authorDana Robinson <43805+derobins@users.noreply.github.com>2023-08-30 12:39:33 (GMT)
committerGitHub <noreply@github.com>2023-08-30 12:39:33 (GMT)
commit4646ac859c5c1ba45c8b864a0dbc713525467d1a (patch)
tree002a3f3a180cc40aa87133c895b66e0ca82ac38e
parent8063108578873e512c4e5432955086c0bb04b878 (diff)
Bring CVE fixes from develop (#3447)
* Bring CVE fixes from develop * Fix for CVE-2018-15671 * Fix for CVE-2016-4332 * Update the CVE matrix
-rw-r--r--CVE_list_1_14.md11
-rw-r--r--release_docs/RELEASE.txt14
-rw-r--r--src/H5Gint.c22
-rw-r--r--src/H5Omessage.c16
-rw-r--r--tools/src/h5dump/h5dump_ddl.c9
-rw-r--r--tools/testfiles/tgroup-2.ddl9
6 files changed, 33 insertions, 48 deletions
diff --git a/CVE_list_1_14.md b/CVE_list_1_14.md
index d036aa8..3de7f74 100644
--- a/CVE_list_1_14.md
+++ b/CVE_list_1_14.md
@@ -35,7 +35,7 @@
| [CVE-2018-17233](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17233) | | | | |
| [CVE-2018-16438](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16438) | | | | |
| [CVE-2018-15672](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15672) | | | | |
-| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | FAILED |
+| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | |
| [CVE-2018-14460](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14460) | | | | |
| [CVE-2018-14035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14035) | | | | |
| [CVE-2018-14034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14034) | | | | |
@@ -63,13 +63,12 @@
| [CVE-2017-17507](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507) | FAILED | FAILED | | |
| [CVE-2017-17506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506) | | | | |
| [CVE-2017-17505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505) | | | | |
-| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
+| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | | | | |
+| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | FAILED | FAILED | FAILED | |
+| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | | | | |
+| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | | | | |
## NOTES
-* No test files are available for the 2016 CVE issues as Talos doesn't release proof-of-vulnerability files. We will add our own proof-of-vulnerability files in the future.
* CVE-2021-45832 has no known proof of vulnerability file. We will attempt to create our own.
* CVE-2021-31009 is not a specific vulnerability against HDF5.
* CVE-2022-25942, CVE-2022-25972, and CVE-2022-26061 are not tested. Those vulnerabilities involve the high-level GIF tools and can be avoided by disabling those tools at build time.
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 40faff6..db6b27a 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release
===================================
Library
-------
+ - Fixed an assertion in a previous fix for CVE-2016-4332
+
+ An assert could fail when processing corrupt files that have invalid
+ shared message flags (as in CVE-2016-4332).
+
+ The assert statement in question has been replaced with pointer checks
+ that don't raise errors. Since the function is in cleanup code, we do
+ our best to close and free things, even when presented with partially
+ initialized structs.
+
+ Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo)
+
- Fixed performance regression with some compound type conversions
In-place type conversion was introduced for most use cases in 1.14.2.
@@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release
this optimized conversion and there is no benefit in terms of the I/O
size.
- - Fixed an assertion in a previous fix for CVE-2016-4332
-
Java Library
------------
diff --git a/src/H5Gint.c b/src/H5Gint.c
index 1a9b335..8607c3b 100644
--- a/src/H5Gint.c
+++ b/src/H5Gint.c
@@ -977,15 +977,13 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
/* Check if we've seen the object the link references before */
if (NULL == H5SL_search(udata->visited, &obj_pos)) {
H5O_type_t otype; /* Basic object type (group, dataset, etc.) */
- unsigned rc; /* Reference count of object */
/* Get the object's reference count and type */
- if (H5O_get_rc_and_type(&obj_oloc, &rc, &otype) < 0)
+ if (H5O_get_rc_and_type(&obj_oloc, NULL, &otype) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTGET, H5_ITER_ERROR, "unable to get object info");
- /* If its ref count is > 1, we add it to the list of visited objects */
- /* (because it could come up again during traversal) */
- if (rc > 1) {
+ /* Add it to the list of visited objects */
+ {
H5_obj_t *new_node; /* New object node for visited list */
/* Allocate new object "position" node */
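Review bot: The new comment `/* Add it to the list of visited objects */` drops the rationale the deleted "rc > 1" comment carried, so a later reader sees an unconditional bare `{` block and may reinstate the refcount shortcut as an optimization. Suggest replacing it with `/* Record every object, not only those with rc > 1: the reference count is read from the file, and an inconsistent file may report 1 for an object reached by more than one link, so the visited list is the only cycle guard */`; the same applies to the H5G_visit hunk at `@@ -1136,13 +1133,8 @@`. The call now passes NULL for the rc argument of H5O_get_rc_and_type; the deleted H5G_visit code shows NULL is accepted for otype, but whether rc may be NULL is not visible here and should be confirmed against that function. H5G__visit_cb starts and ends outside this hunk.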
@@ -999,7 +997,7 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
if (H5SL_insert(udata->visited, new_node, new_node) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, H5_ITER_ERROR,
"can't insert object node into visited list");
- } /* end if */
+ }
/* If it's a group, we recurse into it */
if (otype == H5O_TYPE_GROUP) {
@@ -1094,7 +1092,6 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
hid_t gid = H5I_INVALID_HID; /* Group ID */
H5G_t *grp = NULL; /* Group opened */
H5G_loc_t start_loc; /* Location of starting group */
- unsigned rc; /* Reference count of object */
herr_t ret_value = FAIL; /* Return value */
/* Portably clear udata struct (before FUNC_ENTER) */
@@ -1136,13 +1133,8 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
if ((udata.visited = H5SL_create(H5SL_TYPE_OBJ, NULL)) == NULL)
HGOTO_ERROR(H5E_SYM, H5E_CANTCREATE, FAIL, "can't create skip list for visited objects");
- /* Get the group's reference count */
- if (H5O_get_rc_and_type(&grp->oloc, &rc, NULL) < 0)
- HGOTO_ERROR(H5E_SYM, H5E_CANTGET, FAIL, "unable to get object info");
-
- /* If its ref count is > 1, we add it to the list of visited objects */
- /* (because it could come up again during traversal) */
- if (rc > 1) {
+ /* Add it to the list of visited objects */
+ {
H5_obj_t *obj_pos; /* New object node for visited list */
/* Allocate new object "position" node */
@@ -1156,7 +1148,7 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
/* Add to list of visited objects */
if (H5SL_insert(udata.visited, obj_pos, obj_pos) < 0)
HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, FAIL, "can't insert object node into visited list");
- } /* end if */
+ }
/* Attempt to get the link info for this group */
if ((linfo_exists = H5G__obj_get_linfo(&(grp->oloc), &linfo)) < 0)
diff --git a/src/H5Omessage.c b/src/H5Omessage.c
index d76409d..e492ceb 100644
--- a/src/H5Omessage.c
+++ b/src/H5Omessage.c
@@ -619,13 +619,12 @@ H5O__msg_free_mesg(H5O_mesg_t *mesg)
} /* end H5O__msg_free_mesg() */
/*-------------------------------------------------------------------------
- * Function: H5O_msg_free_real
+ * Function: H5O_msg_free_real
*
- * Purpose: Similar to H5O_msg_reset() except it also frees the message
- * pointer.
+ * Purpose: Similar to H5O_msg_reset() except it also frees the message
+ * pointer
*
- * Return: Success: NULL
- * Failure: NULL
+ * Return: NULL (always)
*
*-------------------------------------------------------------------------
*/
@@ -634,16 +633,15 @@ H5O_msg_free_real(const H5O_msg_class_t *type, void *msg_native)
{
FUNC_ENTER_NOAPI_NOINIT_NOERR
- /* check args */
- assert(type);
+ /* Don't assert on args since this could be called in cleanup code */
if (msg_native) {
H5O__msg_reset_real(type, msg_native);
- if (NULL != (type->free))
+ if (type && type->free)
(type->free)(msg_native);
else
H5MM_xfree(msg_native);
- } /* end if */
+ }
FUNC_LEAVE_NOAPI(NULL)
} /* end H5O_msg_free_real() */
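Review bot: The NULL guard `if (type && type->free)` comes after `H5O__msg_reset_real(type, msg_native)`, which receives the same possibly-NULL `type` unguarded; its body is outside this hunk, but a reset routine keyed on the message class is likely to dereference it, so the cleanup path this commit is hardening could still fault before reaching the new check. Either guard that call as well, `if (type) H5O__msg_reset_real(type, msg_native);`, or confirm H5O__msg_reset_real tolerates a NULL class and say so in the replacement comment. The header comment in the preceding hunk (`@@ -619,13 +619,12 @@`) should also record the new contract, e.g. `* Note: type may be NULL when invoked from cleanup paths; the native message is then released with H5MM_xfree`.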
diff --git a/tools/src/h5dump/h5dump_ddl.c b/tools/src/h5dump/h5dump_ddl.c
index 8a02a49..adc8585 100644
--- a/tools/src/h5dump/h5dump_ddl.c
+++ b/tools/src/h5dump/h5dump_ddl.c
@@ -853,10 +853,7 @@ dump_group(hid_t gid, const char *name)
H5Oget_info3(gid, &oinfo, H5O_INFO_BASIC);
- /* Must check for uniqueness of all objects if we've traversed an elink,
- * otherwise only check if the reference count > 1.
- */
- if (oinfo.rc > 1 || hit_elink) {
+ {
obj_t *found_obj; /* Found object */
found_obj = search_obj(group_table, &oinfo.token);
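Review bot: With the `if (oinfo.rc > 1 || hit_elink)` condition removed, the group-table lookup and displayed-flag handling now run for every group, and the updated tools/testfiles/tgroup-2.ddl shows the visible consequence: the listing of g2 under "/" is emitted as `HARDLINK "/g2"` where it was previously expanded, presumably because the same group was already displayed earlier in that run. If that output change is intended it belongs in RELEASE.txt, which only describes the CVE-2016-4332 assert change; if not, the revised expectation is masking a regression. The deleted comment should be replaced rather than dropped, e.g. `/* Always consult the object table: the file's reference count cannot be trusted to flag groups reachable by more than one path */`, and if `hit_elink` has no remaining reader after this change it can go too. dump_group continues outside the hunk, and the companion hunk at `@@ -880,10 +877,6 @@` removes the matching else branch.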
@@ -880,10 +877,6 @@ dump_group(hid_t gid, const char *name)
link_iteration(gid, crt_order_flags);
}
}
- else {
- attr_iteration(gid, attr_crt_order_flags);
- link_iteration(gid, crt_order_flags);
- }
dump_indent -= COL;
ctx.indent_level--;
diff --git a/tools/testfiles/tgroup-2.ddl b/tools/testfiles/tgroup-2.ddl
index 2ac8ac6..5374742 100644
--- a/tools/testfiles/tgroup-2.ddl
+++ b/tools/testfiles/tgroup-2.ddl
@@ -17,14 +17,7 @@ GROUP "/" {
}
}
GROUP "g2" {
- GROUP "g2.1" {
- GROUP "g2.1.1" {
- }
- GROUP "g2.1.2" {
- }
- GROUP "g2.1.3" {
- }
- }
+ HARDLINK "/g2"
}
GROUP "g3" {
GROUP "g3.1" {