From 37a8e3024e1be71325b752d3001a02389f60434c Mon Sep 17 00:00:00 2001 From: Larry Knox Date: Tue, 4 Apr 2023 12:36:27 -0500 Subject: Minor cherry-pick merges to 1.14 (#2582) * Enclose MESG in do...while loop (#2576) Enclose MSG macro in a do...while loop * Add a clang-format comment about permissions (#2577) * Remove an obsolete comment from the MDS test (#2578) The seed is now broadcast from rank 0, so the warning about multiple machines having different seeds is unnecessary. * Subfiling VFD - fix issues with I/O concentrator selection strategies (#2571) Fix multiple bugs with the SELECT_IOC_EVERY_NTH_RANK and SELECT_IOC_TOTAL I/O concentrator selection strategies and add a regression test for them * Check for overflow when calculating on-disk attribute data size (#2459) * Remove duplicate code Signed-off-by: Egbert Eich * Add test case for CVE-2021-37501 Bogus sizes in this test case causes the on-disk data size calculation in H5O__attr_decode() to overflow so that the calculated size becomes 0. This causes the read to overflow and h5dump to segfault. This test case was crafted, the test file was not directly generated by HDF5. Test case from: https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md --------- Co-authored-by: glennsong09 <43005495+glennsong09@users.noreply.github.com> Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com> Co-authored-by: jhendersonHDF Co-authored-by: Egbert Eich --- .github/workflows/clang-format-fix.yml | 9 +++++++ release_docs/RELEASE.txt | 33 +++++++++++++++++++++++++ src/H5Oattr.c | 7 +++--- testpar/t_pmulti_dset.c | 4 --- testpar/testpar.h | 7 ++++-- tools/test/h5dump/CMakeTests.cmake | 5 ++++ tools/test/h5dump/testh5dump.sh.in | 5 ++++ tools/testfiles/tCVE-2021-37501_attr_decode.h5 | Bin 0 -> 48544 bytes 8 files changed, 60 insertions(+), 10 deletions(-) create mode 100644 tools/testfiles/tCVE-2021-37501_attr_decode.h5 
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml index bb4d685..feaa3d0 100644 --- a/.github/workflows/clang-format-fix.yml +++ b/.github/workflows/clang-format-fix.yml @@ -1,3 +1,12 @@ +# NOTE: This action requires write permissions to be set in your GitHub +# repo/fork for it to be able to commit changes. +# +# This is currently enabled via: +# +# settings > Actions > General > Workflow permissions +# +# which you will need to set to "Read and write permissions" +# name: clang-format Commit Changes on: workflow_dispatch: diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 1a90c23..5dfcf52 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -146,6 +146,26 @@ Bug Fixes since HDF5-1.14.0 release =================================== Library ------- + - Fixed issues in the Subfiling VFD when using the SELECT_IOC_EVERY_NTH_RANK + or SELECT_IOC_TOTAL I/O concentrator selection strategies + + Multiple bugs involving these I/O concentrator selection strategies + were fixed, including: + + * A bug that caused the selection strategy to be altered when + criteria for the strategy was specified in the + H5FD_SUBFILING_IOC_SELECTION_CRITERIA environment variable as + a single value, rather than in the old and undocumented + 'integer:integer' format + * Two bugs which caused a request for 'N' I/O concentrators to + result in 'N - 1' I/O concentrators being assigned, which also + lead to issues if only 1 I/O concentrator was requested + + Also added a regression test for these two I/O concentrator selection + strategies to prevent future issues. + + (JTH - 2023/03/15) + - Fixed a memory corruption issue that can occur when reading from a dataset using a hyperslab selection in the file dataspace and a point selection in the memory dataspace 
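Review bot: The added comment steers maintainers to the repository-wide "Read and write permissions" setting, which grants every workflow in the repository write scope, whereas this workflow only needs to commit; the least-privilege alternative is a `permissions:` block in the workflow itself so that only this job receives `contents: write` and the repository default can stay read-only. Suggest appending one line to the comment, e.g. `# Alternatively, declare 'permissions: contents: write' in this workflow so only this job is granted write scope.` The jobs and steps of the workflow are outside the hunk, so it cannot be confirmed here whether a permissions key is already declared further down.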
@@ -195,6 +215,19 @@ Bug Fixes since HDF5-1.14.0 release (JTH - 2023/02/16, GH #2433) + - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf + + Check for overflow when calculating on-disk attribute data size. + + A bogus hdf5 file may contain dataspace messages with sizes + which lead to the on-disk data sizes to exceed what is addressable. + When calculating the size, make sure, the multiplication does not + overflow. + The test case was crafted in a way that the overflow caused the + size to be 0. + + (EFE - 2023/02/11 GH-2458) + Java Library ------------ diff --git a/src/H5Oattr.c b/src/H5Oattr.c index 6386865..e431cd2 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u else p += attr->shared->ds_size; - /* Get the datatype's size */ - if (0 == (dt_size = H5T_get_size(attr->shared->dt))) - HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") - /* Get the datatype & dataspace sizes */ if (0 == (dt_size = H5T_get_size(attr->shared->dt))) HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") @@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u /* Compute the size of the data */ H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t); + /* Check if multiplication has overflown */ + if ((attr->shared->data_size / dt_size) != ds_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range") /* Go get the data */ if (attr->shared->data_size) { diff --git a/testpar/t_pmulti_dset.c b/testpar/t_pmulti_dset.c index 52d0aa7..dd9a71a 100644 --- a/testpar/t_pmulti_dset.c +++ b/testpar/t_pmulti_dset.c 
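Review bot: The new overflow check in the second H5Oattr.c hunk divides by dt_size, which is safe only because the `if (0 == (dt_size = H5T_get_size(attr->shared->dt)))` guard a few lines above (visible as context in the preceding hunk) rejects a zero datatype size, and that dependency is not stated at the check. The back-division also appears to catch a second failure mode beyond hsize_t wraparound: if H5_CHECKED_ASSIGN merely casts on builds where size_t is narrower than hsize_t, the truncated data_size divided by dt_size will not equal ds_size either, which the comment "Check if multiplication has overflown" does not convey. Suggest replacing that comment with `/* dt_size is non-zero (checked above); the back-division also detects truncation of the hsize_t product into size_t */`. H5O__attr_decode begins and ends outside the hunk.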
@@ -17,10 +17,6 @@ * Purpose: Test H5Dwrite_multi() and H5Dread_multi using randomized * parameters in parallel. Also tests H5Dwrite() and H5Dread() * using a similar method. - * - * Note that this test currently relies on all processes generating - * the same sequence of random numbers after using a shared seed - * value, therefore it may not work across multiple machines. */ #include "h5test.h" diff --git a/testpar/testpar.h b/testpar/testpar.h index 6c380a9..58bcab4 100644 --- a/testpar/testpar.h +++ b/testpar/testpar.h @@ -30,8 +30,11 @@ * mesg is not an empty string. */ #define MESG(mesg) \ - if (VERBOSE_MED && *mesg != '\0') \ - HDprintf("%s\n", mesg) + do { \ + if (VERBOSE_MED && *mesg != '\0') { \ + HDprintf("%s\n", mesg); \ + } \ + } while (0) /* * VRFY: Verify if the condition val is true. diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake index bcbb1c1..c328ef1 100644 --- a/tools/test/h5dump/CMakeTests.cmake +++ b/tools/test/h5dump/CMakeTests.cmake @@ -344,6 +344,7 @@ ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5 ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5 ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5 + ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5 #STD_REF_OBJ files ${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5 ${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5 
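Review bot: In the testpar.h hunk the macro argument `mesg` is used unparenthesized in both the `*mesg != '\0'` test and the HDprintf call, and it is evaluated twice; a caller passing an expression rather than a plain identifier (for example a conditional) would bind differently under the dereference. Suggest `if (VERBOSE_MED && *(mesg) != '\0') {` and `HDprintf("%s\n", (mesg));`. The do/while wrapping itself is the right fix for the dangling-else hazard the commit targets; the definition of VERBOSE_MED is outside the hunk.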
@@ -1340,6 +1341,10 @@ ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5) ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5) + # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() + # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc + ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5) + # onion VFD tests ADD_H5_TEST (tst_onion_objs 0 --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5) ADD_H5_TEST (tst_onion_dset_ext 0 --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5) diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in index 24807cb..6ea410b 100644 --- a/tools/test/h5dump/testh5dump.sh.in +++ b/tools/test/h5dump/testh5dump.sh.in @@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5 $SRC_H5DUMP_TESTFILES/err_attr_dspace.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5 +$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5 $SRC_H5DUMP_TESTFILES/tst_onion_objs.h5 $SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion $SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5 @@ -1495,6 +1496,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5 +# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() +# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc +TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5 + # test Onion VFD TOOLTEST tst_onion_objs.ddl --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5 TOOLTEST tst_onion_dset_ext.ddl --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5 
diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 new file mode 100644 index 0000000..331b05b Binary files /dev/null and b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 differ -- cgit v0.12