From 9fb2c24c2eb2454430701247a984780654ca0544 Mon Sep 17 00:00:00 2001 From: bmribler <39579120+bmribler@users.noreply.github.com> Date: Wed, 12 May 2021 15:35:53 -0400 Subject: Bmr dev hdffv 11223 (#640) * Fixed HDFFV-11223 (CVE-2018-14460) Description - Added checks against buffer size to prevent segfault, in case of data corruption, for sdim->size and sdim->max. - Renamed data files in an existing test to shorten their length as agreed with other developers previously. Platforms tested: Linux/64 (jelly) * Committing clang-format changes * Updated for test files * Updated for HDFFV-11223 Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> --- MANIFEST | 3 ++- release_docs/RELEASE.txt | 13 +++++++++++- src/H5Osdspace.c | 23 ++++++++++++++++----- tools/test/h5repack/CMakeTests.cmake | 10 +++++++-- tools/test/h5repack/h5repack.sh.in | 9 ++++++-- .../h5repack/testfiles/h5repack_CVE-2018-14460.h5 | Bin 0 -> 2560 bytes .../h5repack/testfiles/h5repack_CVE-2018-17432.h5 | Bin 0 -> 7648 bytes .../h5repack_HDFFV-10590_CVE-2018-17432.h5 | Bin 7648 -> 0 bytes 8 files changed, 47 insertions(+), 11 deletions(-) create mode 100644 tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5 create mode 100644 tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5 delete mode 100644 tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 diff --git a/MANIFEST b/MANIFEST index 9ecef83..9832159 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -2836,7 +2836,8 @@ ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_test.ddl ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_version_test.ddl ./tools/test/h5repack/testfiles/h5repack_layout.h5-plugin_zero.ddl -./tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 +./tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5 +./tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5 ./tools/test/h5repack/testfiles/GS.h5repack_paged_nopersist.h5.ddl ./tools/test/h5repack/testfiles/S.h5repack_fsm_aggr_persist.h5.ddl ./tools/test/h5repack/testfiles/SP.h5repack_fsm_aggr_nopersist.h5.ddl diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index be8440f..9e99e66 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -823,7 +823,18 @@ Bug Fixes since HDF5-1.12.0 release =================================== Library ------- - - Fixed CVE-2018-17435 + - Fixed CVE-2018-14460 + + The tool h5repack produced a segfault when the rank in dataspace + message was corrupted, causing invalid read while decoding the + dimension sizes. + + The problem was fixed by ensuring that decoding the dimension sizes + and max values will not go beyong the end of the buffer. + + (BMR - 2021/05/12, HDFFV-11223) + + - Fixed CVE-2018-11206 The tool h5dump produced a segfault when the size of a fill value message was corrupted and caused a buffer overflow. diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c index 2cdf6ec..dab989f 100644 --- a/src/H5Osdspace.c +++ b/src/H5Osdspace.c 
@@ -106,12 +106,13 @@ H5FL_ARR_EXTERN(hsize_t); --------------------------------------------------------------------------*/ static void * H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, - unsigned H5_ATTR_UNUSED *ioflags, size_t H5_ATTR_UNUSED p_size, const uint8_t *p) + unsigned H5_ATTR_UNUSED *ioflags, size_t p_size, const uint8_t *p) { - H5S_extent_t *sdim = NULL; /* New extent dimensionality structure */ - unsigned flags, version; - unsigned i; /* Local counting variable */ - void * ret_value = NULL; /* Return value */ + H5S_extent_t * sdim = NULL; /* New extent dimensionality structure */ + unsigned flags, version; + unsigned i; /* Local counting variable */ + const uint8_t *p_end = p + p_size - 1; /* End of the p buffer */ + void * ret_value = NULL; /* Return value */ FUNC_ENTER_STATIC @@ -161,6 +162,13 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN /* Decode dimension sizes */ if (sdim->rank > 0) { + /* Ensure that rank doesn't cause reading passed buffer's end, + due to possible data corruption */ + uint8_t sizeof_size = H5F_SIZEOF_SIZE(f); + if (p + (sizeof_size * sdim->rank - 1) > p_end) { + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + } + if (NULL == (sdim->size = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") 
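Review bot: The added declaration `const uint8_t *p_end = p + p_size - 1;` is evaluated before anything in this function establishes `p_size >= 1`; `p_size` was `H5_ATTR_UNUSED` until this change, so existing callers never had to supply a meaningful value, and for `p_size == 0` the expression forms a pointer before the start of the buffer, which is undefined behavior under C11 6.5.6 even if it is only ever compared. The one-past-the-end form `const uint8_t *p_end = p + p_size;` is always a valid pointer to form, and the later checks then become length comparisons such as `if ((size_t)(p_end - p) < (size_t)sizeof_size * sdim->rank)` rather than pointer arithmetic on the result. It would also be worth an explicit `if (p_size == 0) HGOTO_ERROR(...)` (or an assertion, whichever the file uses for caller contracts) at function entry so the precondition is visible. The body of `H5O__sdspace_decode` continues outside this hunk.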
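Review bot: The new guard `if (p + (sizeof_size * sdim->rank - 1) > p_end)` computes a pointer that, for exactly the corrupted `rank` values it is meant to reject, can lie arbitrarily far past the end of the buffer before the comparison happens; forming such a pointer is undefined behavior in C even though it is never dereferenced, and a sanitizer build or a pointer-tagging platform can flag it. Comparing lengths avoids that entirely: `if ((size_t)sizeof_size * sdim->rank > (size_t)(p_end - p) + 1)`. The product `sizeof_size * sdim->rank` is done in `unsigned int`; it cannot wrap only if `rank` was already bounded (an `H5S_MAX_RANK` check would normally sit above this hunk, but it is not visible here), so either keep the widening cast or add a comment stating that the earlier bound is relied on. Separately, the comment and message read "passed buffer's end" where "past the buffer's end" is meant, and from what is visible the fixed-size header fields consumed from `p` before this point (version, rank, flags) are still not checked against `p_size`, so a message shorter than that header would presumably still be over-read.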
@@ -170,6 +178,11 @@ H5O__sdspace_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UN if (flags & H5S_VALID_MAX) { if (NULL == (sdim->max = (hsize_t *)H5FL_ARR_MALLOC(hsize_t, (size_t)sdim->rank))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Ensure that rank doesn't cause reading passed buffer's end */ + if (p + (sizeof_size * sdim->rank - 1) > p_end) + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "rank might cause reading passed buffer's end") + for (i = 0; i < sdim->rank; i++) H5F_DECODE_LENGTH(f, p, sdim->max[i]); } /* end if */ diff --git a/tools/test/h5repack/CMakeTests.cmake b/tools/test/h5repack/CMakeTests.cmake index 528ee1c..037287d 100644 --- a/tools/test/h5repack/CMakeTests.cmake +++ b/tools/test/h5repack/CMakeTests.cmake @@ -51,7 +51,8 @@ ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_named_dtypes.h5 ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum.h5 ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nested_8bit_enum_deflated.h5 - ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 + ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_CVE-2018-17432.h5 + ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_CVE-2018-14460.h5 ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_nbit.h5 ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_objs.h5 ${HDF5_TOOLS_TEST_H5REPACK_SOURCE_DIR}/testfiles/h5repack_refs.h5 
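Review bot: The bounds check for `sdim->max` is placed after `H5FL_ARR_MALLOC` of the max array, whereas the previous hunk puts the equivalent check for `sdim->size` before its allocation; moving this one above `if (NULL == (sdim->max = ...` keeps the two paths consistent and avoids allocating on a path that is about to fail (the cleanup at `done:` is outside this hunk, so whether the early allocation would otherwise leak cannot be confirmed from here). The check expression is now duplicated verbatim in two places; a small helper or a `remaining = (size_t)(p_end - p) + 1` local recomputed after the size loop would make the intent clearer than repeating the pointer arithmetic, and the second copy drops the braces the first copy uses around `HGOTO_ERROR`, which the file's own style appears to want. The comment here has the same "passed" for "past" wording as the first check.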
@@ -1551,10 +1552,15 @@ ADD_H5_TEST (HDFFV-7840 "TEST" h5diff_attr1.h5) # test CVE-2018-17432 fix - set (arg h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6) + set (arg h5repack_CVE-2018-17432.h5 h5repack__CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6) set (TESTTYPE "TEST") ADD_H5_FILTER_TEST (HDFFV-10590 "" ${TESTTYPE} 1 ${arg}) +# test CVE-2018-14460 fix + set (arg h5repack_CVE-2018-14460.h5 h5repack_CVE-2018-14460_out.h5) + set (TESTTYPE "TEST") + ADD_H5_FILTER_TEST (HDFFV-11223 "" ${TESTTYPE} 1 ${arg}) + # tests for metadata block size option ('-M') ADD_H5_TEST_META (meta_short h5repack_layout.h5 -M 8192) ADD_H5_TEST_META (meta_long h5repack_layout.h5 --metadata_block_size=8192) diff --git a/tools/test/h5repack/h5repack.sh.in b/tools/test/h5repack/h5repack.sh.in index f881b0a..3756a95 100644 --- a/tools/test/h5repack/h5repack.sh.in +++ b/tools/test/h5repack/h5repack.sh.in @@ -129,7 +129,8 @@ $SRC_H5REPACK_TESTFILES/h5repack_paged_persist.h5 ########h5diff/testfile######## $SRC_H5DIFF_TESTFILES/h5diff_attr1.h5 ########test#HDFFV-10590######## -$SRC_H5REPACK_TESTFILES/h5repack_HDFFV-10590_CVE-2018-17432.h5 +$SRC_H5REPACK_TESTFILES/h5repack_CVE-2018-17432.h5 +$SRC_H5REPACK_TESTFILES/h5repack_CVE-2018-14460.h5 ########tools/testfiles#for#external#links######## $SRC_TOOLS_TESTFILES/tsoftlinks.h5 $SRC_TOOLS_TESTFILES/textlinkfar.h5 @@ -1712,7 +1713,11 @@ TOOLTEST HDFFV-5932 h5repack_attr_refs.h5 TOOLTEST HDFFV-7840 h5diff_attr1.h5 # test HDFFV-10590 -arg="h5repack_HDFFV-10590_CVE-2018-17432.h5 h5repack_HDFFV-10590_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6" +arg="h5repack_CVE-2018-17432.h5 h5repack_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6" +TOOLTEST_FAIL $arg + +# test HDFFV-11223 +arg="h5repack_CVE-2018-14460.h5 h5repack_CVE-2018-14460_out.h5" TOOLTEST_FAIL $arg # tests for metadata block size option 
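Review bot: The renamed output file in the CVE-2018-17432 test has a doubled underscore, `h5repack__CVE-2018-17432_out.h5`, while the shell version of the same test in h5repack.sh.in uses `h5repack_CVE-2018-17432_out.h5`. Because the test is expected to fail with return code 1 the output file is presumably never produced, so this will not break the test, but any cleanup list or expected-output file keyed on the name will silently diverge between the two harnesses; `set (arg h5repack_CVE-2018-17432.h5 h5repack_CVE-2018-17432_out.h5 --low=1 --high=2 -f GZIP=8 -l dset1:CHUNK=5x6)` matches the shell script. The new HDFFV-11223 test reuses `ADD_H5_FILTER_TEST` with an empty filter name for a test that applies no filter; a one-line comment saying it is only borrowed for its expected-return-code handling would save the next reader from looking for a filter argument.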
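Review bot: `TOOLTEST_FAIL $arg` for the new HDFFV-11223 case only establishes that h5repack exits unsuccessfully on `h5repack_CVE-2018-14460.h5`; if that helper accepts any non-zero status (its definition is outside this hunk, so this cannot be confirmed here), a regression back to the original segfault would still pass, since a signal death also yields a non-zero status. If the helper cannot distinguish, comparing the exit status against the specific failure code the CMake side expects (1) or grepping the captured stderr for the new "rank might cause reading" error would make the test actually pin the fix. The comment above the first block still reads `# test HDFFV-10590` while the file names no longer carry that id; `# test HDFFV-10590 / CVE-2018-17432` keeps both identifiers searchable.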
diff --git a/tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5 b/tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5 new file mode 100644 index 0000000..f4093b5 Binary files /dev/null and b/tools/test/h5repack/testfiles/h5repack_CVE-2018-14460.h5 differ diff --git a/tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5 b/tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5 new file mode 100644 index 0000000..7a815ba Binary files /dev/null and b/tools/test/h5repack/testfiles/h5repack_CVE-2018-17432.h5 differ diff --git a/tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 b/tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 deleted file mode 100644 index 7a815ba..0000000 Binary files a/tools/test/h5repack/testfiles/h5repack_HDFFV-10590_CVE-2018-17432.h5 and /dev/null differ -- cgit v0.12