-rw-r--r--.github/CODEOWNERS2
-rw-r--r--.github/workflows/clang-format-check.yml2
-rw-r--r--.github/workflows/clang-format-fix.yml15
-rw-r--r--doxygen/examples/tables/propertyLists.dox6
-rw-r--r--release_docs/RELEASE.txt13
-rw-r--r--src/H5Oattr.c7
-rw-r--r--src/H5Ppublic.h11
-rw-r--r--testpar/testpar.h7
-rw-r--r--tools/test/h5dump/CMakeTests.cmake5
-rw-r--r--tools/test/h5dump/testh5dump.sh.in5
-rw-r--r--tools/testfiles/tCVE-2021-37501_attr_decode.h5bin0 -> 48544 bytes
11 files changed, 53 insertions, 20 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 8d73684..506c668 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -2,7 +2,7 @@
# Each line is a file pattern followed by one or more owners.
# These owners will be the default owners for everything in the repo.
-* @lrknox @derobins @byrnHDF @fortnern @jhendersonHDF @vchoi-hdfgroup @bmribler @raylu-hdf @mattjala @brtnfld
+* @lrknox @derobins @byrnHDF @fortnern @jhendersonHDF @qkoziol @vchoi-hdfgroup @bmribler @glennsong09 @mattjala @brtnfld
# Order is important. The last matching pattern has the most precedence.
# So if a pull request only touches javascript files, only these owners
diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index e8251f2..70809a1 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -8,7 +8,7 @@ jobs:
if: "!contains(github.event.head_commit.message, 'skip-ci')"
steps:
- uses: actions/checkout@v3
- - name: Run clang-format style check for C and Java programs.
+ - name: Run clang-format style check for C and Java code
uses: DoozyX/clang-format-lint-action@v0.13
with:
source: '.'
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index c1110cf..feaa3d0 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -1,15 +1,24 @@
-name: clang-format Check
+# NOTE: This action requires write permissions to be set in your GitHub
+# repo/fork for it to be able to commit changes.
+#
+# This is currently enabled via:
+#
+# settings > Actions > General > Workflow permissions
+#
+# which you will need to set to "Read and write permissions"
+#
+name: clang-format Commit Changes
on:
workflow_dispatch:
push:
jobs:
formatting-check:
- name: Formatting Check
+ name: Commit Format Changes
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip-ci')"
steps:
- uses: actions/checkout@v3
- - name: Run clang-format style check for C and Java programs.
+ - name: Fix C and Java formatting issues detected by clang-format
uses: DoozyX/clang-format-lint-action@v0.13
with:
source: '.'
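Review bot: The new header comment tells maintainers to switch the whole repository to "Read and write permissions", but the workflow can scope its own token instead and leave the repository default read-only by adding `permissions:` followed by `  contents: write` between `name:` and `on:`. The job runs on every `push:` with no branch filter and delegates to the third-party `DoozyX/clang-format-lint-action@v0.13`, so with write access that action is trusted at a movable tag; pinning it to a full commit SHA (`uses: DoozyX/clang-format-lint-action@<commit-sha>`, SHA to be looked up) keeps a later tag move from inheriting the grant. The remainder of the job's configuration lies outside the hunk.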
diff --git a/doxygen/examples/tables/propertyLists.dox b/doxygen/examples/tables/propertyLists.dox
index 375fd50..e77c2fd 100644
--- a/doxygen/examples/tables/propertyLists.dox
+++ b/doxygen/examples/tables/propertyLists.dox
@@ -372,10 +372,6 @@ regarding the driver.</td>
or retrieves information regarding driver.</td>
</tr>
<tr>
-<td>#H5Pset_fapl_onion/#H5Pget_fapl_onion</td>
-<td>Modifies/queries the file driver properties of the onion driver.</td>
-</tr>
-<tr>
<td>#H5Pset_fapl_sec2</td>
<td>Sets driver for unbuffered permanent files or retrieves information regarding driver.</td>
</tr>
@@ -952,4 +948,4 @@ encoding for object names.</td>
//! [acpl_table]
*
*/
- \ No newline at end of file
+
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 23cdc36..97f137d 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -226,6 +226,19 @@ Bug Fixes since HDF5-1.12.1 release
hyperslab selection's dataspace.
(JTH - 2023/03/23)
+
+ - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+ Check for overflow when calculating on-disk attribute data size.
+
+ A bogus hdf5 file may contain dataspace messages with sizes
+ which lead to the on-disk data sizes to exceed what is addressable.
+ When calculating the size, make sure, the multiplication does not
+ overflow.
+ The test case was crafted in a way that the overflow caused the
+ size to be 0.
+
+ (EFE - 2023/02/11 GH-2458)
- Seg fault on file close
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index ac643ea..cb06f25 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
else
p += attr->shared->ds_size;
- /* Get the datatype's size */
- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
/* Get the datatype & dataspace sizes */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
@@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+ /* Check if multiplication has overflown */
+ if ((attr->shared->data_size / dt_size) != ds_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
/* Go get the data */
if (attr->shared->data_size) {
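Review bot: The added division check correctly detects a wrapped product (and, on 32-bit targets, truncation by `H5_CHECKED_ASSIGN`), but nothing visible in this hunk compares `attr->shared->data_size` with the bytes remaining in the message buffer before the read that follows `if (attr->shared->data_size) {`, so an oversized but non-wrapping product would still be trusted; if the decoder receives the message length (the signature in the hunk header is truncated, so this is inferred), a second guard against the bytes left after `p` would close that path. The division by `dt_size` is safe here because the `H5T_get_size` check above rejects zero. The comment `/* Check if multiplication has overflown */` would serve a future reader better as `/* A crafted dataspace can make ds_size * dt_size wrap or truncate; divide back so a bogus small size cannot reach the data read below */`. The body of H5O__attr_decode continues outside the hunk.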
diff --git a/src/H5Ppublic.h b/src/H5Ppublic.h
index 04b8f0e..33a1df9 100644
--- a/src/H5Ppublic.h
+++ b/src/H5Ppublic.h
@@ -2321,10 +2321,13 @@ H5_DLL herr_t H5Pset_deflate(hid_t plist_id, unsigned level);
* (#H5Z_FILTER_DEFLATE) and the Fletcher32 error detection filter
* (#H5Z_FILTER_FLETCHER32).
*
- * The array \p c_values contains \p cd_nelmts integers which are
- * auxiliary data for the filter. The integer values will be
- * stored in the dataset object header as part of the filter
- * information.
+ * The array \p cd_values contains \p cd_nelmts unsigned integers
+ * which are auxiliary data for the filter. The values are typically
+ * used as parameters to control the filter. In a filter's
+ * \p set_local method (called from \p H5Dcreate), the values are
+ * interpreted and possibly modified before they are used to control
+ * the filter. These, possibly modified values, are then stored in
+ * the dataset object header as auxiliary data for the filter.
*
* The \p flags argument is a bit vector with the following
* fields specifying certain general properties of the filter:
diff --git a/testpar/testpar.h b/testpar/testpar.h
index 6c380a9..58bcab4 100644
--- a/testpar/testpar.h
+++ b/testpar/testpar.h
@@ -30,8 +30,11 @@
* mesg is not an empty string.
*/
#define MESG(mesg) \
- if (VERBOSE_MED && *mesg != '\0') \
- HDprintf("%s\n", mesg)
+ do { \
+ if (VERBOSE_MED && *mesg != '\0') { \
+ HDprintf("%s\n", mesg); \
+ } \
+ } while (0)
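Review bot: The macro argument is still used unparenthesized in `*mesg != '\0'` and in the `HDprintf` call, so an argument expression such as `p + 1` would be dereferenced before the addition; since these lines are being rewritten anyway, `if (VERBOSE_MED && *(mesg) != '\0') { \` and `HDprintf("%s\n", (mesg)); \` cost nothing. The `do { } while (0)` wrapper itself is the right change, as it makes MESG behave as a single statement after an `if` without braces.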
/*
* VRFY: Verify if the condition val is true.
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index 2505e84..be1a414 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -339,6 +339,7 @@
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+ ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
#STD_REF_OBJ files
${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
@@ -1187,6 +1188,10 @@
ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
+ # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+ # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+ ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
+
##############################################################################
### P L U G I N T E S T S
##############################################################################
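Review bot: The new fixture name `tCVE-2021-37501_attr_decode` uses a hyphen where the neighbouring CVE tests (`tCVE_2018_11206_fill_old`, `tCVE_2018_11206_fill_new`) use underscores; the same spelling is repeated in the file list of the first hunk and in both testh5dump.sh.in hunks, so it is worth settling on one form now, before the binary fixture is widely referenced under that name. The comment's link to the external PoC is useful provenance, but the comment should also state what the test checks locally, e.g. `# h5dump must report an error and exit non-zero on this file rather than crash`, since the `1` argument (presumably the expected exit status) is the only local record of that expectation.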
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index 5d7ff88..ae5cc56 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
$SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
"
LIST_OTHER_TEST_FILES="
@@ -1485,6 +1486,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
# Clean up temporary files/directories
CLEAN_TESTFILES_AND_TESTDIR
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
new file mode 100644
index 0000000..331b05b
--- /dev/null
+++ b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
Binary files differ