Accepting request 1066251 from science
- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973). https://github.com/HDFGroup/hdf5/issues/2458 https://github.com/HDFGroup/hdf5/pull/2459 Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch Remove-duplicate-code.patch (forwarded request 1066178 from eeich) OBS-URL: https://build.opensuse.org/request/show/1066251 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/hdf5?expand=0&rev=81
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
4b3c9b5cfc
@ -0,0 +1,66 @@
|
|||||||
|
From: Egbert Eich <eich@suse.com>
|
||||||
|
Date: Sat Feb 11 13:54:17 2023 +0100
|
||||||
|
Subject: Check for overflow when calculating on-disk attribute data size (#2459)
|
||||||
|
Patch-mainline: Not yet
|
||||||
|
Git-repo: https://github.com/HDFGroup/hdf5
|
||||||
|
Git-commit: 0d026daa13a81be72495872f651c036fdc84ae5e
|
||||||
|
References:
|
||||||
|
|
||||||
|
A bogus hdf5 file may contain dataspace messages with sizes
|
||||||
|
which lead to the on-disk data sizes to exceed what is addressable.
|
||||||
|
When calculating the size, make sure, the multiplication does not
|
||||||
|
overflow.
|
||||||
|
The test case was crafted in a way that the overflow caused the
|
||||||
|
size to be 0.
|
||||||
|
|
||||||
|
This fixes CVE-2021-37501 / Bug #2458.
|
||||||
|
|
||||||
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
||||||
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
||||||
|
---
|
||||||
|
src/H5Oattr.c | 3 +++
|
||||||
|
src/H5private.h | 18 ++++++++++++++++++
|
||||||
|
2 files changed, 21 insertions(+)
|
||||||
|
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
|
||||||
|
index 4dee7aa187..3ef0b99aa4 100644
|
||||||
|
--- a/src/H5Oattr.c
|
||||||
|
+++ b/src/H5Oattr.c
|
||||||
|
@@ -235,6 +235,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
|
||||||
|
|
||||||
|
/* Compute the size of the data */
|
||||||
|
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
|
||||||
|
+ H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
|
||||||
|
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
|
||||||
|
+ "data size exceeds addressable range"))
|
||||||
|
|
||||||
|
/* Go get the data */
|
||||||
|
if (attr->shared->data_size) {
|
||||||
|
diff --git a/src/H5private.h b/src/H5private.h
|
||||||
|
index 931d7b9046..a115aee1a4 100644
|
||||||
|
--- a/src/H5private.h
|
||||||
|
+++ b/src/H5private.h
|
||||||
|
@@ -1605,6 +1605,24 @@ H5_DLL int HDvasprintf(char **bufp, const char *fmt, va_list _ap);
|
||||||
|
#define H5_CHECK_OVERFLOW(var, vartype, casttype)
|
||||||
|
#endif /* NDEBUG */
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * A macro for checking whether a multiplication has overflown
|
||||||
|
+ * r is assumed to be the result of a prior multiplication of a and b
|
||||||
|
+ */
|
||||||
|
+#define H5_CHECK_MUL_OVERFLOW(r, a, b, err) \
|
||||||
|
+ { \
|
||||||
|
+ bool mul_overflow = false; \
|
||||||
|
+ if (r != 0) { \
|
||||||
|
+ if (r / a != b) \
|
||||||
|
+ mul_overflow = true; \
|
||||||
|
+ } else { \
|
||||||
|
+ if (a != 0 && b != 0) \
|
||||||
|
+ mul_overflow = true; \
|
||||||
|
+ } \
|
||||||
|
+ if (mul_overflow) \
|
||||||
|
+ err \
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* A macro for detecting over/under-flow when assigning between types
|
||||||
|
*/
|
||||||
28
Remove-duplicate-code.patch
Normal file
28
Remove-duplicate-code.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From: Egbert Eich <eich@suse.com>
|
||||||
|
Date: Sat Feb 11 18:08:15 2023 +0100
|
||||||
|
Subject: Remove duplicate code
|
||||||
|
Patch-mainline: Not yet
|
||||||
|
Git-repo: https://github.com/HDFGroup/hdf5
|
||||||
|
Git-commit: 539bca81e2b5713b1c6c5723d742377fb92c1ac1
|
||||||
|
References:
|
||||||
|
|
||||||
|
Signed-off-by: Egbert Eich <eich@suse.com>
|
||||||
|
Signed-off-by: Egbert Eich <eich@suse.de>
|
||||||
|
---
|
||||||
|
src/H5Oattr.c | 4 ----
|
||||||
|
1 file changed, 4 deletions(-)
|
||||||
|
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
|
||||||
|
index 3ef0b99aa4..19d3abfb4c 100644
|
||||||
|
--- a/src/H5Oattr.c
|
||||||
|
+++ b/src/H5Oattr.c
|
||||||
|
@@ -222,10 +222,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
|
||||||
|
else
|
||||||
|
p += attr->shared->ds_size;
|
||||||
|
|
||||||
|
- /* Get the datatype's size */
|
||||||
|
- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
|
||||||
|
- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
|
||||||
|
-
|
||||||
|
/* Get the datatype & dataspace sizes */
|
||||||
|
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
|
||||||
|
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
|
||||||
10
hdf5.changes
10
hdf5.changes
@ -1,3 +1,13 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 13 09:18:05 UTC 2023 - Egbert Eich <eich@suse.com>
|
||||||
|
|
||||||
|
- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
|
||||||
|
input file (bsc#1207973).
|
||||||
|
https://github.com/HDFGroup/hdf5/issues/2458
|
||||||
|
https://github.com/HDFGroup/hdf5/pull/2459
|
||||||
|
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
|
||||||
|
Remove-duplicate-code.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 15 04:52:12 UTC 2022 - Atri Bhattacharya <badshah400@gmail.com>
|
Tue Nov 15 04:52:12 UTC 2022 - Atri Bhattacharya <badshah400@gmail.com>
|
||||||
|
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package hdf5
|
# spec file
|
||||||
#
|
#
|
||||||
# Copyright (c) 2022 SUSE LLC
|
# Copyright (c) 2023 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -450,6 +450,8 @@ Patch108: Make-sure-info-block-for-external-links-has-at-least-3-bytes.pat
|
|||||||
Patch109: Hot-fix-for-CVE-2020-10812.patch
|
Patch109: Hot-fix-for-CVE-2020-10812.patch
|
||||||
Patch110: Compound-datatypes-may-not-have-members-of-size-0.patch
|
Patch110: Compound-datatypes-may-not-have-members-of-size-0.patch
|
||||||
Patch111: H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
|
Patch111: H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
|
||||||
|
Patch112: Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
|
||||||
|
Patch113: Remove-duplicate-code.patch
|
||||||
|
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
%if 0%{?use_sz2}
|
%if 0%{?use_sz2}
|
||||||
@ -704,6 +706,8 @@ library packages.
|
|||||||
%patch109 -p1
|
%patch109 -p1
|
||||||
%patch110 -p1
|
%patch110 -p1
|
||||||
%patch111 -p1
|
%patch111 -p1
|
||||||
|
%patch112 -p1
|
||||||
|
%patch113 -p1
|
||||||
|
|
||||||
%if %{without hpc}
|
%if %{without hpc}
|
||||||
# baselibs looks different for different flavors - generate it on the fly
|
# baselibs looks different for different flavors - generate it on the fly
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user