Skip to content

Commit

Permalink
Check for overflow when calculating on-disk attribute data size (#2459)
Browse files Browse the repository at this point in the history
* Remove duplicate code

Signed-off-by: Egbert Eich <[email protected]>

* Add test case for CVE-2021-37501

Bogus sizes in this test case causes the on-disk data size
calculation in H5O__attr_decode() to overflow so that the
calculated size becomes 0. This causes the read to overflow
and h5dump to segfault.
This test case was crafted, the test file was not directly
generated by HDF5.
Test case from:
https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md
  • Loading branch information
e4t authored Mar 2, 2023
1 parent 877e4a6 commit b16ec83
Show file tree
Hide file tree
Showing 5 changed files with 26 additions and 4 deletions.
13 changes: 13 additions & 0 deletions release_docs/RELEASE.txt
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,19 @@ Bug Fixes since HDF5-1.13.3 release
===================================
Library
-------
- Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf

Check for overflow when calculating on-disk attribute data size.

A bogus hdf5 file may contain dataspace messages with sizes
which lead to the on-disk data sizes to exceed what is addressable.
When calculating the size, make sure, the multiplication does not
overflow.
The test case was crafted in a way that the overflow caused the
size to be 0.

(EFE - 2023/02/11 GH-2458)

- Fixed an issue with collective metadata writes of global heap data

New test failures in parallel netCDF started occurring with debug
Expand Down
7 changes: 3 additions & 4 deletions src/H5Oattr.c
Original file line number Diff line number Diff line change
Expand Up @@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
else
p += attr->shared->ds_size;

/* Get the datatype's size */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")

/* Get the datatype & dataspace sizes */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
Expand All @@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u

/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
/* Check if multiplication has overflown */
if ((attr->shared->data_size / dt_size) != ds_size)
HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")

/* Go get the data */
if (attr->shared->data_size) {
Expand Down
5 changes: 5 additions & 0 deletions tools/test/h5dump/CMakeTests.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,7 @@
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
#STD_REF_OBJ files
${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
Expand Down Expand Up @@ -1340,6 +1341,10 @@
ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)

# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)

# onion VFD tests
ADD_H5_TEST (tst_onion_objs 0 --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5)
ADD_H5_TEST (tst_onion_dset_ext 0 --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5)
Expand Down
5 changes: 5 additions & 0 deletions tools/test/h5dump/testh5dump.sh.in
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,7 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
$SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
$SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5
$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion
$SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5
Expand Down Expand Up @@ -1495,6 +1496,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5

# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5

# test Onion VFD
TOOLTEST tst_onion_objs.ddl --enable-error-stack --vfd-name onion --vfd-info 3 tst_onion_objs.h5
TOOLTEST tst_onion_dset_ext.ddl --enable-error-stack --vfd-name onion --vfd-info 1 tst_onion_dset_ext.h5
Expand Down
Binary file added tools/testfiles/tCVE-2021-37501_attr_decode.h5
Binary file not shown.

0 comments on commit b16ec83

Please sign in to comment.