From 4646ac859c5c1ba45c8b864a0dbc713525467d1a Mon Sep 17 00:00:00 2001
From: Dana Robinson <43805+derobins@users.noreply.github.com>
Date: Wed, 30 Aug 2023 05:39:33 -0700
Subject: [PATCH] Bring CVE fixes from develop (#3447)
* Bring CVE fixes from develop
* Fix for CVE-2018-15671
* Fix for CVE-2016-4332
* Update the CVE matrix
---
 CVE_list_1_14.md | 11 +++++------
 release_docs/RELEASE.txt | 14 ++++++++++++--
 src/H5Gint.c | 22 +++++++--------------
 src/H5Omessage.c | 16 +++++++--------
 tools/src/h5dump/h5dump_ddl.c | 9 +-------
 tools/testfiles/tgroup-2.ddl | 9 +-------
 6 files changed, 33 insertions(+), 48 deletions(-)
diff --git a/CVE_list_1_14.md b/CVE_list_1_14.md
index d036aa8b6f0..3de7f740991 100644
--- a/CVE_list_1_14.md
+++ b/CVE_list_1_14.md
@@ -35,7 +35,7 @@
 | [CVE-2018-17233](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17233) | | | | |
 | [CVE-2018-16438](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16438) | | | | |
 | [CVE-2018-15672](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15672) | | | | |
-| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | FAILED |
+| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | |
 | [CVE-2018-14460](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14460) | | | | |
 | [CVE-2018-14035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14035) | | | | |
 | [CVE-2018-14034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14034) | | | | |
@@ -63,13 +63,12 @@
 | [CVE-2017-17507](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507) | FAILED | FAILED | | |
 | [CVE-2017-17506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506) | | | | |
 | [CVE-2017-17505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505) | | | | |
-| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
+| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | | | | |
+| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | FAILED | FAILED | FAILED | |
+| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | | | | |
+| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | | | | |
 ## NOTES
-* No test files are available for the 2016 CVE issues as Talos doesn't release proof-of-vulnerability files. We will add our own proof-of-vulnerability files in the future.
 * CVE-2021-45832 has no known proof of vulnerability file. We will attempt to create our own.
 * CVE-2021-31009 is not a specific vulnerability against HDF5.
 * CVE-2022-25942, CVE-2022-25972, and CVE-2022-26061 are not tested. Those vulnerabilities involve the high-level GIF tools and can be avoided by disabling those tools at build time.
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 40faff6ef79..db6b27aaf08 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release =================================== Library ------- + - Fixed an assertion in a previous fix for CVE-2016-4332 + + An assert could fail when processing corrupt files that have invalid + shared message flags (as in CVE-2016-4332). + + The assert statement in question has been replaced with pointer checks + that don't raise errors. Since the function is in cleanup code, we do + our best to close and free things, even when presented with partially + initialized structs. + + Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo) + - Fixed performance regression with some compound type conversions In-place type conversion was introduced for most use cases in 1.14.2. @@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release this optimized conversion and there is no benefit in terms of the I/O size. - - Fixed an assertion in a previous fix for CVE-2016-4332 - Java Library ------------ diff --git a/src/H5Gint.c b/src/H5Gint.c index 1a9b3351435..8607c3b1212 100644 --- a/src/H5Gint.c +++ b/src/H5Gint.c @@ -977,15 +977,13 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata) /* Check if we've seen the object the link references before */ if (NULL == H5SL_search(udata->visited, &obj_pos)) { H5O_type_t otype; /* Basic object type (group, dataset, etc.) */ - unsigned rc; /* Reference count of object */ /* Get the object's reference count and type */ - if (H5O_get_rc_and_type(&obj_oloc, &rc, &otype) < 0) + if (H5O_get_rc_and_type(&obj_oloc, NULL, &otype) < 0) HGOTO_ERROR(H5E_SYM, H5E_CANTGET, H5_ITER_ERROR, "unable to get object info"); - /* If its ref count is > 1, we add it to the list of visited objects */ - /* (because it could come up again during traversal) */ - if (rc > 1) { + /* Add it to the list of visited objects */ + { H5_obj_t *new_node; /* New object node for visited list */ /* Allocate new object "position" node */ 
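Review bot: The replacement comment `/* Add it to the list of visited objects */` in H5G__visit_cb no longer records why the `rc > 1` condition was dropped, and that reason is the whole fix: the reference count is read from the object header in the file, so a crafted file can report 1 for an object that is actually linked from several places, the traversal would then never record it, and a cycle could be followed without bound. Suggest `/* Always record the object: the ref count comes from the file and cannot be trusted to identify multiply-linked objects (CVE-2018-15671) */`, and the same wording for the matching block in H5G_visit (hunk @@ -1136). The call now passes NULL for the rc argument of H5O_get_rc_and_type; the removed H5G_visit code passed NULL for the type argument, which suggests the callee tolerates either, but that is inferred rather than visible here. With the condition gone, the bare `{ ... }` that only scopes `new_node` could be folded into the enclosing `if` body, and the patch adds no RELEASE.txt entry for this change (only the CVE-2016-4332 one). H5G__visit_cb's body continues outside the hunk.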
@@ -999,7 +997,7 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata) if (H5SL_insert(udata->visited, new_node, new_node) < 0) HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, H5_ITER_ERROR, "can't insert object node into visited list"); - } /* end if */ + } /* If it's a group, we recurse into it */ if (otype == H5O_TYPE_GROUP) { @@ -1094,7 +1092,6 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o hid_t gid = H5I_INVALID_HID; /* Group ID */ H5G_t *grp = NULL; /* Group opened */ H5G_loc_t start_loc; /* Location of starting group */ - unsigned rc; /* Reference count of object */ herr_t ret_value = FAIL; /* Return value */ /* Portably clear udata struct (before FUNC_ENTER) */ @@ -1136,13 +1133,8 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o if ((udata.visited = H5SL_create(H5SL_TYPE_OBJ, NULL)) == NULL) HGOTO_ERROR(H5E_SYM, H5E_CANTCREATE, FAIL, "can't create skip list for visited objects"); - /* Get the group's reference count */ - if (H5O_get_rc_and_type(&grp->oloc, &rc, NULL) < 0) - HGOTO_ERROR(H5E_SYM, H5E_CANTGET, FAIL, "unable to get object info"); - - /* If its ref count is > 1, we add it to the list of visited objects */ - /* (because it could come up again during traversal) */ - if (rc > 1) { + /* Add it to the list of visited objects */ + { H5_obj_t *obj_pos; /* New object node for visited list */ /* Allocate new object "position" node */ @@ -1156,7 +1148,7 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o /* Add to list of visited objects */ if (H5SL_insert(udata.visited, obj_pos, obj_pos) < 0) HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, FAIL, "can't insert object node into visited list"); - } /* end if */ + } /* Attempt to get the link info for this group */ if ((linfo_exists = H5G__obj_get_linfo(&(grp->oloc), &linfo)) < 0) diff --git a/src/H5Omessage.c b/src/H5Omessage.c index d76409d55a2..e492ceb3467 100644 --- a/src/H5Omessage.c +++ b/src/H5Omessage.c 
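Review bot: Every object reached by the traversal now gets a node in `udata.visited`, so the skip list created by `H5SL_create` in hunk @@ -1136 grows with the total number of objects visited rather than with the number of multiply-linked ones; that is the right trade for cycle detection that does not depend on file-supplied counts, but it deserves a comment at the create call, e.g. `/* One node per visited object, not just shared ones: file ref counts are not relied on for cycle detection */`. This hunk and @@ -1156 leave a bare block whose only purpose is to scope `obj_pos`; declaring it with the other locals at the top of H5G_visit, where hunk @@ -1094 just removed `rc`, would let the braces go. H5G_visit's body extends beyond these hunks on both sides.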
@@ -619,13 +619,12 @@ H5O__msg_free_mesg(H5O_mesg_t *mesg) } /* end H5O__msg_free_mesg() */ /*------------------------------------------------------------------------- - * Function: H5O_msg_free_real + * Function: H5O_msg_free_real * - * Purpose: Similar to H5O_msg_reset() except it also frees the message - * pointer. + * Purpose: Similar to H5O_msg_reset() except it also frees the message + * pointer * - * Return: Success: NULL - * Failure: NULL + * Return: NULL (always) * *------------------------------------------------------------------------- */ @@ -634,16 +633,15 @@ H5O_msg_free_real(const H5O_msg_class_t *type, void *msg_native) { FUNC_ENTER_NOAPI_NOINIT_NOERR - /* check args */ - assert(type); + /* Don't assert on args since this could be called in cleanup code */ if (msg_native) { H5O__msg_reset_real(type, msg_native); - if (NULL != (type->free)) + if (type && type->free) (type->free)(msg_native); else H5MM_xfree(msg_native); - } /* end if */ + } FUNC_LEAVE_NOAPI(NULL) } /* end H5O_msg_free_real() */ diff --git a/tools/src/h5dump/h5dump_ddl.c b/tools/src/h5dump/h5dump_ddl.c index 8a02a496bfa..adc8585ac38 100644 --- a/tools/src/h5dump/h5dump_ddl.c +++ b/tools/src/h5dump/h5dump_ddl.c @@ -853,10 +853,7 @@ dump_group(hid_t gid, const char *name) H5Oget_info3(gid, &oinfo, H5O_INFO_BASIC); - /* Must check for uniqueness of all objects if we've traversed an elink, - * otherwise only check if the reference count > 1. - */ - if (oinfo.rc > 1 || hit_elink) { + { obj_t *found_obj; /* Found object */ found_obj = search_obj(group_table, &oinfo.token); @@ -880,10 +877,6 @@ dump_group(hid_t gid, const char *name) link_iteration(gid, crt_order_flags); } } - else { - attr_iteration(gid, attr_crt_order_flags); - link_iteration(gid, crt_order_flags); - } dump_indent -= COL; ctx.indent_level--; diff --git a/tools/testfiles/tgroup-2.ddl b/tools/testfiles/tgroup-2.ddl index 2ac8ac6ef5b..5374742a73a 100644 --- a/tools/testfiles/tgroup-2.ddl +++ b/tools/testfiles/tgroup-2.ddl 
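Review bot: The new `type && type->free` guard in H5O_msg_free_real protects only the free dispatch, while `H5O__msg_reset_real(type, msg_native)` immediately above it still receives the same possibly-NULL `type` unguarded; unless that function tolerates a NULL class (its body is outside this hunk), the removed assert has been traded for a NULL dereference on exactly the corrupt-file path the RELEASE.txt entry describes. Suggest `if (type) H5O__msg_reset_real(type, msg_native);` so that with no class known the cleanup still falls through to `H5MM_xfree`. The header comment rewritten in hunk @@ -619 should also state that `type` may be NULL when called from cleanup code, since the new body makes that part of the contract.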
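Review bot: The deleted uniqueness comment was the only explanation of this block in dump_group, and its replacement is a bare `{` with no text; since every group is now looked up in `group_table` regardless of `oinfo.rc`, a comment such as `/* Look up every group in the object table: the ref count comes from the file and cannot be trusted for duplicate or cycle detection (CVE-2018-15671) */` would preserve the intent. With the condition and the `else` branch in hunk @@ -880 gone, `hit_elink` may have no remaining reader in dump_group, which is worth checking for an unused-variable warning. The tgroup-2.ddl update appears to show the user-visible consequence, a group dumped a second time printing as `HARDLINK` to itself instead of being expanded again, and that behavior change is not mentioned in RELEASE.txt. dump_group's body continues outside the hunk on both sides.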
@@ -17,14 +17,7 @@ GROUP "/" {
 }
 }
 GROUP "g2" {
- GROUP "g2.1" {
- GROUP "g2.1.1" {
- }
- GROUP "g2.1.2" {
- }
- GROUP "g2.1.3" {
- }
- }
+ HARDLINK "/g2"
 }
 GROUP "g3" {
 GROUP "g3.1" {