author | Dana Robinson <43805+derobins@users.noreply.github.com> | 2021-08-12 12:21:50 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-12 12:21:50 (GMT) |
commit | b5c66529e9709839f336d2b6f0d453139a0744b5 (patch) | |
tree | 9926fba600f73eb479127773fd9a5dfe5e799b1c /test | |
parent | 7c918e685fea4d58b632389999f092b1f4b33d17 (diff) | |
Fixes a bad memory read and unfreed memory in fsinfo code (#893)
* Fixes a bad memory read and unfreed memory in fsinfo code
The segfault from CVE-2020-10810 was fixed some time ago, but the
illegal memory read and unfreed memory were not.
This fix tracks some buffer sizes and errors out gracefully on errors,
ensuring buffers are cleaned up and avoiding the H5FL infinite loop +
abort on library close.
* Committing clang-format changes
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/cve_2020_10810.h5 | bin | 0 -> 1808 bytes | |||
-rw-r--r-- | test/ohdr.c | 56 |
2 files changed, 56 insertions, 0 deletions
diff --git a/test/cve_2020_10810.h5 b/test/cve_2020_10810.h5 Binary files differnew file mode 100644 index 0000000..5cface3 --- /dev/null +++ b/test/cve_2020_10810.h5 diff --git a/test/ohdr.c b/test/ohdr.c index b7af77f..afcea87 100644 --- a/test/ohdr.c +++ b/test/ohdr.c @@ -457,6 +457,59 @@ error: } /* test_ohdr_swmr() */ /* + * Tests bad object header messages. + * + * Currently tests for CVE-2020-10810 fixes but can be expanded to handle + * other CVE badness. + */ + +/* This is a generated file that can be obtained from: + * + * https://nvd.nist.gov/vuln/detail/CVE-2020-10810 + * + * It was formerly named H5AC_unpin_entry_POC + */ +#define CVE_2020_10810_FILENAME "cve_2020_10810.h5" + +static herr_t +test_ohdr_badness(hid_t fapl) +{ + hid_t fid = H5I_INVALID_HID; + + /* CVE-2020-10810 involved a malformed fsinfo message + * This test ensures the fundamental problem is fixed. Running it under + * valgrind et al. will ensure that the memory leaks and invalid access + * are fixed. + */ + TESTING("Fix for CVE-2020-10810"); + + H5E_BEGIN_TRY + { + /* This should fail due to the malformed fsinfo message. It should + * fail gracefully and not segfault. + */ + fid = H5Fopen(CVE_2020_10810_FILENAME, H5F_ACC_RDWR, fapl); + } + H5E_END_TRY; + + if (fid >= 0) + FAIL_PUTS_ERROR("should not have been able to open malformed file"); + + PASSED(); + + return SUCCEED; + +error: + H5E_BEGIN_TRY + { + H5Fclose(fid); + } + H5E_END_TRY; + + return FAIL; +} + +/* * To test objects with unknown messages in a file with: * a) H5O_BOGUS_VALID_ID: * --the bogus_id is within the range of H5O_msg_class_g[] @@ -2047,6 +2100,9 @@ main(void) } /* high */ } /* low */ + /* Verify bad ohdr message fixes work */ + test_ohdr_badness(fapl); + /* Verify symbol table messages are cached */ if (h5_verify_cached_stabs(FILENAME, fapl) < 0) TEST_ERROR |
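Review bot: In test_ohdr_badness the only assertion is that `H5Fopen` fails, so the test also passes when cve_2020_10810.h5 cannot be found or read at all, and in that case the malformed fsinfo path is never exercised. The bare file name is resolved against the current working directory, which may not be the source directory in an out-of-tree build. If the test library's `H5_get_srcdir_filename()` helper is available here, resolving the path with `const char *testfile = H5_get_srcdir_filename(CVE_2020_10810_FILENAME);` and failing the test when the file is absent before the open would keep the regression check meaningful. Opening with `H5F_ACC_RDWR` also means a regression that lets the open succeed could write to the committed test file, so opening a local copy may be worth considering.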
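Review bot: The return value of `test_ohdr_badness(fapl)` is discarded in main, so a FAIL from the CVE-2020-10810 regression test would not reach main's error handling the way the neighbouring check does. Following the pattern on the next context lines, the call should read `if (test_ohdr_badness(fapl) < 0) TEST_ERROR`. main's body starts and ends outside this hunk, so the effect on the program's exit status is inferred from that pattern rather than visible here.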