summaryrefslogtreecommitdiffstats
path: root/tools
diff options
context:
space:
mode:
authorEgbert Eich <eich@suse.com>2023-03-02 17:17:49 (GMT)
committerGitHub <noreply@github.com>2023-03-02 17:17:49 (GMT)
commitb16ec83d4bd79f9ffaad85de16056419f3532887 (patch)
treea8d04d51a806c1f0a0c52485ff8dc60c487ddc14 /tools
parent877e4a67c5440f801e9faccf4ca1a451c89eae59 (diff)
downloadhdf5-b16ec83d4bd79f9ffaad85de16056419f3532887.zip
hdf5-b16ec83d4bd79f9ffaad85de16056419f3532887.tar.gz
hdf5-b16ec83d4bd79f9ffaad85de16056419f3532887.tar.bz2
Check for overflow when calculating on-disk attribute data size (#2459)
* Remove duplicate code Signed-off-by: Egbert Eich <eich@suse.com> * Add test case for CVE-2021-37501 Bogus sizes in this test case causes the on-disk data size calculation in H5O__attr_decode() to overflow so that the calculated size becomes 0. This causes the read to overflow and h5dump to segfault. This test case was crafted, the test file was not directly generated by HDF5. Test case from: https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md
Diffstat (limited to 'tools')
-rw-r--r--tools/test/h5dump/CMakeTests.cmake5
-rw-r--r--tools/test/h5dump/testh5dump.sh.in5
-rw-r--r--tools/testfiles/tCVE-2021-37501_attr_decode.h5bin0 -> 48544 bytes
3 files changed, 10 insertions, 0 deletions
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index bcbb1c1..c328ef1 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -344,6 +344,7 @@
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+ ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
#STD_REF_OBJ files
${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
@@ -1340,6 +1341,10 @@
ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
+ # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+ # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+ ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
+
# onion VFD tests
ADD_H5_TEST (tst_onion_objs 0 --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5)
ADD_H5_TEST (tst_onion_dset_ext 0 --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5)
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index 24807cb..6ea410b 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
$SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion
$SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5
@@ -1495,6 +1496,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
# test Onion VFD
TOOLTEST tst_onion_objs.ddl --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5
TOOLTEST tst_onion_dset_ext.ddl --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
new file mode 100644
index 0000000..331b05b
--- /dev/null
+++ b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
Binary files differ