HDFGroup · derobins · Dec 15, 2022 · Dec 12, 2022 · Dec 12, 2022 · Dec 15, 2022
@@ -171,6 +171,25 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
     Library
     -------
+    - Seg fault on file close
+
+      h5debug fails at file close with core dump on a file that has an
+      illegal file size in its cache image.  In H5F_dest(), the library
+      performs all the closing operations for the file and keeps track of
+      the error encountered when reading the file cache image.  
+      At the end of the routine, it frees the file's file structure and 
+      returns error.  Due to the error return, the file object is not removed 
+      from the ID node table.  This eventually causes assertion failure in 
+      H5VL__native_file_close() when the library finally exits and tries to 
+      access that file object in the table for closing.
+
+      The closing routine, H5F_dest(), will not free the file structure if
+      there is error, keeping a valid file structure in the ID node table.
+      It will be freed later in H5VL__native_file_close() when the
+      library exits and terminates the file package.
+
+      (VC - 2022/12/14, HDFFV-11052, CVE-2020-10812)
+
     - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
 
       Validate location (offset) of the accumulated metadata when comparing.

@@ -126,6 +126,7 @@ set (HDF5_REFERENCE_TEST_FILES
     btree_idx_1_6.h5
     btree_idx_1_8.h5
     corrupt_stab_msg.h5
+    cve_2020_10812.h5
     deflate.h5
     family_v16-000000.h5
     family_v16-000001.h5

@@ -330,6 +330,11 @@ typedef struct {
 #define MISC35_SPACE_DIM3 13
 #define MISC35_NPOINTS    10
 
+/* Definitions for misc. test #37 */
+/* The test file is formerly named h5_nrefs_POC.
+   See https://nvd.nist.gov/vuln/detail/CVE-2020-10812 */
+#define CVE_2020_10812_FILENAME "cve_2020_10812.h5"
+
 /****************************************************************
 **
 **  test_misc1(): test unlinking a dataset from a group and immediately
@@ -6044,6 +6049,39 @@ test_misc36(void)
     VERIFY(test_misc36_context, 0, "H5atclose");
 } /* end test_misc36() */
 
+/****************************************************************
+**
+**  test_misc37():
+**      Test for seg fault issue when closing the provided test file
+**      which has an illegal file size in its cache image.
+**      See HDFFV-11052/CVE-2020-10812 for details.
+**
+****************************************************************/
+static void
+test_misc37(void)
+{
+    const char *fname;
+    hid_t       fid;
+    herr_t      ret;
+
+    /* Output message about test being performed */
+    MESSAGE(5, ("Fix for HDFFV-11052/CVE-2020-10812"));
+
+    fname = H5_get_srcdir_filename(CVE_2020_10812_FILENAME);
+    fid   = H5Fopen(fname, H5F_ACC_RDONLY, H5P_DEFAULT);
+    CHECK(fid, FAIL, "H5Fopen");
+
+    /* This should fail due to the illegal file size.
+       It should fail gracefully and not seg fault */
+    H5E_BEGIN_TRY
+    {
+        ret = H5Fclose(fid);
+    }
+    H5E_END_TRY;
+    VERIFY(ret, FAIL, "H5Fclose");
+
+} /* end test_misc37() */
+
 /****************************************************************
 **
 **  test_misc(): Main misc. test routine.
@@ -6111,6 +6149,7 @@ test_misc(void)
     test_misc34(); /* Test behavior of 0 and NULL in H5MM API calls */
     test_misc35(); /* Test behavior of free-list & allocation statistics API calls */
     test_misc36(); /* Exercise H5atclose and H5is_library_terminating */
+    test_misc37(); /* Test for seg fault failure at file close */
 
 } /* test_misc() */