From 7a4d7da14a745333c4e8f3955a0afd9db70969c0 Mon Sep 17 00:00:00 2001 From: Binh-Minh Ribler Date: Tue, 26 May 2020 15:39:39 -0500 Subject: Fix HDFFV-11053 Description: A superblock pointer was set to a temporary structure, as a kluge, and meant to be reset back to NULL after the processing was completed. However, in the case of failure before the completion, this setting caused the superblock pointer to be unpinned twice in the error recovery process. As a result, that generated a segfault in h5clear. The fix resets the superblock pointer to NULL after H5F__super_ext_remove_msg fails so that h5clear can fail properly. Note: After the fix, when built in debug mode, there will be an assertion failure with the user's file, which appeared to be corrupted: H5MM_final_sanity_check: Assertion `0 == H5MM_curr_alloc_bytes_s' failed. This did not happen on a good file or on the corrupted file with the library built in production mode. The un-freed memory were allocated during error recovery. Platforms tested: Linux/64 (jelly) --- src/H5Fsuper.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c index e5d4cde..40e93ec 100644 --- a/src/H5Fsuper.c +++ b/src/H5Fsuper.c @@ -897,7 +897,11 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, hbool_t initial_read) } else { if(H5F__super_ext_remove_msg(f, H5O_FSINFO_ID) < 0) + { + f->shared->sblock = NULL; + HGOTO_ERROR(H5E_FILE, H5E_CANTDELETE, FAIL, "error in removing message from superblock extension") + } if(H5F__super_ext_write_msg(f, H5O_FSINFO_ID, &fsinfo, TRUE, H5O_MSG_FLAG_MARK_IF_UNKNOWN) < 0) HGOTO_ERROR(H5E_FILE, H5E_WRITEERROR, FAIL, "error in writing fsinfo message to superblock extension") -- cgit v0.12 From 32c483cb86031962a09ecdb49dcb331d28dddee9 Mon Sep 17 00:00:00 2001 
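Review bot: The `H5F__super_ext_write_msg` failure branch just below the new block still reaches `HGOTO_ERROR` without clearing `f->shared->sblock`. If the temporary superblock assignment described in the commit message is still in effect at that point, error recovery can unpin it twice there, just as it did on the remove path. Either give that branch the same `f->shared->sblock = NULL;` before its `HGOTO_ERROR`, or clear the pointer once in the function's error cleanup so every early exit is covered. The kluge assignment and the cleanup code of `H5F__super_read` are outside this hunk, so this needs confirming against the full function.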
From: Larry Knox Date: Sat, 27 Jun 2020 15:39:53 -0500 Subject: Copy lib files for junit.sh to temporary subdirectory of /java/test instead of to the prefix/lib directory. Fix for HDFFV-11063. --- java/test/junit.sh.in | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/java/test/junit.sh.in b/java/test/junit.sh.in index 598b3d2..d9ff5a5 100644 --- a/java/test/junit.sh.in +++ b/java/test/junit.sh.in @@ -15,7 +15,6 @@ top_builddir=@top_builddir@ top_srcdir=@top_srcdir@ srcdir=@srcdir@ -prefix=@prefix@ USE_FILTER_SZIP="@USE_FILTER_SZIP@" USE_FILTER_DEFLATE="@USE_FILTER_DEFLATE@" @@ -43,8 +42,8 @@ myos=`uname -s` # where the libs exist HDFLIB_HOME="$top_srcdir/java/lib" -BLDLIBDIR="$prefix/lib" BLDDIR="." +BLDLIBDIR="$BLDDIR/testlibs" HDFTEST_HOME="$top_srcdir/java/test" JARFILE=jar@PACKAGE_TARNAME@-@PACKAGE_VERSION@.jar TESTJARFILE=jar@PACKAGE_TARNAME@test.jar @@ -204,10 +203,7 @@ CLEAN_LIBFILES_AND_BLDLIBDIR() INODE_SDIR=`$LS -i -d $SDIR | $AWK -F' ' '{print $1}'` INODE_DDIR=`$LS -i -d $BLDLIBDIR | $AWK -F' ' '{print $1}'` if [ "$INODE_SDIR" != "$INODE_DDIR" ]; then - for tstfile in $COPY_JARTESTFILES - do - $RM $BLDLIBDIR/tstfile - done + $RM -rf $BLDLIBDIR fi } -- cgit v0.12 From 7c006fd7617d54ab1b97e9aa1d7d8600385f3f3f Mon Sep 17 00:00:00 2001 From: Binh-Minh Ribler Date: Mon, 29 Jun 2020 14:16:35 -0500 Subject: - added comment to explain a kluge - added the associated entry to release notes --- release_docs/RELEASE.txt | 10 +++++++++- src/H5Fsuper.c | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 72cab28..d9267e8 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt 
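Review bot: The cleanup in CLEAN_LIBFILES_AND_BLDLIBDIR now deletes the whole directory with `$RM -rf $BLDLIBDIR`, and the expansion is unquoted, so the path is subject to word splitting and globbing. The only safeguard is the inode comparison with SDIR above it. That is safe while BLDLIBDIR is `$BLDDIR/testlibs`, but the variable pointed at `$prefix/lib` until this commit, so reverting the assignment hunk alone would make the test script recursively remove an install directory. I would quote the operand, `$RM -rf "$BLDLIBDIR"`, and add a comment at the assignment such as `# BLDLIBDIR is removed recursively on cleanup; keep it a scratch directory owned by this test`. The function begins outside this hunk.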
@@ -631,7 +631,15 @@ Bug Fixes since HDF5-1.10.3 release Library ------- - - Fixed the decoding of an attribute message to prevent a segfault by h52gif + - Fixed CVE-2020-10810 + + The tool h5clear produced a segfault during an error recovery in + the superblock decoding. An internal pointer was reset to prevent + further accessing when it is not assigned with a value. + + (BMR - 2020/6/29, HDFFV-11053) + + - Fixed CVE-2018-17435 The tool h52gif produced a segfault when the size of an attribute message was corrupted and caused a buffer overflow. diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c index 40e93ec..459a046 100644 --- a/src/H5Fsuper.c +++ b/src/H5Fsuper.c @@ -898,7 +898,9 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, hbool_t initial_read) else { if(H5F__super_ext_remove_msg(f, H5O_FSINFO_ID) < 0) { +#if 1 /* when removing "KLUGE ALERT" above, tidy this up as well */ /* BMR */ f->shared->sblock = NULL; +#endif /* BMR */ HGOTO_ERROR(H5E_FILE, H5E_CANTDELETE, FAIL, "error in removing message from superblock extension") } -- cgit v0.12 From b155a777629e991374fa2f8609719cb861de4cc2 Mon Sep 17 00:00:00 2001 From: Binh-Minh Ribler Date: Tue, 30 Jun 2020 00:57:46 -0500 Subject: Changed wording in comment. --- src/H5Fsuper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c index 459a046..9fd2831 100644 --- a/src/H5Fsuper.c +++ b/src/H5Fsuper.c @@ -898,9 +898,9 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, hbool_t initial_read) else { if(H5F__super_ext_remove_msg(f, H5O_FSINFO_ID) < 0) { -#if 1 /* when removing "KLUGE ALERT" above, tidy this up as well */ /* BMR */ +#if 1 /* bug fix test code -- tidy this up if all goes well */ /* JRM */ f->shared->sblock = NULL; -#endif /* BMR */ +#endif /* JRM */ HGOTO_ERROR(H5E_FILE, H5E_CANTDELETE, FAIL, "error in removing message from superblock extension") } -- cgit v0.12
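Review bot: Wrapping `f->shared->sblock = NULL;` in `#if 1 ... #endif` makes the reset look like optional scaffolding, although the release note added in this same commit lists it as the fix for CVE-2020-10810. A constant preprocessor guard changes nothing in the build and invites someone to flip it to `#if 0` while tidying. A plain comment on the statement carries the same reminder without that risk, for example `/* clear the temporary sblock set by the KLUGE above so error recovery does not unpin it twice */`. The "KLUGE ALERT" block the comment refers to is outside the hunk.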
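Review bot: The reworded comment `bug fix test code -- tidy this up if all goes well` no longer says what the reset protects against or what it depends on, and it labels a crash fix as test code. The previous wording at least pointed maintainers at the kluge whose removal would make the reset unnecessary, and a later cleanup needs that link. I would keep the reference and state the reason, for example `/* reset the temporary sblock (see KLUGE ALERT above) to avoid a double unpin on error -- HDFFV-11053 */`.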