Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bmr dev hdffv 11223 #640

Merged
merged 4 commits into from
May 12, 2021
Merged

Bmr dev hdffv 11223 #640

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2bda10f
Fixed HDFFV-11223 (CVE-2018-14460)
bmribler May 11, 2021
319e7b8
Committing clang-format changes
github-actions[bot] May 11, 2021
783a256
Updated for test files
bmribler May 12, 2021
f61a343
Updated for HDFFV-11223
bmribler May 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion MANIFEST
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2836,7 +2836,8 @@
./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_test.ddl
./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_version_test.ddl
./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_zero.ddl
./tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5
./tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5
./tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5
./tools/test/h5repack/testfiles/GS.h5repack_paged_nopersist.h5.ddl
./tools/test/h5repack/testfiles/S.h5repack_fsm_aggr_persist.h5.ddl
./tools/test/h5repack/testfiles/SP.h5repack_fsm_aggr_nopersist.h5.ddl
Expand Down
13 changes: 12 additions & 1 deletion release_docs/RELEASE.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -823,7 +823,18 @@ Bug Fixes since HDF5-1.12.0 release
===================================
Library
-------
- Fixed CVE-2018-17435
- Fixed CVE-2018-14460

The tool h5repack produced a segfault when the rank in dataspace
message was corrupted, causing invalid read while decoding the
dimension sizes.

The problem was fixed by ensuring that decoding the dimension sizes
and max values will not go beyong the end of the buffer.

(BMR - 2021/05/12, HDFFV-11223)

- Fixed CVE-2018-11206

The tool h5dump produced a segfault when the size of a fill value
message was corrupted and caused a buffer overflow.
Expand Down
23 changes: 18 additions & 5 deletions src/H5Osdspace.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,12 +106,13 @@ H5FL_ARR_EXTERN(hsize_t);
--------------------------------------------------------------------------*/
static void *
H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags,
unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p)
{
H5S_extent_t *sdim = NULL; /* New extent dimensionality structure */
unsigned flags, version;
unsigned i; /* Local counting variable */
void * ret_value = NULL; /* Return value */
H5S_extent_t * sdim = NULL; /* New extent dimensionality structure */
unsigned flags, version;
unsigned i; /* Local counting variable */
const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */
void * ret_value = NULL; /* Return value */

FUNC_ENTER_STATIC

Expand Down Expand Up @@ -161,6 +162,13 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN

/* Decode dimension sizes */
if (sdim->rank > 0) {
/* Ensure that rank doesn't cause reading passed buffer's end,
due to possible data corruption */
uint8_t sizeof_size = H5F_SIZEOF_SIZE(f);
if (p + (sizeof_size * sdim->rank - 1) > p_end) {
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end")
}

if (NULL == (sdim->size = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")

Expand All @@ -170,6 +178,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN
if (flags & H5S_VALID_MAX) {
if (NULL == (sdim->max = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")

/* Ensure that rank doesn't cause reading passed buffer's end */
if (p + (sizeof_size * sdim->rank - 1) > p_end)
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end")

for (i = 0; i < sdim->rank; i++)
H5F_DECODE_LENGTH(f, p, sdim->max[i]);
} /* end if */
Expand Down
10 changes: 8 additions & 2 deletions tools/test/h5repack/CMakeTests.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_named_dtypes.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum_deflated.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_CVE-2018-17432.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_CVE-2018-14460.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nbit.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_objs.h5
${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_refs.h5
Expand Down Expand Up @@ -1551,10 +1552,15 @@
ADD_H5_TEST (HDFFV-7840 "TEST" h5diff_attr1.h5)

# test CVE-2018-17432 fix
set (arg h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6)
set (arg h5repack_CVE-2018-17432.h5 h5repack__CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6)
set (TESTTYPE "TEST")
ADD_H5_FILTER_TEST (HDFFV-10590 "" ${TESTTYPE} 1 ${arg})

# test CVE-2018-14460 fix
set (arg h5repack_CVE-2018-14460.h5 h5repack_CVE-2018-14460_out.h5)
set (TESTTYPE "TEST")
ADD_H5_FILTER_TEST (HDFFV-11223 "" ${TESTTYPE} 1 ${arg})

# tests for metadata block size option ('-M')
ADD_H5_TEST_META (meta_short h5repack_layout.h5 -M 8192)
ADD_H5_TEST_META (meta_long h5repack_layout.h5 --metadata_block_size=8192)
Expand Down
9 changes: 7 additions & 2 deletions tools/test/h5repack/h5repack.sh.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,8 @@ $SRC_H5REPACK_TESTFILES/h5repack_paged_persist.h5
########h5diff/testfile########
$SRC_H5DIFF_TESTFILES/h5diff_attr1.h5
########test#HDFFV-10590########
$SRC_H5REPACK_TESTFILES/h5repack_HDFFV-10590_CVE-2018-17432.h5
$SRC_H5REPACK_TESTFILES/h5repack_CVE-2018-17432.h5
$SRC_H5REPACK_TESTFILES/h5repack_CVE-2018-14460.h5
########tools/testfiles#for#external#links########
$SRC_TOOLS_TESTFILES/tsoftlinks.h5
$SRC_TOOLS_TESTFILES/textlinkfar.h5
Expand Down Expand Up @@ -1712,7 +1713,11 @@ TOOLTEST HDFFV-5932 h5repack_attr_refs.h5
TOOLTEST HDFFV-7840 h5diff_attr1.h5

# test HDFFV-10590
arg="h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6"
arg="h5repack_CVE-2018-17432.h5 h5repack_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6"
TOOLTEST_FAIL $arg

# test HDFFV-11223
arg="h5repack_CVE-2018-14460.h5 h5repack_CVE-2018-14460_out.h5"
TOOLTEST_FAIL $arg

# tests for metadata block size option
Expand Down
Binary file added tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5
View file
Open in desktop
Binary file not shown.
0 ...es/h5repack_HDFFV-10590_CVE-2018-17432.h5 → ...pack/testfiles/h5repack_CVE-2018-17432.h5
View file
Open in desktop
File renamed without changes.