| @@ -39,7 +39,16 @@ MindSpore作为一个同时支持端/边缘/云场景的训练推理框架,在 | |||
| ## MindSpore安全公告(SA) | |||
| 无 | |||
| | 公告 | 类型 | 受影响版本 | 上报人 | 附加信息 | | |||
| | --- | ---- | --- | --- | --- | | |||
| | [MSSA-2021-008](security_advisory_list/mssa-2021-008.md) | memcpy()越界问题在MindSpore Lite Tile算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-007](security_advisory_list/mssa-2021-007.md) | Integer溢出问题在MindSpore Lite的common_infer.c文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-006](security_advisory_list/mssa-2021-006.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的Transpose算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-005](security_advisory_list/mssa-2021-005.md) | 数组下标未判断导致的数组越界访问问题在MindSpore Lite的SparseToDense算子中 | >= 1.2.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-004](security_advisory_list/mssa-2021-004.md) | 除0导致的SIGFPE问题在MindSpore Lite的Conv算子parser文件中 | >= 1.1.0, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-003](security_advisory_list/mssa-2021-003.md) | 除0导致的SIGFPE问题在MindSpore Lite的Reduce算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-002](security_advisory_list/mssa-2021-002.md) | 除0导致的SIGFPE问题在MindSpore Lite的SpaceToBatch算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| | [MSSA-2021-001](security_advisory_list/mssa-2021-001.md) | 除0导致的SIGFPE问题在MindSpore Lite的Split算子中 | >= 0.7.0-beta, < 1.3.0 | Wang Xuan(@May) of Qihoo 360 AIVul Team | | | |||
| ## MindSpore安全说明(SN) | |||
| @@ -0,0 +1,32 @@ | |||
| From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:11:07 -0700 | |||
| Subject: [PATCH] div 0 bug fix | |||
| --- | |||
| mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | 9 +++++++++ | |||
| 1 file changed, 9 insertions(+) | |||
| diff --git a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | |||
| index 2448a407dd..b96e5aacb8 100644 | |||
| --- a/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | |||
| +++ b/mindspore/lite/src/runtime/kernel/arm/base/split_base.cc | |||
| @@ -50,6 +50,15 @@ int SplitBaseCPUKernel::ReSize() { | |||
| param->strides_[i] = param->strides_[i + 1] * input_shape.at(i + 1); | |||
| } | |||
| + if (input_shape.at(param->split_dim_) == 0) { | |||
| + MS_LOG(ERROR) << "input_shape[" << param->split_dim_ << "] must not be zero!"; | |||
| + return RET_ERROR; | |||
| + } | |||
| + if (param->strides_[param->split_dim_] == 0) { | |||
| + MS_LOG(ERROR) << "param->strides_[" << param->split_dim_ << "] must not be zero!"; | |||
| + return RET_ERROR; | |||
| + } | |||
| + | |||
| MS_ASSERT(static_cast<size_t>(param->split_dim_) < input_shape.size()); | |||
| param->split_count_ = | |||
| param->strides_[0] * input_shape.at(0) / (input_shape.at(param->split_dim_) * param->strides_[param->split_dim_]); | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,29 @@ | |||
| From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:11:07 -0700 | |||
| Subject: [PATCH] div 0 bug fix | |||
| --- | |||
| .../kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c | 6 ++++++ | |||
| 1 file changed, 6 insertions(+) | |||
| diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c | |||
| index c19082141d..e1b73101b3 100644 | |||
| --- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c | |||
| +++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/space_to_batch_infer.c | |||
| @@ -51,6 +51,12 @@ int SpaceToBatchInferShape(const TensorC *const *inputs, size_t inputs_size, Ten | |||
| block_w = block_shape[1]; | |||
| } | |||
| + if (block_shape[0] == 0) { | |||
| + return NNACL_ERR; | |||
| + } | |||
| + if (block_w == 0) { | |||
| + return NNACL_ERR; | |||
| + } | |||
| outputs[0]->shape_[kNHWC_N] = input->shape_[kNHWC_N] * (block_shape[0] * block_w); | |||
| outputs[0]->shape_[kNHWC_H] = (input->shape_[kNHWC_H] + paddings[0] + paddings[1]) / block_shape[0]; | |||
| outputs[0]->shape_[kNHWC_W] = (input->shape_[kNHWC_W] + padding_left + padding_right) / block_w; | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,27 @@ | |||
| From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:11:07 -0700 | |||
| Subject: [PATCH] div 0 bug fix | |||
| --- | |||
| mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | 4 ++++ | |||
| 1 file changed, 4 insertions(+) | |||
| diff --git a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | |||
| index 044fd170e1..f1e45d47e0 100644 | |||
| --- a/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | |||
| +++ b/mindspore/lite/src/runtime/kernel/arm/fp32/reduce_fp32.cc | |||
| @@ -117,6 +117,10 @@ int ReduceCPUKernel::Run() { | |||
| outer_size_ = outer_sizes_.at(i); | |||
| inner_size_ = inner_sizes_.at(i); | |||
| axis_size_ = axis_sizes_.at(i); | |||
| + if (axis_size_ == 0) { | |||
| + MS_LOG(ERROR) << "axis_size_ is must not be zero!"; | |||
| + return RET_ERROR; | |||
| + } | |||
| auto error_code = ParallelLaunch(static_cast<const lite::InnerContext *>(this->context_)->thread_pool_, ReduceImpl, | |||
| this, context_->thread_num_); | |||
| if (error_code != RET_OK) { | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,27 @@ | |||
| From e0cbe113745a38be7b3afa0dff63a819e4490005 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:11:07 -0700 | |||
| Subject: [PATCH] div 0 bug fix | |||
| --- | |||
| .../lite/tools/converter/parser/tflite/tflite_conv_parser.cc | 4 ++++ | |||
| 1 file changed, 4 insertions(+) | |||
| diff --git a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc | |||
| index 3e552883af..c2aac03799 100644 | |||
| --- a/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc | |||
| +++ b/mindspore/lite/tools/converter/parser/tflite/tflite_conv_parser.cc | |||
| @@ -111,6 +111,10 @@ ops::PrimitiveC *TfliteDepthwiseConv2DParser::Parse(const std::unique_ptr<tflite | |||
| auto weight_shape = weight_tensor->shape; | |||
| prim->set_kernel_size({weight_shape[1], weight_shape[2]}); | |||
| prim->set_in_channel(weight_shape[3]); | |||
| + if (tflite_attr->depth_multiplier == 0) { | |||
| + MS_LOG(ERROR) << "depth_multiplier must not be zero!"; | |||
| + return nullptr; | |||
| + } | |||
| prim->set_group(weight_shape[3] / tflite_attr->depth_multiplier); | |||
| // get data tensor | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,26 @@ | |||
| From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:25:06 -0700 | |||
| Subject: [PATCH] array cross the border | |||
| --- | |||
| .../kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c | 3 +++ | |||
| 1 file changed, 3 insertions(+) | |||
| diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c | |||
| index 4b44ec7568..89620c9634 100644 | |||
| --- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c | |||
| +++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/sparse_to_dense_infer.c | |||
| @@ -27,6 +27,9 @@ int SparseToDenseInferShape(const TensorC *const *inputs, size_t inputs_size, Te | |||
| #endif | |||
| TensorC *output = outputs[0]; | |||
| + if (inputs_size < 3) { | |||
| + return NNACL_INPUT_TENSOR_ERROR; | |||
| + } | |||
| const TensorC *input1 = inputs[1]; | |||
| const TensorC *input2 = inputs[2]; | |||
| SetDataTypeFormat(output, input2); | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,102 @@ | |||
| From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:25:06 -0700 | |||
| Subject: [PATCH] array cross the border | |||
| --- | |||
| .../cpu/nnacl/infer/transpose_infer.c | 70 +++++++++++-------- | |||
| 1 file changed, 40 insertions(+), 30 deletions(-) | |||
| diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c | |||
| index 04da736190..b1460bc8be 100644 | |||
| --- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c | |||
| +++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/transpose_infer.c | |||
| @@ -26,6 +26,45 @@ bool CheckPermTransFormat(const int *perm, const int *perm_transformat, const si | |||
| return true; | |||
| } | |||
| +int SetOutputShape(int perms_num, const TensorC *input, TensorC *output, int *perm, size_t perm_size, int *out_shape) { | |||
| + if (perms_num == 4) { | |||
| + const int nchw2nhwc[4] = {0, 2, 3, 1}; | |||
| + const int nhwc2nchw[4] = {0, 3, 1, 2}; | |||
| + const int trans3d[3] = {0, 2, 1}; | |||
| + if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) { | |||
| + output->format_ = Format_NHWC; | |||
| + } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) { | |||
| + output->format_ = Format_NCHW; | |||
| + } | |||
| + // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this. | |||
| + if (input->shape_size_ == 3) { | |||
| + ShapeSet(perm, &perm_size, trans3d, 3); | |||
| + } | |||
| + } | |||
| + // set output shape | |||
| + size_t in_shape_size = input->shape_size_; | |||
| + output->shape_size_ = in_shape_size; | |||
| + if (perm_size == 0) { | |||
| + for (size_t i = 0; i < in_shape_size; ++i) { | |||
| + out_shape[in_shape_size - i - 1] = input->shape_[i]; | |||
| + } | |||
| + } else if (perm_size != in_shape_size) { | |||
| + for (size_t i = 0; i < in_shape_size; ++i) { | |||
| + out_shape[i] = input->shape_[i]; | |||
| + } | |||
| + } else { | |||
| + output->shape_size_ = perm_size; | |||
| + for (size_t i = 0; i < perm_size; ++i) { | |||
| + if (perm[i] >= input->shape_size_) { | |||
| + return NNACL_ERR; | |||
| + } else { | |||
| + out_shape[i] = input->shape_[perm[i]]; | |||
| + } | |||
| + } | |||
| + } | |||
| + return NNACL_OK; | |||
| +} | |||
| + | |||
| int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **outputs, size_t outputs_size, | |||
| OpParameter *parameter) { | |||
| #ifdef Debug | |||
| @@ -60,38 +99,9 @@ int TransposeInferShape(const TensorC *const *inputs, size_t inputs_size, Tensor | |||
| for (size_t i = 0; i < perms_num; i++) { | |||
| ShapePush(perm, &perm_size, perm_data[i]); | |||
| } | |||
| - const int nchw2nhwc[4] = {0, 2, 3, 1}; | |||
| - const int nhwc2nchw[4] = {0, 3, 1, 2}; | |||
| - const int trans3d[3] = {0, 2, 1}; | |||
| - if (perms_num == 4) { | |||
| - if (input->format_ == Format_NCHW && CheckPermTransFormat(perm, nchw2nhwc, perms_num)) { | |||
| - output->format_ = Format_NHWC; | |||
| - } else if (input->format_ == Format_NHWC && CheckPermTransFormat(perm, nhwc2nchw, perms_num)) { | |||
| - output->format_ = Format_NCHW; | |||
| - } | |||
| - // though the perm is 4d in default, the input can be a 3d tensor. The op implementation should be adapted to this. | |||
| - if (input->shape_size_ == 3) { | |||
| - ShapeSet(perm, &perm_size, trans3d, 3); | |||
| - } | |||
| - } | |||
| // set output shape | |||
| int out_shape[MAX_TRANSPOSE_DIM_SIZE] = {0}; | |||
| - size_t in_shape_size = input->shape_size_; | |||
| - output->shape_size_ = in_shape_size; | |||
| - if (perm_size == 0) { | |||
| - for (size_t i = 0; i < in_shape_size; ++i) { | |||
| - out_shape[in_shape_size - i - 1] = input->shape_[i]; | |||
| - } | |||
| - } else if (perm_size != in_shape_size) { | |||
| - for (size_t i = 0; i < in_shape_size; ++i) { | |||
| - out_shape[i] = input->shape_[i]; | |||
| - } | |||
| - } else { | |||
| - output->shape_size_ = perm_size; | |||
| - for (size_t i = 0; i < perm_size; ++i) { | |||
| - out_shape[i] = input->shape_[perm[i]]; | |||
| - } | |||
| - } | |||
| + SetOutputShape(perms_num, input, output, perm, perm_size, out_shape); | |||
| SetShapeArray(output, out_shape, output->shape_size_); | |||
| return NNACL_OK; | |||
| } | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,25 @@ | |||
| From 8359643b0ebd9d0931110bd7776080abd2f2259d Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:37:26 -0700 | |||
| Subject: [PATCH] common_infer bug | |||
| --- | |||
| .../backend/kernel_compiler/cpu/nnacl/infer/common_infer.c | 2 +- | |||
| 1 file changed, 1 insertion(+), 1 deletion(-) | |||
| diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c | |||
| index 20c15559ed..c422a9c1ab 100644 | |||
| --- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c | |||
| +++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/common_infer.c | |||
| @@ -302,7 +302,7 @@ int ShapeInsert(int *shape, size_t *shape_size, int index, int value) { | |||
| } | |||
| int ShapeErase(int *shape, size_t *shape_size, int index) { | |||
| - if (index < 0 && index >= *shape_size) { | |||
| + if (index < 0 || index >= *shape_size) { | |||
| return NNACL_ERR; | |||
| } | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,43 @@ | |||
| From 5aab6599e7280d2512a87434c174f13a0a2e7008 Mon Sep 17 00:00:00 2001 | |||
| From: lzk <liuzhongkai2@huawei.com> | |||
| Date: Fri, 21 May 2021 01:25:06 -0700 | |||
| Subject: [PATCH] array cross the border | |||
| --- | |||
| .../backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c | 3 +++ | |||
| mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc | 5 +++++ | |||
| 2 files changed, 8 insertions(+) | |||
| diff --git a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c | |||
| index 19e20e71bd..df36be303a 100644 | |||
| --- a/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c | |||
| +++ b/mindspore/ccsrc/backend/kernel_compiler/cpu/nnacl/infer/tile_infer.c | |||
| @@ -63,6 +63,9 @@ int TileInferShape(const TensorC *const *inputs, size_t inputs_size, TensorC **o | |||
| return NNACL_INPUT_TENSOR_ERROR; | |||
| } | |||
| multiples_size = data_num; | |||
| + if (inputs[1]->data_type_ != kNumberTypeInt && inputs[1]->data_type_ != kNumberTypeInt32) { | |||
| + return NNACL_INPUT_TENSOR_ERROR; | |||
| + } | |||
| int *input1_data = inputs[1]->data_; | |||
| if (input1_data == NULL) { | |||
| return NNACL_INFER_INVALID; | |||
| diff --git a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc | |||
| index 54548699d0..6898bcffff 100644 | |||
| --- a/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc | |||
| +++ b/mindspore/lite/src/runtime/kernel/arm/base/tile_base.cc | |||
| @@ -50,6 +50,11 @@ int TileCPUKernel::ReSize() { | |||
| MS_LOG(ERROR) << "tile's input1 data_num cannot be larger than input0's shape_size."; | |||
| return false; | |||
| } | |||
| + if (in_tensors_[1]->data_type() != kNumberTypeInt && in_tensors_[1]->data_type() != kNumberTypeInt32) { | |||
| + MS_LOG(ERROR) << "in_tensors_[1]->data_type():" << in_tensors_[1]->data_type() | |||
| + << " must be kNumberTypeInt32 or kNumberTypeInt!"; | |||
| + return RET_ERROR; | |||
| + } | |||
| auto input1_addr = reinterpret_cast<int *>(in_tensors_[1]->data_c()); | |||
| for (int i = 0; i < in_tensors_[1]->ElementsNum(); ++i) { | |||
| tile_parameter_->dims_[i] = i; | |||
| -- | |||
| 2.17.1 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-001 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在运行Split算子的resize操作时,如果变量input_shape元素中存在0值,会导致除0 SIGFPE。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-001.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-002 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在运行SpaceToBatch算子的推导shape阶段,如果参数block_shape元素中存在0值,会导致除0 SIGFPE。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-002.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-003 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在运行Refuce算子的run函数时,如果参数axis_sizes元素中存在0值,会导致除0 SIGFPE。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-003.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-004 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在解析tflite Conv算子导MindSporeLite Conv算子的parser阶段时,如果属性depth_multiplier为0,会导致除0 SIGFPE。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [e0cbe113745a38be7b3afa0dff63a819e4490005](https://gitee.com/mindspore/mindspore/commit/e0cbe113745a38be7b3afa0dff63a819e4490005)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-004.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE1A)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-005 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在SparseToDense算子的推导shape阶段,如果输入个数小于3,会导致变量inputs访问越界。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-005.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-006 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在Transpose算子的推导shape阶段,如果perm元素中的值大于或等于input_shape size,会导致input_shape访问越界。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-006.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-007 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在算子的公共推导shape阶段,判断逻辑错误,会导致shape访问越界。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [8359643b0ebd9d0931110bd7776080abd2f2259d](https://gitee.com/mindspore/mindspore/commit/8359643b0ebd9d0931110bd7776080abd2f2259d)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-007.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2X)。 | |||
| @@ -0,0 +1,25 @@ | |||
| # MSSA-2021-008 - Security Advisory | |||
| ## 发布日期 | |||
| 2021-10-18 | |||
| ## 更新日期 | |||
| 2021-10-18 | |||
| ## 影响 | |||
| - 在Tile算子的推导shape阶段,如果输入数据类型不是int或者int32类型时,会导致内存拷贝越界。 | |||
| ## 补丁 | |||
| - 我们已经在1.3.0版本通过commit [5aab6599e7280d2512a87434c174f13a0a2e7008](https://gitee.com/mindspore/mindspore/commit/5aab6599e7280d2512a87434c174f13a0a2e7008)修复了该问题,并且制作了该漏洞的[patch](../cve_patch/mssa-2021-008.patch)。 | |||
| ## CVE | |||
| - 待补充。 | |||
| ## 参考信息 | |||
| - 该漏洞对应的[issue](https://gitee.com/mindspore/mindspore/issues/I3SE2J)。 | |||