-2021-003.patch new file mode 100644 index 0000000..5722a6b --- /dev/null +++ b/security/cve_patch/mssa-2021-003.patch @@ -0,0 +1,27 @@ +From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:11:07 -0700 +Subject: [PATCH] div 0 bug fix + +--- + mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc +index 044fd170e1..f1e45d47e0 100644 +--- a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc ++++ b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc +@@ -117,6 +117,10 @@ int ReduceCPUKernel::Run() { + outer_size_ = outer_sizes_.at(i); + inner_size_ = inner_sizes_.at(i); + axis_size_ = axis_sizes_.at(i); ++ if (axis_size_ == 0) { ++ MS_LOG(ERROR) << "axis_size_ is must not be zero!"; ++ return RET_ERROR; ++ } + auto error_code = ParallelLaunch(static_cast(this->context_)->thread_pool_, ReduceImpl, + this, context_->thread_num_); + if (error_code != RET_OK) { +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-004.patch b/security/cve_patch/mssa-2021-004.patch new file mode 100644 index 0000000..8c147b2 --- /dev/null +++ b/security/cve_patch/mssa-2021-004.patch @@ -0,0 +1,27 @@ +From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:11:07 -0700 +Subject: [PATCH] div 0 bug fix + +--- + .../lite/tools/converter/parser/tflite/tflite_conv_parser.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc +index 3e552883af..c2aac03799 100644 +--- a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc ++++ b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc +@@ -111,6 +111,10 @@ ops::PrimitiveC *TfliteDepthwiseConv2DParser::Parse(const std::unique_ptrshape; + prim->set_kernel_size({weight_shape[1], weight_shape[2]}); + prim->set_in_channel(weight_shape[3]); ++ if (tflite_attr->depth_multiplier == 0) { ++ MS_LOG(ERROR) << "depth_multiplier must not be zero!"; ++ return nullptr; ++ } + prim->set_group(weight_shape[3] / tflite_attr->depth_multiplier); + + // get data tensor +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-005.patch b/security/cve_patch/mssa-2021-005.patch new file mode 100644 index 0000000..66aac60 --- /dev/null +++ b/security/cve_patch/mssa-2021-005.patch @@ -0,0 +1,26 @@ +From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:25:06 -0700 +Subject: [PATCH] array cross the border + +--- + .../kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c +index 4b44ec7568..89620c9634 100644 +--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c ++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c +@@ -27,6 +27,9 @@ int SparseToDenseInferShape(const TensorC *const *inputs, size_t inputs_size, Te + #endif + + TensorC *output = outputs[0]; ++ if (inputs_size < 3) { ++ return NNACL_INPUT_TENSOR_ERROR; ++ } + const TensorC *input1 = inputs[1]; + const TensorC *input2 = inputs[2]; + SetDataTypeFormat(output, input2); +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-006.patch b/security/cve_patch/mssa-2021-006.patch new file mode 100644 index 0000000..2d36ae5 --- /dev/null +++ b/security/cve_patch/mssa-2021-006.patch @@ -0,0 +1,102 @@ +From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:25:06 -0700 +Subject: [PATCH] array cross the border + +--- + .../cpu/nnacl/infer/transpose_infer.c | 70 +++++++++++-------- + 1 file changed, 40 insertions(+), 30 deletions(-) + +diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c +index 04da736190..b1460bc8be 100644 +--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c ++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c +@@ -26,6 +26,45 @@ bool CheckPermTransFormat(const int *perm, const int *perm_transformat, const si + return true; + } + ++int SetOutputShape(int perms_num, const TensorC *input, TensorC *output, int *perm, size_t perm_size, int *out_shape) { ++ if (perms_num == 4) { ++ const int nchw2nhwc[4] = {0, 2, 3, 1}; ++ const int nhwc2nchw[4] = {0, 3, 1, 2}; ++ const int trans3d[3] = {0, 2, 1}; ++ if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) { ++ output->format_ = Format_NHWC; ++ } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) { ++ output->format_ = Format_NCHW; ++ } ++ // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this. ++ if (input->shape_size_ == 3) { ++ ShapeSet(perm, &perm_size, trans3d, 3); ++ } ++ } ++ // set output shape ++ size_t in_shape_size = input->shape_size_; ++ output->shape_size_ = in_shape_size; ++ if (perm_size == 0) { ++ for (size_t i = 0; i < in_shape_size; ++i) { ++ out_shape[in_shape_size - i - 1] = input->shape_[i]; ++ } ++ } else if (perm_size != in_shape_size) { ++ for (size_t i = 0; i < in_shape_size; ++i) { ++ out_shape[i] = input->shape_[i]; ++ } ++ } else { ++ output->shape_size_ = perm_size; ++ for (size_t i = 0; i < perm_size; ++i) { ++ if (perm[i] >= input->shape_size_) { ++ return NNACL_ERR; ++ } else { ++ out_shape[i] = input->shape_[perm[i]]; ++ } ++ } ++ } ++ return NNACL_OK; ++} ++ + int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **outputs, size_t outputs_size, + OpParameter *parameter) { + #ifdef Debug +@@ -60,38 +99,9 @@ int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, Tensor + for (size_t i = 0; i < perms_num; i++) { + ShapePush(perm, &perm_size, perm_data[i]); + } +- const int nchw2nhwc[4] = {0, 2, 3, 1}; +- const int nhwc2nchw[4] = {0, 3, 1, 2}; +- const int trans3d[3] = {0, 2, 1}; +- if (perms_num == 4) { +- if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) { +- output->format_ = Format_NHWC; +- } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) { +- output->format_ = Format_NCHW; +- } +- // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this. +- if (input->shape_size_ == 3) { +- ShapeSet(perm, &perm_size, trans3d, 3); +- } +- } + // set output shape + int out_shape[MAX_TRANSPOSE_DIM_SIZE] = {0}; +- size_t in_shape_size = input->shape_size_; +- output->shape_size_ = in_shape_size; +- if (perm_size == 0) { +- for (size_t i = 0; i < in_shape_size; ++i) { +- out_shape[in_shape_size - i - 1] = input->shape_[i]; +- } +- } else if (perm_size != in_shape_size) { +- for (size_t i = 0; i < in_shape_size; ++i) { +- out_shape[i] = input->shape_[i]; +- } +- } else { +- output->shape_size_ = perm_size; +- for (size_t i = 0; i < perm_size; ++i) { +- out_shape[i] = input->shape_[perm[i]]; +- } +- } ++ SetOutputShape(perms_num, input, output, perm, perm_size, out_shape); + SetShapeArray(output, out_shape, output->shape_size_); + return NNACL_OK; + } +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-007.patch b/security/cve_patch/mssa-2021-007.patch new file mode 100644 index 0000000..bdedbb9 --- /dev/null +++ b/security/cve_patch/mssa-2021-007.patch @@ -0,0 +1,25 @@ +From 8359643b0ebd9d0931110bd7776080abd2f2259d Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:37:26 -0700 +Subject: [PATCH] common_infer bug + +--- + .../backend/kernel_compiler/cpu/nnacl/infer/common_infer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c +index 20c15559ed..c422a9c1ab 100644 +--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c ++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c +@@ -302,7 +302,7 @@ int ShapeInsert(int *shape, size_t *shape_size, int index, int value) { + } + + int ShapeErase(int *shape, size_t *shape_size, int index) { +- if (index < 0 && index >= *shape_size) { ++ if (index < 0 || index >= *shape_size) { + return NNACL_ERR; + } + +-- +2.17.1 + diff --git a/security/cve_patch/mssa-2021-008.patch b/security/cve_patch/mssa-2021-008.patch new file mode 100644 index 0000000..4f3e0dd --- /dev/null +++ b/security/cve_patch/mssa-2021-008.patch @@ -0,0 +1,43 @@ +From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 +From: lzk +Date: Fri, 21 May 2021 01:25:06 -0700 +Subject: [PATCH] array cross the border + +--- + .../backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c | 3 +++ + mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc | 5 +++++ + 2 files changed, 8 insertions(+) + +diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c +index 19e20e71bd..df36be303a 100644 +--- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c ++++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c +@@ -63,6 +63,9 @@ int TileInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **o + return NNACL_INPUT_TENSOR_ERROR; + } + multiples_size = data_num; ++ if (inputs[1]->data_type_ != kNumberTypeInt && inputs[1]->data_type_ != kNumberTypeInt32) { ++ return NNACL_INPUT_TENSOR_ERROR; ++ } + int *input1_data = inputs[1]->data_; + if (input1_data == NULL) { + return NNACL_INFER_INVALID; +diff --git a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc +index 54548699d0..6898bcffff 100644 +--- a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc ++++ b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc +@@ -50,6 +50,11 @@ int TileCPUKernel::ReSize() { + MS_LOG(ERROR) << "tile's input1 data_num cannot be larger than input0's shape_size."; + return false; + } ++ if (in_tensors_[1]->data_type() != kNumberTypeInt && in_tensors_[1]->data_type() != kNumberTypeInt32) { ++ MS_LOG(ERROR) << "in_tensors_[1]->data_type():" << in_tensors_[1]->data_type() ++ << " must be kNumberTypeInt32 or kNumberTypeInt!"; ++ return RET_ERROR; ++ } + auto input1_addr = reinterpret_cast(in_tensors_[1]->data_c()); + for (int i = 0; i < in_tensors_[1]->ElementsNum(); ++i) { + tile_parameter_->dims_[i] = i; +-- +2.17.1 + diff --git a/security/security_advisory_list/mssa-2021-001.md b/security/security_advisory_list/mssa-2021-001.md new file mode 100644 index 0000000..f048b6a --- /dev/null +++ b/security/security_advisory_list/mssa-2021-001.md @@ -0,0 +1,25 @@ +# MSSA-2021-001 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在运行Split算子的resize操作时,如果变量input_shape元素中存在0值,会导致除0 SIGFPE。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-001.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 diff --git a/security/security_advisory_list/mssa-2021-002.md b/security/security_advisory_list/mssa-2021-002.md new file mode 100644 index 0000000..f886b2a --- /dev/null +++ b/security/security_advisory_list/mssa-2021-002.md @@ -0,0 +1,25 @@ +# MSSA-2021-002 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在运行SpaceToBatch算子的推导shape阶段,如果参数block_shape元素中存在0值,会导致除0 SIGFPE。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-002.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 diff --git a/security/security_advisory_list/mssa-2021-003.md b/security/security_advisory_list/mssa-2021-003.md new file mode 100644 index 0000000..6cb9f2e --- /dev/null +++ b/security/security_advisory_list/mssa-2021-003.md @@ -0,0 +1,25 @@ +# MSSA-2021-003 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在运行Refuce算子的run函数时,如果参数axis_sizes元素中存在0值,会导致除0 SIGFPE。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-003.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 diff --git a/security/security_advisory_list/mssa-2021-004.md b/security/security_advisory_list/mssa-2021-004.md new file mode 100644 index 0000000..9686406 --- /dev/null +++ b/security/security_advisory_list/mssa-2021-004.md @@ -0,0 +1,25 @@ +# MSSA-2021-004 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在解析tflite Conv算子导MindSporeLite Conv算子的parser阶段时,如果属性depth_multiplier为0,会导致除0 SIGFPE。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-004.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 diff --git a/security/security_advisory_list/mssa-2021-005.md b/security/security_advisory_list/mssa-2021-005.md new file mode 100644 index 0000000..999469d --- /dev/null +++ b/security/security_advisory_list/mssa-2021-005.md @@ -0,0 +1,25 @@ +# MSSA-2021-005 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在SparseToDense算子的推导shape阶段,如果输入个数小于3,会导致变量inputs访问越界。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-005.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。 diff --git a/security/security_advisory_list/mssa-2021-006.md b/security/security_advisory_list/mssa-2021-006.md new file mode 100644 index 0000000..14353b4 --- /dev/null +++ b/security/security_advisory_list/mssa-2021-006.md @@ -0,0 +1,25 @@ +# MSSA-2021-006 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在Transpose算子的推导shape阶段,如果perm元素中的值大于或等于input_shape size,会导致input_shape访问越界。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-006.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。 diff --git a/security/security_advisory_list/mssa-2021-007.md b/security/security_advisory_list/mssa-2021-007.md new file mode 100644 index 0000000..d5a17c2 --- /dev/null +++ b/security/security_advisory_list/mssa-2021-007.md @@ -0,0 +1,25 @@ +# MSSA-2021-007 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在算子的公共推导shape阶段,判断逻辑错误,会导致shape访问越界。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [8359643b0ebd9d0931110bd7776080abd2f2259d](https://gitee.com/mindspore/mindspore/commit/8359643b0ebd9d0931110bd7776080abd2f2259d)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-007.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2X)。 diff --git a/security/security_advisory_list/mssa-2021-008.md b/security/security_advisory_list/mssa-2021-008.md new file mode 100644 index 0000000..9028f91 --- /dev/null +++ b/security/security_advisory_list/mssa-2021-008.md @@ -0,0 +1,25 @@ +# MSSA-2021-008 - Security Advisory + +## 发布日期 + +2021-10-18 + +## 更新日期 + +2021-10-18 + +## 影响 + +- 在Tile算子的推导shape阶段,如果输入数据类型不是int或者int32类型时,会导致内存拷贝越界。 + +## 补丁 + +- 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-008.patch)。 + +## CVE + +- 待补充。 + +## 参考信息 + +- 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。