pool/hdf5
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1066251 from science

Browse Source 
- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
  input file (bsc#1207973).
  https://github.com/HDFGroup/hdf5/issues/2458
  https://github.com/HDFGroup/hdf5/pull/2459
  Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
  Remove-duplicate-code.patch (forwarded request 1066178 from eeich)

OBS-URL: https://build.opensuse.org/request/show/1066251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/hdf5?expand=0&rev=81
This commit is contained in:
Dominique Leuenberger 2023-02-17 15:44:17 +00:00 committed by Git OBS Bridge
commit 4b3c9b5cfc
4 changed files with 110 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch Normal file
View File

@ -0,0 +1,66 @@
From: Egbert Eich <eich@suse.com>
Date: Sat Feb 11 13:54:17 2023 +0100
Subject: Check for overflow when calculating on-disk attribute data size (#2459)
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 0d026daa13a81be72495872f651c036fdc84ae5e
References:
A bogus hdf5 file may contain dataspace messages with sizes
which lead to the on-disk data sizes to exceed what is addressable.
When calculating the size, make sure, the multiplication does not
overflow.
The test case was crafted in a way that the overflow caused the
size to be 0.
This fixes CVE-2021-37501 / Bug #2458.
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
src/H5Oattr.c | 3 +++
src/H5private.h | 18 ++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 4dee7aa187..3ef0b99aa4 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -235,6 +235,9 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+ H5_CHECK_MUL_OVERFLOW(attr->shared->data_size, ds_size, dt_size,
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL,
+ "data size exceeds addressable range"))
/* Go get the data */
if (attr->shared->data_size) {
diff --git a/src/H5private.h b/src/H5private.h
index 931d7b9046..a115aee1a4 100644
--- a/src/H5private.h
+++ b/src/H5private.h
@@ -1605,6 +1605,24 @@ H5_DLL int HDvasprintf(char **bufp, const char *fmt, va_list _ap);
#define H5_CHECK_OVERFLOW(var, vartype, casttype)
#endif /* NDEBUG */
+/*
+ * A macro for checking whether a multiplication has overflown
+ * r is assumed to be the result of a prior multiplication of a and b
+ */
+#define H5_CHECK_MUL_OVERFLOW(r, a, b, err) \
+ { \
+ bool mul_overflow = false; \
+ if (r != 0) { \
+ if (r / a != b) \
+ mul_overflow = true; \
+ } else { \
+ if (a != 0 && b != 0) \
+ mul_overflow = true; \
+ } \
+ if (mul_overflow) \
+ err \
+ }
+
/*
* A macro for detecting over/under-flow when assigning between types
*/

28
Remove-duplicate-code.patch Normal file
View File

@ -0,0 +1,28 @@
From: Egbert Eich <eich@suse.com>
Date: Sat Feb 11 18:08:15 2023 +0100
Subject: Remove duplicate code
Patch-mainline: Not yet
Git-repo: https://github.com/HDFGroup/hdf5
Git-commit: 539bca81e2b5713b1c6c5723d742377fb92c1ac1
References:
Signed-off-by: Egbert Eich <eich@suse.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
src/H5Oattr.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 3ef0b99aa4..19d3abfb4c 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -222,10 +222,6 @@ H5O_attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, un
else
p += attr->shared->ds_size;
- /* Get the datatype's size */
- if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
- HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
/* Get the datatype & dataspace sizes */
if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")

10
hdf5.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Feb 13 09:18:05 UTC 2023 - Egbert Eich <eich@suse.com>
- Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus
input file (bsc#1207973).
https://github.com/HDFGroup/hdf5/issues/2458
https://github.com/HDFGroup/hdf5/pull/2459
Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
Remove-duplicate-code.patch
-------------------------------------------------------------------
Tue Nov 15 04:52:12 UTC 2022 - Atri Bhattacharya <badshah400@gmail.com>

8
hdf5.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package hdf5
# spec file
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -450,6 +450,8 @@ Patch108: Make-sure-info-block-for-external-links-has-at-least-3-bytes.pat
Patch109: Hot-fix-for-CVE-2020-10812.patch
Patch110: Compound-datatypes-may-not-have-members-of-size-0.patch
Patch111: H5IMget_image_info-H5Sget_simple_extent_dims-does-not-exceed-array-size.patch
Patch112: Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch
Patch113: Remove-duplicate-code.patch
BuildRequires: fdupes
%if 0%{?use_sz2}
@ -704,6 +706,8 @@ library packages.
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%if %{without hpc}
# baselibs looks different for different flavors - generate it on the fly