From 6f25c82d21967bafdf8b67185d0eb1004db8b064 Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Sat, 11 Feb 2023 13:54:17 +0100 Subject: [PATCH] Check for overflow when calculating on-disk attribute data size (#2459) A bogus hdf5 file may contain dataspace messages with sizes which lead to the on-disk data sizes to exceed what is addressable. When calculating the size, make sure, the multiplication does not overflow. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug #2458. Signed-off-by: Egbert Eich --- release_docs/RELEASE.txt | 13 +++++++++++++ src/H5Oattr.c | 3 +++ src/H5private.h | 18 ++++++++++++++++++ 3 files changed, 34 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index baf85fbaa40..1c7d2b6f9c2 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -207,6 +207,19 @@ Bug Fixes since HDF5-1.13.3 release =================================== Library ------- + - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf + + Check for overflow when calculating on-disk attribute data size. + + A bogus hdf5 file may contain dataspace messages with sizes + which lead to the on-disk data sizes to exceed what is addressable. + When calculating the size, make sure, the multiplication does not + overflow. + The test case was crafted in a way that the overflow caused the + size to be 0. + + (EFE - 2023/02/11 GH-2458) + - Seg fault on file close h5debug fails at file close with core dump on a file that has an diff --git a/src/H5Oattr.c b/src/H5Oattr.c index a7e964dd707..a1b77fc7043 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -230,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u /* Compute the size of the data */ H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t); + H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size, + HGOTO_ERROR(H5E_ATTR, H5E_OVERFLOW, NULL, + "data size exceeds addressable range")) /* Go get the data */ if (attr->shared->data_size) { diff --git a/src/H5private.h b/src/H5private.h index 6ed0aa2a98a..0d33f0a6653 100644 --- a/src/H5private.h +++ b/src/H5private.h @@ -1562,6 +1562,24 @@ H5_DLL int HDvasprintf(char **bufp, const char *fmt, va_list _ap); #define H5_CHECK_OVERFLOW(var, vartype, casttype) #endif /* NDEBUG */ +/* + * A macro for checking whether a multiplication has overflown + * r is assumed to be the result of a prior multiplication of a and b + */ +#define H5_CHECK_MUL_OVERFLOW(r, a, b, err) \ + { \ + bool mul_overflow = false; \ + if (r != 0) { \ + if (r / a != b) \ + mul_overflow = true; \ + } else { \ + if (a != 0 && b != 0) \ + mul_overflow = true; \ + } \ + if (mul_overflow) \ + err \ + } + /* * A macro for detecting over/under-flow when assigning between types */