@@ -4,9 +4,9 @@ We regularly publish security advisories about using PaddlePaddle.
...
@@ -4,9 +4,9 @@ We regularly publish security advisories about using PaddlePaddle.
*Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](https://github.com/PaddlePaddle/Paddle/blob/develop/SECURITY.md).
*Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](../SECURITY.md).
| Advisory Number | Type | Versions affected | Reported by | Additional Information|
| Advisory Number | Type | Versions affected | Reported by | Additional Information |
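Review bot: The SECURITY.md link in the *Note* line changes from an absolute GitHub URL to `../SECURITY.md`, which resolves only when this file is rendered from its own location in the repository tree. The advisory text in this same change links to `../../SECURITY.md`, so please check each relative path against the directory depth of the file it lives in, and keep the absolute URL if this page is also published anywhere outside the repository view. The table header edit is whitespace only and looks fine.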
The [implementation](https://github.com/PaddlePaddle/Paddle/blob/release/2.3/paddle/phi/kernels/cpu/gather_tree_kernel.cc#L31-L33) of GatherTreeKernel does not validate the ids_dims size which would result in a memory out-of-bounds read if the ids shape is invalid.
```c++
template<typenameT,typenameContext>
voidGatherTreeKernel(constContext&dev_ctx,
constDenseTensor&ids,
constDenseTensor&parents,
DenseTensor*out){
constauto*ids_data=ids.data<T>();
constauto*parents_data=parents.data<T>();
T*out_data=dev_ctx.templateAlloc<T>(out);
auto&ids_dims=ids.dims();
automax_length=ids_dims[0];
autobatch_size=ids_dims[1];
autobeam_size=ids_dims[2];//[1]
```
### Patches
We have patched the issue in commit [6712e262fc6734873cc6d5ca4f45973339a88697](https://github.com/PaddlePaddle/Paddle/commit/6712e262fc6734873cc6d5ca4f45973339a88697).
The fix will be included in PaddlePaddle 2.4.
### For more information
Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
### Attribution
This vulnerability has been reported by Wang Xuan(王旋) of Qihoo 360 AIVul Team.
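Review bot: The code excerpt stops at the `//[1]` marker on the `beam_size` line, but the advisory never says what [1] refers to or which shape `ids` is expected to have. Suggest adding a sentence that ties the marker to the description, for example that the kernel reads `ids_dims[0]`, `ids_dims[1]` and `ids_dims[2]` without first checking that `ids` has three dimensions, if that is the intended reading. The implementation link also targets the `release/2.3` branch with `#L31-L33`; a link pinned to a commit would keep the line range pointing at the same code if the branch changes. Finally, the text says the fix will be included in PaddlePaddle 2.4 but does not list the affected versions in the advisory body, so consider stating them here as well as in the index table.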