From 24700e8f0607e9a3782c843528e2c5a892d4d6f6 Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Fri, 2 Dec 2022 21:24:14 +0100
Subject: CVE 2021 46242 develop (#2255)

* When evicting driver info block, NULL the corresponding entry Since H5C_expunge_entry() called (from H5AC_expunge_entry()) sets the flag H5C__FLUSH_INVALIDATE_FLAG, the driver info block will be freed. NULLing the pointer in f->shared->drvinfo will prevent use-after-free when it is used in other functions (like H5F__dest()) - as other places will check whether the pointer is initialized before using its value. This fixes CVE-2021-46242 / Bug #2254
Signed-off-by: Egbert Eich
* When evicting the superblock, NULL the corresponding entry The call to H5AC_expunge_entry() will free the corresonding structure, to avoid a use-after-free, the corrsponding pointer entry will be NULLed.
Signed-off-by: Egbert Eich
Signed-off-by: Egbert Eich
---
 release_docs/RELEASE.txt | 12 ++++++++++++
 src/H5Fsuper.c | 8 ++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 8709686..c71c4fa 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -172,6 +172,18 @@ Bug Fixes since HDF5-1.13.3 release
 ===================================
 Library
 -------
+ - Fix CVE-2021-46242 / GHSA-x9pw-hh7v-wjpf
+
+ When evicting driver info block, NULL the corresponding entry.
+
+ Since H5C_expunge_entry() called (from H5AC_expunge_entry()) sets the flag
+ H5C__FLUSH_INVALIDATE_FLAG, the driver info block will be freed. NULLing
+ the pointer in f->shared->drvinfo will prevent use-after-free when it is
+ used in other functions (like H5F__dest()) - as other places will check
+ whether the pointer is initialized before using its value.
+
+ (EFE - 2022/09/29 GH-2254)
+
 - Fix CVE-2018-13867 / GHSA-j8jr-chrh-qfrf
 
 Validate location (offset) of the accumulated metadata when comparing.
diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
index fdedc9a..cf18fb0 100644
--- a/src/H5Fsuper.c
+++ b/src/H5Fsuper.c
@@ -1044,8 +1044,11 @@ done:
 HDONE_ERROR(H5E_FILE, H5E_CANTUNPIN, FAIL, "unable to unpin driver info")
 
 /* Evict the driver info block from the cache */
- if (sblock && H5AC_expunge_entry(f, H5AC_DRVRINFO, sblock->driver_addr, H5AC__NO_FLAGS_SET) < 0)
- HDONE_ERROR(H5E_FILE, H5E_CANTEXPUNGE, FAIL, "unable to expunge driver info block")
+ if (sblock) {
+ if (H5AC_expunge_entry(f, H5AC_DRVRINFO, sblock->driver_addr, H5AC__NO_FLAGS_SET) < 0)
+ HDONE_ERROR(H5E_FILE, H5E_CANTEXPUNGE, FAIL, "unable to expunge driver info block")
+ f->shared->drvinfo = NULL;
+ }
 } /* end if */
 
 /* Unpin & discard superblock */
@@ -1057,6 +1060,7 @@ done:
 /* Evict the superblock from the cache */
 if (H5AC_expunge_entry(f, H5AC_SUPERBLOCK, (haddr_t)0, H5AC__NO_FLAGS_SET) < 0)
 HDONE_ERROR(H5E_FILE, H5E_CANTEXPUNGE, FAIL, "unable to expunge superblock")
+ f->shared->sblock = NULL;
 } /* end if */
 } /* end if */
 
-- 
cgit v0.12
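Review bot: In the first hunk `f->shared->drvinfo = NULL;` runs even when `H5AC_expunge_entry()` fails, since `HDONE_ERROR` records the error without leaving the block; on that path the cache presumably still owns the driver info entry while the file struct drops its only reference, so a failed expunge becomes an orphaned entry rather than a use-after-free. That is a defensible trade-off for error cleanup, but nothing in the code says it is deliberate, and the same applies to `f->shared->sblock = NULL;` in the second hunk. I would put `/* Expunge frees the entry (H5C__FLUSH_INVALIDATE_FLAG); clear the pointer even on failure so later cleanup such as H5F__dest() never dereferences it */` above each assignment. The enclosing cleanup block and the function's `done:` section start and end outside both hunks.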