From abdc160a97c78b01580308fe43204a202d3a6951 Mon Sep 17 00:00:00 2001
From: Larry Knox
Date: Wed, 29 Mar 2023 13:15:11 -0500
Subject: Minor cherry-pick merges to 1.12 (#2581)

---
 .github/CODEOWNERS | 2 +-
 .github/workflows/clang-format-check.yml | 2 +-
 .github/workflows/clang-format-fix.yml | 15 ++++++++++++---
 doxygen/examples/tables/propertyLists.dox | 6 +-----
 release_docs/RELEASE.txt | 13 +++++++++++++
 src/H5Oattr.c | 7 +++----
 src/H5Ppublic.h | 11 +++++++----
 testpar/testpar.h | 7 +++++--
 tools/test/h5dump/CMakeTests.cmake | 5 +++++
 tools/test/h5dump/testh5dump.sh.in | 5 +++++
 tools/testfiles/tCVE-2021-37501_attr_decode.h5 | Bin 0 -> 48544 bytes
 11 files changed, 53 insertions(+), 20 deletions(-)
 create mode 100644 tools/testfiles/tCVE-2021-37501_attr_decode.h5

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 8d73684..506c668 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -2,7 +2,7 @@
 # Each line is a file pattern followed by one or more owners.
 # These owners will be the default owners for everything in the repo.
 
-* @lrknox @derobins @byrnHDF @fortnern @jhendersonHDF @vchoi-hdfgroup @bmribler @raylu-hdf @mattjala @brtnfld
+* @lrknox @derobins @byrnHDF @fortnern @jhendersonHDF @qkoziol @vchoi-hdfgroup @bmribler @glennsong09 @mattjala @brtnfld
 
 # Order is important. The last matching pattern has the most precedence.
 # So if a pull request only touches javascript files, only these owners
diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index e8251f2..70809a1 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -8,7 +8,7 @@ jobs:
     if: "!contains(github.event.head_commit.message, 'skip-ci')"
     steps:
       - uses: actions/checkout@v3
-      - name: Run clang-format style check for C and Java programs.
+      - name: Run clang-format style check for C and Java code
         uses: DoozyX/clang-format-lint-action@v0.13
         with:
           source: '.'
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml index c1110cf..feaa3d0 100644 --- a/.github/workflows/clang-format-fix.yml +++ b/.github/workflows/clang-format-fix.yml @@ -1,15 +1,24 @@ -name: clang-format Check +# NOTE: This action requires write permissions to be set in your GitHub +# repo/fork for it to be able to commit changes. +# +# This is currently enabled via: +# +# settings > Actions > General > Workflow permissions +# +# which you will need to set to "Read and write permissions" +# +name: clang-format Commit Changes on: workflow_dispatch: push: jobs: formatting-check: - name: Formatting Check + name: Commit Format Changes runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, 'skip-ci')" steps: - uses: actions/checkout@v3 - - name: Run clang-format style check for C and Java programs. + - name: Fix C and Java formatting issues detected by clang-format uses: DoozyX/clang-format-lint-action@v0.13 with: source: '.' diff --git a/doxygen/examples/tables/propertyLists.dox b/doxygen/examples/tables/propertyLists.dox index 375fd50..e77c2fd 100644 --- a/doxygen/examples/tables/propertyLists.dox +++ b/doxygen/examples/tables/propertyLists.dox @@ -372,10 +372,6 @@ regarding the driver. or retrieves information regarding driver. -#H5Pset_fapl_onion/#H5Pget_fapl_onion -Modifies/queries the file driver properties of the onion driver. - - #H5Pset_fapl_sec2 Sets driver for unbuffered permanent files or retrieves information regarding driver. @@ -952,4 +948,4 @@ encoding for object names. //! [acpl_table] * */ - \ No newline at end of file + diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 23cdc36..97f137d 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt 
@@ -226,6 +226,19 @@ Bug Fixes since HDF5-1.12.1 release
           hyperslab selection's dataspace.
 
           (JTH - 2023/03/23)
+
+    - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+      Check for overflow when calculating on-disk attribute data size.
+
+      A bogus hdf5 file may contain dataspace messages with sizes
+      which lead to the on-disk data sizes to exceed what is addressable.
+      When calculating the size, make sure, the multiplication does not
+      overflow.
+      The test case was crafted in a way that the overflow caused the
+      size to be 0.
+
+      (EFE - 2023/02/11 GH-2458)
 
     - Seg fault on file close
 
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index ac643ea..cb06f25 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
     else
         p += attr->shared->ds_size;
 
-    /* Get the datatype's size */
-    if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
-        HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
     /* Get the datatype & dataspace sizes */
     if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
         HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
@@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
 
     /* Compute the size of the data */
     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+    /* Check if multiplication has overflown */
+    if ((attr->shared->data_size / dt_size) != ds_size)
+        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
 
     /* Go get the data */
     if (attr->shared->data_size) {
diff --git a/src/H5Ppublic.h b/src/H5Ppublic.h
index 04b8f0e..33a1df9 100644
--- a/src/H5Ppublic.h
+++ b/src/H5Ppublic.h
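Review bot: The overflow guard added in the second H5Oattr.c hunk runs only after `H5_CHECKED_ASSIGN` has already formed `ds_size * (hsize_t)dt_size` and stored it into `attr->shared->data_size`; the division-based test does detect a wrapped or truncated product, but it is a post-hoc check whose soundness rests on `H5_CHECKED_ASSIGN` being a plain assignment in every build configuration, which is not visible in this hunk. Testing the operands before the product exists removes that dependency: `if (ds_size > (hsize_t)(SIZE_MAX / dt_size))` followed by `HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")`, placed ahead of the `H5_CHECKED_ASSIGN` line. Either form divides by `dt_size`, which is safe only because the context lines of the first hunk reject `dt_size == 0`; a comment such as `/* dt_size is non-zero (checked above), so the division cannot trap */` would make that ordering dependency explicit for the next maintainer. H5O__attr_decode's body begins and ends outside these hunks.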
@@ -2321,10 +2321,13 @@ H5_DLL herr_t H5Pset_deflate(hid_t plist_id, unsigned level);
  * (#H5Z_FILTER_DEFLATE) and the Fletcher32 error detection filter
  * (#H5Z_FILTER_FLETCHER32).
  *
- * The array \p c_values contains \p cd_nelmts integers which are
- * auxiliary data for the filter. The integer values will be
- * stored in the dataset object header as part of the filter
- * information.
+ * The array \p cd_values contains \p cd_nelmts unsigned integers
+ * which are auxiliary data for the filter. The values are typically
+ * used as parameters to control the filter. In a filter's
+ * \p set_local method (called from \p H5Dcreate), the values are
+ * interpreted and possibly modified before they are used to control
+ * the filter. These, possibly modified values, are then stored in
+ * the dataset object header as auxiliary data for the filter.
  *
  * The \p flags argument is a bit vector with the following
  * fields specifying certain general properties of the filter:
diff --git a/testpar/testpar.h b/testpar/testpar.h
index 6c380a9..58bcab4 100644
--- a/testpar/testpar.h
+++ b/testpar/testpar.h
@@ -30,8 +30,11 @@
  * mesg is not an empty string.
  */
 #define MESG(mesg) \
-    if (VERBOSE_MED && *mesg != '\0') \
-        HDprintf("%s\n", mesg)
+    do { \
+        if (VERBOSE_MED && *mesg != '\0') { \
+            HDprintf("%s\n", mesg); \
+        } \
+    } while (0)
 
 /*
  * VRFY: Verify if the condition val is true.
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index 2505e84..be1a414 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -339,6 +339,7 @@
       ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
       ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
       ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+      ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
       #STD_REF_OBJ files
       ${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
       ${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
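Review bot: The rewritten `MESG` body in the testpar.h hunk still uses its macro argument unparenthesized in `*mesg != '\0'` and `HDprintf("%s\n", mesg)`, so an argument that is itself an expression (for example a conditional `a ? s1 : s2`) would bind to the dereference incorrectly; the do/while wrapper fixes the dangling-else hazard but not this one. Parenthesizing is a two-token change: `if (VERBOSE_MED && *(mesg) != '\0') {` and `HDprintf("%s\n", (mesg));`. The argument is also evaluated twice, which is harmless for the string literals the name suggests but worth a sentence in the macro's header comment (`mesg is evaluated twice; pass a side-effect-free expression`), which starts above the hunk.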
@@ -1187,6 +1188,10 @@
   ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
   ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
 
+  # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+  # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+  ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
+
 ##############################################################################
 ### P L U G I N T E S T S
 ##############################################################################
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index 5d7ff88..ae5cc56 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
 $SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
 "
 
 LIST_OTHER_TEST_FILES="
@@ -1485,6 +1486,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
 TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
 TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
 
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
 # Clean up temporary files/directories
 CLEAN_TESTFILES_AND_TESTDIR
 
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5
new file mode 100644
index 0000000..331b05b
Binary files /dev/null and b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 differ
-- 
cgit v0.12
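Review bot: `ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)` pins only a non-zero exit status, so the regression test still passes if h5dump rejects the crafted file for an unrelated reason, and it cannot tell a clean H5E_OVERFLOW rejection from any later failure on the same bogus size; the `TOOLTEST_FAIL` line in the testh5dump.sh.in hunk has the same limitation. If the h5dump harness can compare stderr against an expected-output file, matching on the `data size exceeds addressable range` message from H5Oattr.c would tie the test to the fix it documents. Otherwise a comment on the ADD_H5_TEST line noting that only the exit code is verified would set expectations for whoever next touches these tests.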