diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index e0ecfac8c7a..f08a7a31433 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -198,6 +198,19 @@ Bug Fixes since HDF5-1.10.9 release =================================== Library ------- + - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf + + Check for overflow when calculating on-disk attribute data size. + + A bogus hdf5 file may contain dataspace messages with sizes + which lead to the on-disk data sizes to exceed what is addressable. + When calculating the size, make sure, the multiplication does not + overflow. + The test case was crafted in a way that the overflow caused the + size to be 0. + + (EFE - 2023/02/11 GH-2458) + - Fixed an issue with variable length attributes Previously, if a variable length attribute was held open while its file diff --git a/src/H5Oattr.c b/src/H5Oattr.c index d5adb81d48d..1523572f77a 100644 --- a/src/H5Oattr.c +++ b/src/H5Oattr.c @@ -221,10 +221,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un else p += attr->shared->ds_size; - /* Get the datatype's size */ - if (0 == (dt_size = H5T_get_size(attr->shared->dt))) - HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") - /* Get the datatype & dataspace sizes */ if (0 == (dt_size = H5T_get_size(attr->shared->dt))) HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size") @@ -234,6 +230,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un /* Compute the size of the data */ H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t); + /* Check if multiplication has overflown */ + if ((attr->shared->data_size / dt_size) != ds_size) + HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range") /* Go get the data */ if (attr->shared->data_size) { diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake index 8dc815a72a4..509d29af40d 100644 --- a/tools/test/h5dump/CMakeTests.cmake +++ b/tools/test/h5dump/CMakeTests.cmake @@ -327,6 +327,7 @@ ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5 ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5 ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5 + ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5 ) set (HDF5_ERROR_REFERENCE_TEST_FILES ${PROJECT_SOURCE_DIR}/errfiles/filter_fail.err @@ -1145,6 +1146,9 @@ # test to verify HDFFV-10480: out of bounds read in H5O_fill_new[old]_decode ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5) ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5) + # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() + # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc + ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5) ############################################################################## ### P L U G I N T E S T S diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in index cf1b92d89d6..8d0e03f52a3 100644 --- a/tools/test/h5dump/testh5dump.sh.in +++ b/tools/test/h5dump/testh5dump.sh.in @@ -180,6 +180,7 @@ $SRC_H5DUMP_TESTFILES/tvlstr.h5 $SRC_H5DUMP_TESTFILES/tvms.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5 +$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5 " LIST_OTHER_TEST_FILES=" @@ -1475,6 +1476,10 @@ TOOLTEST3 non_existing.ddl --enable-error-stack tgroup.h5 non_existing.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5 TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5 +# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode() +# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc +TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5 + # Clean up temporary files/directories CLEAN_TESTFILES_AND_TESTDIR diff --git a/tools/testfiles/tCVE-2021-37501_attr_decode.h5 b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 new file mode 100644 index 00000000000..331b05b5936 Binary files /dev/null and b/tools/testfiles/tCVE-2021-37501_attr_decode.h5 differ