Prevent use after free.
A very old version of the code used `result` as a simple pointer to a resource. Two years later, the pointer got changed to a `unique_ptr` but the author forgot to remove the call to `Unref`. Three years after that, we finally uncover the UAF.

PiperOrigin-RevId: 387924872
Change-Id: I70fb6f199164de49fac20c168132a07b84903f9b
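The mechanism the commit message describes, as an added example that is not TensorFlow's own code: a constructed ref-counted `Ensemble` stand-in whose last `Unref()` frees the object, held in a `unique_ptr` exactly as in the kernel, with the error path run both without and with the `release()` line. Frees go through a small slot table instead of the heap so the double free is counted rather than crashing the process.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for TensorFlow's ref-counted resource. Frees go through
// a tiny slot table instead of `delete`, so a double free is counted rather
// than corrupting the heap (the Ensemble objects are deliberately leaked).
struct SlotTable {
  bool live[4] = {};
  int double_frees = 0;
  int Alloc() { for (int i = 0; i < 4; ++i) if (!live[i]) { live[i] = true; return i; } return -1; }
  // Freeing a slot that is no longer live is the double free we want to observe.
  void Free(int slot) { if (!live[slot]) ++double_frees; else live[slot] = false; }
};

class Ensemble {
 public:
  explicit Ensemble(SlotTable* t) : table_(t), slot_(t->Alloc()), refs_(1) {}
  // The last Unref() frees the object, as core::RefCounted::Unref() does.
  void Unref() { if (--refs_ == 0) table_->Free(slot_); }
  bool InitFromSerialized(const std::string& s) { return !s.empty(); }
  // Deleter installed in the unique_ptr: what `delete` would do on the real heap.
  static void Destroy(Ensemble* e) { e->table_->Free(e->slot_); }
 private:
  SlotTable* table_; int slot_; int refs_;
};

using EnsemblePtr = std::unique_ptr<Ensemble, void (*)(Ensemble*)>;

// Error path of Compute() without and with the commit's `release()` line.
// Without it, Unref() frees the object while `result` still owns it, and the
// unique_ptr deleter frees it a second time when `result` goes out of scope.
bool CreateEnsemble(SlotTable* t, const std::string& serialized, bool fixed) {
  EnsemblePtr result(new Ensemble(t), &Ensemble::Destroy);
  if (!result->InitFromSerialized(serialized)) {
    result->Unref();
    if (fixed) result.release();  // the one-line fix from the commit
    return false;                 // OP_REQUIRES(context, false, ...) returns here
  }
  return true;  // the real kernel hands the resource to the ResourceMgr instead
}

// Runs one attempt on a fresh table and reports how many double frees occurred.
int DoubleFrees(const std::string& serialized, bool fixed) {
  SlotTable t;
  CreateEnsemble(&t, serialized, fixed);
  return t.double_frees;
}
```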
mihaimaruseac authored and tensorflower-gardener committed Jul 31, 2021
1 parent d8a39f2 commit 5ecec9c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions tensorflow/core/kernels/boosted_trees/resource_ops.cc
@@ -53,6 +53,7 @@ class BoostedTreesCreateEnsembleOp : public OpKernel {
if (!result->InitFromSerialized(
tree_ensemble_serialized_t->scalar<tstring>()(), stamp_token)) {
result->Unref();
result.release(); // Needed due to the `->Unref` above, to prevent UAF
OP_REQUIRES(
context, false,
errors::InvalidArgument("Unable to parse tree ensemble proto."));
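Review bot: the two calls are in an order that is correct but fragile: `result->Unref();` may free the ensemble while `result` still owns it, and only the following `result.release();` detaches the `unique_ptr`, so the code is safe only because nothing touches `result` in between. Writing `result.release()->Unref();` hands ownership over before the reference count drops, leaves no window in which both the `unique_ptr` and the refcount believe they own the object, and makes the trailing `// Needed due to the ...` comment unnecessary. The unconditional `OP_REQUIRES(context, false, ...)` that follows returns from `Compute`, so this is the last use of `result` either way.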