-rw-r--r--.github/workflows/clang-format-fix.yml9
-rw-r--r--release_docs/RELEASE.txt33
-rw-r--r--src/H5Oattr.c7
-rw-r--r--testpar/t_pmulti_dset.c4
-rw-r--r--testpar/testpar.h7
-rw-r--r--tools/test/h5dump/CMakeTests.cmake5
-rw-r--r--tools/test/h5dump/testh5dump.sh.in5
-rw-r--r--tools/testfiles/tCVE-2021-37501_attr_decode.h5bin0 -> 48544 bytes
8 files changed, 60 insertions, 10 deletions
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index bb4d685..feaa3d0 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -1,3 +1,12 @@
+# NOTE: This action requires write permissions to be set in your GitHub
+# repo/fork for it to be able to commit changes.
+#
+# This is currently enabled via:
+#
+# settings > Actions > General > Workflow permissions
+#
+# which you will need to set to "Read and write permissions"
+#
name: clang-format Commit Changes
on:
workflow_dispatch:
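Review bot: The added header comment tells users to switch the repository-wide default to "Read and write permissions", which gives every workflow in the fork a write-capable token rather than only this one. If the job only needs to push the formatting commit, a narrower option is a top-level `permissions:` block in this file with `contents: write`, leaving the repository default read-only; the comment could then describe that instead. The job steps lie outside this hunk, so confirm that no other scope is needed before narrowing it.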
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 1a90c23..5dfcf52 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -146,6 +146,26 @@ Bug Fixes since HDF5-1.14.0 release
===================================
Library
-------
+ - Fixed issues in the Subfiling VFD when using the SELECT_IOC_EVERY_NTH_RANK
+ or SELECT_IOC_TOTAL I/O concentrator selection strategies
+
+ Multiple bugs involving these I/O concentrator selection strategies
+ were fixed, including:
+
+ * A bug that caused the selection strategy to be altered when
+ criteria for the strategy was specified in the
+ H5FD_SUBFILING_IOC_SELECTION_CRITERIA environment variable as
+ a single value, rather than in the old and undocumented
+ 'integer:integer' format
+ * Two bugs which caused a request for 'N' I/O concentrators to
+ result in 'N - 1' I/O concentrators being assigned, which also
+ lead to issues if only 1 I/O concentrator was requested
+
+ Also added a regression test for these two I/O concentrator selection
+ strategies to prevent future issues.
+
+ (JTH - 2023/03/15)
+
- Fixed a memory corruption issue that can occur when reading
from a dataset using a hyperslab selection in the file
dataspace and a point selection in the memory dataspace
@@ -195,6 +215,19 @@ Bug Fixes since HDF5-1.14.0 release
(JTH - 2023/02/16, GH #2433)
+ - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+ Check for overflow when calculating on-disk attribute data size.
+
+ A bogus hdf5 file may contain dataspace messages with sizes
+ which lead to the on-disk data sizes to exceed what is addressable.
+ When calculating the size, make sure, the multiplication does not
+ overflow.
+ The test case was crafted in a way that the overflow caused the
+ size to be 0.
+
+ (EFE - 2023/02/11 GH-2458)
+
Java Library
------------
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 6386865..e431cd2 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
else
p += attr->shared->ds_size;
- /* Get the datatype's size */
- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
/* Get the datatype & dataspace sizes */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
@@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+ /* Check if multiplication has overflown */
+ if ((attr->shared->data_size / dt_size) != ds_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
/* Go get the data */
if (attr->shared->data_size) {
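Review bot: The overflow test `if ((attr->shared->data_size / dt_size) != ds_size)` runs only after `H5_CHECKED_ASSIGN` has already done the multiplication and the narrowing to `size_t`, so it detects the wrap after the fact and depends on what that macro does with an out-of-range value. The macro's definition is not in this hunk; if it asserts in debug builds, a crafted file would abort there instead of reaching the error return. Checking before computing avoids that dependency: `if (ds_size > SIZE_MAX / dt_size) HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")` placed ahead of the assignment, with `dt_size` already known to be non-zero from the `H5T_get_size` check in the previous hunk. The comment would then read better as `/* Reject sizes whose product does not fit in size_t */`. H5O__attr_decode continues past the hunk, so it is worth confirming that `data_size` is also compared with the bytes remaining in the message buffer before the copy.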
diff --git a/testpar/t_pmulti_dset.c b/testpar/t_pmulti_dset.c
index 52d0aa7..dd9a71a 100644
--- a/testpar/t_pmulti_dset.c
+++ b/testpar/t_pmulti_dset.c
@@ -17,10 +17,6 @@
* Purpose: Test H5Dwrite_multi() and H5Dread_multi using randomized
* parameters in parallel. Also tests H5Dwrite() and H5Dread()
* using a similar method.
- *
- * Note that this test currently relies on all processes generating
- * the same sequence of random numbers after using a shared seed
- * value, therefore it may not work across multiple machines.
*/
#include "h5test.h"
diff --git a/testpar/testpar.h b/testpar/testpar.h
index 6c380a9..58bcab4 100644
--- a/testpar/testpar.h
+++ b/testpar/testpar.h
@@ -30,8 +30,11 @@
* mesg is not an empty string.
*/
#define MESG(mesg) \
- if (VERBOSE_MED && *mesg != '\0') \
- HDprintf("%s\n", mesg)
+ do { \
+ if (VERBOSE_MED && *mesg != '\0') { \
+ HDprintf("%s\n", mesg); \
+ } \
+ } while (0)
/*
* VRFY: Verify if the condition val is true.
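Review bot: The rewritten `MESG` still expands its argument unparenthesised and twice, in `*mesg != '\0'` and in the `HDprintf` call, so an argument such as `cond ? a : b` binds the `*` to `cond`, and an argument with side effects is evaluated twice. Writing `*(mesg) != '\0'` and `HDprintf("%s\n", (mesg));` fixes the precedence part. A `static` helper function taking `const char *` would remove the double evaluation as well. The comment block above the macro starts outside the hunk.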
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index bcbb1c1..c328ef1 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -344,6 +344,7 @@
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+ ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
#STD_REF_OBJ files
${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
@@ -1340,6 +1341,10 @@
ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
+ # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+ # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+ ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
+
# onion VFD tests
ADD_H5_TEST (tst_onion_objs 0 --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5)
ADD_H5_TEST (tst_onion_dset_ext 0 --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5)
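Review bot: The comment above `ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 ...)` identifies the reproducer only by a URL into a third-party repository, which can move or disappear; the same two comment lines are added in the second hunk of tools/test/h5dump/testh5dump.sh.in. Cite the stable identifiers the release note already uses and state the expected outcome, for example `# CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf (GH-2458): h5dump must return an error on the crafted attribute message`, keeping the URL as a secondary reference. The new file name also uses hyphens (`tCVE-2021-37501_...`) where the neighbouring entries use underscores (`tCVE_2018_11206_...`); following the existing pattern keeps the test lists consistent and easy to search.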
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index 24807cb..6ea410b 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
$SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion
$SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5
@@ -1495,6 +1496,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
# test Onion VFD
TOOLTEST tst_onion_objs.ddl --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5
TOOLTEST tst_onion_dset_ext.ddl --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
new file mode 100644
index 0000000..331b05b
--- /dev/null
+++ b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
Binary files differ