Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix potential buffer read overflows in H5PB_read #4279

Merged
merged 1 commit into from
Mar 29, 2024
Merged

Fix potential buffer read overflows in H5PB_read #4279

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions release_docs/RELEASE.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -693,6 +693,13 @@ Bug Fixes since HDF5-1.14.0 release

Library
-------
- Fixed potential buffer read overflows in H5PB_read

H5PB_read previously did not account for the fact that the size of the
read it's performing could overflow the page buffer pointer, depending
on the calculated offset for the read. This has been fixed by adjusting
the size of the read if it's determined that it would overflow the page.

- Fixed CVE-2017-17507

This CVE was previously declared fixed, but later testing with a static
Expand Down
11 changes: 10 additions & 1 deletion src/H5PB.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -726,7 +726,7 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void *
if (H5FD_MEM_DRAW == type) {
last_page_addr = ((addr + size - 1) / page_buf->page_size) * page_buf->page_size;

/* How many pages does this write span */
/* How many pages does this read span */
num_touched_pages =
(last_page_addr / page_buf->page_size + 1) - (first_page_addr / page_buf->page_size);
if (first_page_addr == last_page_addr) {
Expand Down Expand Up @@ -835,6 +835,10 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void *
offset = (0 == i ? addr - page_entry->addr : 0);
buf_offset = (0 == i ? 0 : size - access_size);

/* Account for reads that would overflow a page */
if (offset + access_size > page_buf->page_size)
access_size = page_buf->page_size - offset;

/* copy the requested data from the page into the input buffer */
H5MM_memcpy((uint8_t *)buf + buf_offset, (uint8_t *)page_entry->page_buf_ptr + offset,
access_size);
Expand Down Expand Up @@ -905,6 +909,11 @@ H5PB_read(H5F_shared_t *f_sh, H5FD_mem_t type, haddr_t addr, size_t size, void *
/* Copy the requested data from the page into the input buffer */
offset = (0 == i ? addr - search_addr : 0);
buf_offset = (0 == i ? 0 : size - access_size);

/* Account for reads that would overflow a page */
if (offset + access_size > page_buf->page_size)
access_size = page_buf->page_size - offset;

H5MM_memcpy((uint8_t *)buf + buf_offset, (uint8_t *)new_page_buf + offset, access_size);

/* Create the new PB entry */
Expand Down
Loading