add pdsa-2022-001, test=document_fix (#47228)

Add PDSA-2022-001 security advisory

SECURITY.md

@@ -60,4 +60,4 @@ If malicious input can trigger memory corruption or non-clean exit, such bug is
 
 
 
-[security advisories](https://github.com/PaddlePaddle/Paddle/blob/develop/security/README.md)
+[security advisories](./security/README.md)

SECURITY_cn.md

@@ -46,4 +46,4 @@
 
 如果输入非预期的参数后，对飞桨代码造成了内存破坏，或者非干净退出，这类行为被认定为存在安全问题。
 
-### [安全公告](https://github.com/PaddlePaddle/Paddle/blob/develop/security/README_cn.md)
+### [安全公告](./security/README_cn.md)

security/README.md

@@ -4,9 +4,9 @@ We regularly publish security advisories about using PaddlePaddle.
 
 
 
-*Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](https://github.com/PaddlePaddle/Paddle/blob/develop/SECURITY.md).
+*Note*: In conjunction with these security advisories, we strongly encourage PaddlePaddle users to read and understand PaddlePaddle's security model as outlined in [SECURITY.md](../SECURITY.md).
 
 
-| Advisory Number | Type | Versions affected | Reported by | Additional Information|
-| --------------- | ---- | :---------------: | ----------- | ----------------------|
-|  |  |  |  |  |
+| Advisory Number                              | Type                    | Versions affected | Reported by                           | Additional Information |
+|----------------------------------------------|-------------------------|:-----------------:|---------------------------------------|------------------------|
+| [PDSA-2022-001](./advisory/pdsa-2022-001.md) | OOB read in gather_tree |       < 2.4       | Wang Xuan(王旋) of Qihoo 360 AIVul Team |                        |

security/README_cn.md

@@ -4,9 +4,9 @@
 
 
 
-注：我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](https://github.com/PaddlePaddle/Paddle/blob/develop/SECURITY_cn.md)所介绍的飞桨安全模型，以便更好地了解此安全公告。
+注：我们非常建议飞桨用户阅读和理解[SECURITY_cn.md](../SECURITY_cn.md)所介绍的飞桨安全模型，以便更好地了解此安全公告。
 
 
 | 安全公告编号                                          | 类型                      | 受影响版本 | 报告者                                   | 备注 |
-| --------------- | ---- | :---------------: | ----------- | ----------------------|
-|  |  |  |  |  |
+|-------------------------------------------------|-------------------------|:-----:|---------------------------------------| ----------------------|
+| [PDSA-2022-001](./advisory/pdsa-2022-001_cn.md) | OOB read in gather_tree | < 2.4 | Wang Xuan(王旋) of Qihoo 360 AIVul Team |  |

security/advisory/pdsa-2022-001.md

+## PDSA-2022-001: OOB read in gather_tree
+
+### Impact
+
+The PoC is as follows:
+
+```python
+import paddle
+import paddle.fluid as fluid
+import numpy as  np
+
+ids = paddle.to_tensor([[2,2],[6,1]])
+parents = paddle.to_tensor([[2,2],[6,1]])
+
+out = paddle.nn.functional.gather_tree(ids,parents)
+```
+
+The [implementation](https://github.com/PaddlePaddle/Paddle/blob/release/2.3/paddle/phi/kernels/cpu/gather_tree_kernel.cc#L31-L33) of GatherTreeKernel does not validate the ids_dims size which would result in a memory out-of-bounds read if the ids shape is invalid.
+
+```c++
+template <typename T, typename Context>
+void GatherTreeKernel(const Context &dev_ctx,
+                      const DenseTensor &ids,
+                      const DenseTensor &parents,
+                      DenseTensor *out) {
+  const auto *ids_data = ids.data<T>();
+  const auto *parents_data = parents.data<T>();
+
+  T *out_data = dev_ctx.template Alloc<T>(out);
+
+  auto &ids_dims = ids.dims();
+  auto max_length = ids_dims[0];
+  auto batch_size = ids_dims[1];
+  auto beam_size = ids_dims[2];    //[1]
+```
+
+### Patches
+
+We have patched the issue in commit [6712e262fc6734873cc6d5ca4f45973339a88697](https://github.com/PaddlePaddle/Paddle/commit/6712e262fc6734873cc6d5ca4f45973339a88697).
+
+The fix will be included in PaddlePaddle 2.4.
+
+### For more information
+
+Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
+
+### Attribution
+
+This vulnerability has been reported by Wang Xuan(王旋) of Qihoo 360 AIVul Team.

security/advisory/pdsa-2022-001_cn.md

+## PDSA-2022-001: OOB read in gather_tree
+
+### 影响
+
+PoC如下：
+
+```python
+import paddle
+import paddle.fluid as fluid
+import numpy as  np
+
+ids = paddle.to_tensor([[2,2],[6,1]])
+parents = paddle.to_tensor([[2,2],[6,1]])
+
+out = paddle.nn.functional.gather_tree(ids,parents)
+```
+
+在GatherTreeKernel的[实现代码中](https://github.com/PaddlePaddle/Paddle/blob/release/2.3/paddle/phi/kernels/cpu/gather_tree_kernel.cc#L31-L33)，并没有检查ids_dims的大小，当输入非预期的ids，其shape不正确时会造成可能造成越界读ids_dims。
+
+```c++
+template <typename T, typename Context>
+void GatherTreeKernel(const Context &dev_ctx,
+                      const DenseTensor &ids,
+                      const DenseTensor &parents,
+                      DenseTensor *out) {
+  const auto *ids_data = ids.data<T>();
+  const auto *parents_data = parents.data<T>();
+
+  T *out_data = dev_ctx.template Alloc<T>(out);
+
+  auto &ids_dims = ids.dims();
+  auto max_length = ids_dims[0];
+  auto batch_size = ids_dims[1];
+  auto beam_size = ids_dims[2];    //[1]
+```
+
+### 补丁
+
+我们在commit [6712e262fc6734873cc6d5ca4f45973339a88697](https://github.com/PaddlePaddle/Paddle/commit/6712e262fc6734873cc6d5ca4f45973339a88697)中对此问题进行了补丁。
+
+修复将包含在飞桨2.4版本当中。
+
+### 更多信息
+
+请参考我们的[安全指南](../../SECURITY_cn.md)以获得更多关于安全的信息，以及如何与我们联系问题。
+
+### 贡献者
+
+此漏洞由 Wang Xuan(王旋) of Qihoo 360 AIVul Team 提交。