diff options
| -rw-r--r-- | .github/workflows/clang-format-fix.yml | 9 | ||||
| -rw-r--r-- | release_docs/RELEASE.txt | 33 | ||||
| -rw-r--r-- | src/H5Oattr.c | 7 | ||||
| -rw-r--r-- | testpar/t_pmulti_dset.c | 4 | ||||
| -rw-r--r-- | testpar/testpar.h | 7 | ||||
| -rw-r--r-- | tools/test/h5dump/CMakeTests.cmake | 5 | ||||
| -rw-r--r-- | tools/test/h5dump/testh5dump.sh.in | 5 | ||||
| -rw-r--r-- | tools/testfiles/tCVE-2021-37501_attr_decode.h5 | bin | 0 -> 48544 bytes |
8 files changed, 60 insertions, 10 deletions
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml index bb4d685..feaa3d0 100644 --- a/.github/workflows/clang-format-fix.yml +++ b/.github/workflows/clang-format-fix.yml @@ -1,3 +1,12 @@ +# NOTE: This action requires write permissions to be set in your GitHub +# repo/fork for it to be able to commit changes. +# +# This is currently enabled via: +# +# settings > Actions > General > Workflow permissions +# +# which you will need to set to "Read and write permissions" +# name: clang-format Commit Changes on: workflow_dispatch: diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 1a90c23..5dfcf52 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -146,6 +146,26 @@ Bug Fixes since HDF5-1.14.0 release =================================== Library ------- + - Fixed issues in the Subfiling VFD when using the SELECT_IOC_EVERY_NTH_RANK + or SELECT_IOC_TOTAL I/O concentrator selection strategies + + Multiple bugs involving these I/O concentrator selection strategies + were fixed, including: + + * A bug that caused the selection strategy to be altered when + criteria for the strategy was specified in the + H5FD_SUBFILING_IOC_SELECTION_CRITERIA environment variable as + a single value, rather than in the old and undocumented + 'integer:integer' format + * Two bugs which caused a request for 'N' I/O concentrators to + result in 'N - 1' I/O concentrators being assigned, which also + lead to issues if only 1 I/O concentrator was requested + + Also added a regression test for these two I/O concentrator selection + strategies to prevent future issues. + + (JTH - 2023/03/15) + - Fixed a memory corruption issue that can occur when reading from a dataset using a hyperslab selection in the file dataspace and a point selection in the memory dataspace @@ -195,6 +215,19 @@ Bug Fixes since HDF5-1.14.0 release (JTH - 2023/02/16, GH #2433) + - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf + + Check for overflow when calculating on-disk attribute data size. + + A bogus hdf5 file may contain dataspace messages with sizes + which lead to the on-disk data sizes to exceed what is addressable. + When calculating the size, make sure, the multiplication does not + overflow. + The test case was crafted in a way that the overflow caused the + size to be 0. + + (EFE - 2023/02/11 GH-2458) + Java Library ------------ diff --git a/src/H5Oattr.c b/src/H5Oattr.c index 6386865..e431cd2 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u else p += attr->shared->ds_size; - /* Get the datatype's size */ - if (0 == (dt_size = H5T_get_size(attr->shared->dt))) - HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") - /* Get the datatype & dataspace sizes */ if (0 == (dt_size = H5T_get_size(attr->shared->dt))) HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") @@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u /* Compute the size of the data */ H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t); + /* Check if multiplication has overflown */ + if ((attr->shared->data_size / dt_size) != ds_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range") /* Go get the data */ if (attr->shared->data_size) { diff --git a/testpar/t_pmulti_dset.c b/testpar/t_pmulti_dset.c index 52d0aa7..dd9a71a 100644 --- a/testpar/t_pmulti_dset.c +++ b/testpar/t_pmulti_dset.c @@ -17,10 +17,6 @@ * Purpose: Test H5Dwrite_multi() and H5Dread_multi using randomized * parameters in parallel. Also tests H5Dwrite() and H5Dread() * using a similar method. - * - * Note that this test currently relies on all processes generating - * the same sequence of random numbers after using a shared seed - * value, therefore it may not work across multiple machines. */ #include "h5test.h" diff --git a/testpar/testpar.h b/testpar/testpar.h index 6c380a9..58bcab4 100644 --- a/testpar/testpar.h +++ b/testpar/testpar.h @@ -30,8 +30,11 @@ * mesg is not an empty string. */ #define MESG(mesg) \ - if (VERBOSE_MED && *mesg != '\0') \ - HDprintf("%s\n", mesg) + do { \ + if (VERBOSE_MED && *mesg != '\0') { \ + HDprintf("%s\n", mesg); \ + } \ + } while (0) /* * VRFY: Verify if the condition val is true. diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake index bcbb1c1..c328ef1 100644 --- a/tools/test/h5dump/CMakeTests.cmake +++ b/tools/test/h5dump/CMakeTests.cmake @@ -344,6 +344,7 @@ ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5 ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5 ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5 + ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5 #STD_REF_OBJ files ${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5 ${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5 @@ -1340,6 +1341,10 @@ ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5) ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5) + # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() + # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc + ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5) + # onion VFD tests ADD_H5_TEST (tst_onion_objs 0 --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5) ADD_H5_TEST (tst_onion_dset_ext 0 --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5) diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in index 24807cb..6ea410b 100644 --- a/tools/test/h5dump/testh5dump.sh.in +++ b/tools/test/h5dump/testh5dump.sh.in @@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5 $SRC_H5DUMP_TESTFILES/err_attr_dspace.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5 +$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5 $SRC_H5DUMP_TESTFILES/tst_onion_objs.h5 $SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion $SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5 @@ -1495,6 +1496,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5 +# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() +# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc +TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5 + # test Onion VFD TOOLTEST tst_onion_objs.ddl --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5 TOOLTEST tst_onion_dset_ext.ddl --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5 diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 Binary files differnew file mode 100644 index 0000000..331b05b --- /dev/null +++ b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 |