author | bmribler <39579120+bmribler@users.noreply.github.com> | 2021-03-19 13:15:03 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-19 13:15:03 (GMT) |
commit | dafc7285bb1df4a6529a64c215c5de4017016d24 (patch) | |
tree | c40eadbf742bfe9a949cffec62931bbe53ed92ec /tools | |
parent | 49a14f9e0279e5b43b15121a3d64105f0d7b65b0 (diff) | |
Fixed HDFFV-10480 (CVE-2018-11206) and HDFFV-11159 (CVE-2018-14033) (#405)
* Fixed HDFFV-10480 (CVE-2018-11206) and HDFFV-11159 (CVE-2018-14033)
Description
Checked against buffer size to prevent segfault, in case of data corruption.
+ HDFFV-11159 CVE-2018-14033 Buffer over-read in H5O_layout_decode
+ HDFFV-10480 CVE-2018-11206 Buffer over-read in H5O_fill_new[/old]_decode
Platforms tested:
Linux/64 (jelly)
* Accidentally left in another occurrence of the previous patch from user
after a more correct fix was applied, that is the check now accounted
for the previous advance of the buffer pointer. Removed it.
* Typo
* Fixed format issues.
* Added test.
* Changed arguments to ADD_H5_TEST
* Fixing arguments to ADD_H5_TEST again.
* Fixing arguments again.
* Took out the CMake changes until Allen can help.
* Added files:
tCVE_2018_11206_fill_old.h5
tCVE_2018_11206_fill_new.h5
* Revert "Took out the CMake changes until Allen can help."
This reverts commit c21324d6e0044994c5cd24b0671e7d1dd41096cc.
* Revert "Fixing arguments again."
This reverts commit 5832a70674339e4b524749adde5a181f8c3a446a.
* Revert "Fixing arguments to ADD_H5_TEST again."
This reverts commit b45de823c22ce83a388d46466ef7c04b66ff05ed.
* Revert "Changed arguments to ADD_H5_TEST"
This reverts commit 16719824f57e52158451ddd261788c0dcaa3ec55.
* Added first argument to ADD_H5_TEST for HDFFV-10480 fix.
* Changed argument 0 to 1
* Revert "Changed argument 0 to 1"
This reverts commit b343d6613ba681b43248dd5820e96389984ebcf7.
* Revert "Added first argument to ADD_H5_TEST for HDFFV-10480 fix."
This reverts commit b8a0f9a9e8ec8e6c6ff38d33195d63edff76a563.
* Added first argument and corrected the second.
* Updated fixes for HDFFV-10480 and HDFFV-11159/HDFFV-11049
* Improved error messages.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/test/h5dump/CMakeTests.cmake | 6 |
-rw-r--r-- | tools/test/h5dump/testh5dump.sh.in | 35 |
-rw-r--r-- | tools/testfiles/tCVE_2018_11206_fill_new.h5 | bin | 0 -> 1752 bytes |
-rw-r--r-- | tools/testfiles/tCVE_2018_11206_fill_old.h5 | bin | 0 -> 2560 bytes |
4 files changed, 41 insertions, 0 deletions
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake index 4b61569..411e9ef 100644 --- a/tools/test/h5dump/CMakeTests.cmake +++ b/tools/test/h5dump/CMakeTests.cmake @@ -333,6 +333,8 @@ ${HDF5_TOOLS_DIR}/testfiles/tvlstr.h5 ${HDF5_TOOLS_DIR}/testfiles/tvms.h5 ${HDF5_TOOLS_DIR}/testfiles/t128bit_float.h5 + ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5 + ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5 ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5 #STD_REF_OBJ files ${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5 @@ -1179,6 +1181,10 @@ # test to verify HDFFV-9407: long double full precision # ADD_H5_GREP_TEST (t128bit_float 1 "1.123456789012345" -m %.35Lg t128bit_float.h5) + # test to verify HDFFV-10480: out of bounds read in H5O_fill_new[old]_decode + ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5) + ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5) + ############################################################################## ### P L U G I N T E S T S ############################################################################## diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in index f985da5..c4e2fd4 100644 --- a/tools/test/h5dump/testh5dump.sh.in +++ b/tools/test/h5dump/testh5dump.sh.in @@ -181,6 +181,8 @@ $SRC_H5DUMP_TESTFILES/tvlenstr_array.h5 $SRC_H5DUMP_TESTFILES/tvlstr.h5 $SRC_H5DUMP_TESTFILES/tvms.h5 $SRC_H5DUMP_TESTFILES/err_attr_dspace.h5 +$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5 +$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5 " LIST_OTHER_TEST_FILES=" 
@@ -870,6 +872,35 @@ TOOLTEST5() { fi } +# same as TOOLTEST1 but expects h5dump to fail +# +TOOLTEST_FAIL() { + + infile=$1 + expect="$TESTDIR/`basename $1 exp`.ddl" + actual="$TESTDIR/`basename $1 .exp`.out" + + # Run test. + TESTING $DUMPER $@ + ( + cd $TESTDIR + $RUNSERIAL $DUMPER_BIN "$@" $infile + ) >&$actual + RET=$? + # Segfault occurred + if [ $RET == 139 ] ; then + nerrors="`expr $nerrors + 1`" + echo "*FAILED - test on $infile failed with segmentation fault" + # Should fail but didn't + elif [ $RET == 0 ] ; then + nerrors="`expr $nerrors + 1`" + echo "*FAILED - test on $infile did not fail as expected" + else + echo " PASSED" + fi + +} + # ADD_HELP_TEST TOOLTEST_HELP() { @@ -1448,6 +1479,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5 # test to verify HDFFV-9407: long double full precision #GREPTEST OUTTXT "1.123456789012345" t128bit_float.ddl -m %.35Lf t128bit_float.h5 +# test to verify HDFFV-10480: out of bounds read in H5O_fill_new[old]_decode +TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5 +TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5 + # Clean up temporary files/directories CLEAN_TESTFILES_AND_TESTDIR diff --git a/tools/testfiles/tCVE_2018_11206_fill_new.h5 b/tools/testfiles/tCVE_2018_11206_fill_new.h5 Binary files differnew file mode 100644 index 0000000..643591c --- /dev/null +++ b/tools/testfiles/tCVE_2018_11206_fill_new.h5 diff --git a/tools/testfiles/tCVE_2018_11206_fill_old.h5 b/tools/testfiles/tCVE_2018_11206_fill_old.h5 Binary files differnew file mode 100644 index 0000000..7f5b41a --- /dev/null +++ b/tools/testfiles/tCVE_2018_11206_fill_old.h5 |
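Review bot: In the CMakeTests.cmake hunk at -1179, the two ADD_H5_TEST calls pass a bare `1` as the second argument with no comment saying what it means, while the shell counterpart TOOLTEST_FAIL accepts any nonzero status other than 139. If `1` is the expected exit code, say so in the comment above the calls and make the two harnesses check the same condition. The comment and test names also cover only HDFFV-10480 (CVE-2018-11206); the tools changes shown here add no test file for HDFFV-11159 (CVE-2018-14033, H5O_layout_decode), which the commit message lists as fixed too, so either add one or note where that case is exercised.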
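Review bot: In TOOLTEST_FAIL (testh5dump.sh.in, hunk at -870), only exit status 139 is treated as a crash, so an h5dump that dies from any other signal, such as an abort, falls through to the else branch and prints PASSED. Consider counting any status above 128 as a failure, or comparing against the specific error status the fixed library is expected to return. Three smaller points in the same function: `expect` is assigned (using `basename $1 exp`, without the dot that the next line has) but never read, so it can be dropped; `"$@" $infile` hands the file name to h5dump twice when the function is called with a single argument, as it is in the hunk at -1448; and `[ $RET == 139 ]` relies on `==` inside `[`, which is a bash extension, where `-eq` is the portable numeric comparison.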