packages/hdf5
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!8 fix cves

Browse Source 
From: @wangxiao65
Reviewed-by: @wang_yue111,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2020-11-10 11:53:29 +08:00 committed by Gitee
commit 437c6be165
6 changed files with 699 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
CVE-2018-17233.patch Normal file
View File

@ -0,0 +1,88 @@
From f891c38c6e724e9032a534512618b9650be76377 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Fri, 4 Jan 2019 11:46:29 -0600
Subject: [PATCH] Fixed CVE division-by-zero issues Description: Fixed
HDFFV-10577 and similar issues found in H5Dchunk.c. All the occurrences
are in: H5D__create_chunk_map_single
H5D__create_chunk_file_map_hyper H5D__chunk_allocate
H5D__chunk_update_old_edge_chunks H5D__chunk_prune_by_extent
H5D__chunk_copy_cb H5D__chunk_collective_fill Also updated
RELEASE.txt for the chunk query functions and removed some blank lines in
chunk_info.c. Platforms tested: Linux/64 (jelly) Linux/64 (platypus)
Darwin (osx1010test)
---
src/H5Dchunk.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index 021335f..1dc7a25 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -1380,6 +1380,9 @@ H5D__create_chunk_map_single(H5D_chunk_map_t *fm, const H5D_io_info_t
/* Set chunk location & hyperslab size */
for(u = 0; u < fm->f_ndims; u++) {
+ /* Validate this chunk dimension */
+ if(fm->layout->u.chunk.dim[u] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u)
HDassert(sel_start[u] == sel_end[u]);
chunk_info->coords[u] = (sel_start[u] / fm->layout->u.chunk.dim[u]) * fm->layout->u.chunk.dim[u];
} /* end for */
@@ -1465,6 +1468,9 @@ H5D__create_chunk_file_map_hyper(H5D_chunk_map_t *fm, const H5D_io_info_t
/* Set initial chunk location & hyperslab size */
for(u = 0; u < fm->f_ndims; u++) {
+ /* Validate this chunk dimension */
+ if(fm->layout->u.chunk.dim[u] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u)
start_coords[u] = (sel_start[u] / fm->layout->u.chunk.dim[u]) * fm->layout->u.chunk.dim[u];
coords[u] = start_coords[u];
end[u] = (coords[u] + fm->chunk_dim[u]) - 1;
@@ -3595,6 +3601,9 @@ H5D__chunk_allocate(const H5D_t *dset, hid_t dxpl_id, hbool_t full_overwrite,
* that we assume here that all elements of space_dim are > 0. This is
* checked at the top of this function */
for(op_dim=0; op_dim<space_ndims; op_dim++) {
+ /* Validate this chunk dimension */
+ if(chunk_dim[op_dim] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim)
min_unalloc[op_dim] = ((old_dim[op_dim] + chunk_dim[op_dim] - 1)
/ chunk_dim[op_dim]) * chunk_dim[op_dim];
max_unalloc[op_dim] = ((space_dim[op_dim] - 1) / chunk_dim[op_dim])
@@ -3865,6 +3874,8 @@ H5D__chunk_collective_fill(const H5D_t *dset, hid_t dxpl_id,
HGOTO_ERROR(H5E_PLIST, H5E_CANTCOPY, FAIL, "can't copy property list")
/* Distribute evenly the number of blocks between processes. */
+ if(mpi_size == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "Resulted in division by zero")
num_blocks = chunk_info->num_io / mpi_size; /* value should be the same on all procs */
/* after evenly distributing the blocks between processes, are
@@ -4324,6 +4335,10 @@ H5D__chunk_prune_by_extent(H5D_t *dset, hid_t dxpl_id, const hsize_t *old_dim)
HDmemset(min_mod_chunk_off, 0, sizeof(min_mod_chunk_off));
HDmemset(max_mod_chunk_off, 0, sizeof(max_mod_chunk_off));
for(op_dim = 0; op_dim < space_ndims; op_dim++) {
+ /* Validate this chunk dimension */
+ if(chunk_dim[op_dim] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim)
+
/* Calculate the largest offset of chunks that might need to be
* modified in this dimension */
max_mod_chunk_off[op_dim] = chunk_dim[op_dim] * ((old_dim[op_dim] - 1)
@@ -4929,9 +4944,12 @@ H5D__chunk_copy_cb(const H5D_chunk_rec_t *chunk_rec, void *_udata)
/* (background buffer has already been zeroed out, if not expanding) */
if(udata->cpy_info->expand_ref) {
size_t ref_count;
+ size_t dt_size;
/* Determine # of reference elements to copy */
- ref_count = nbytes / H5T_get_size(udata->dt_src);
+ if((dt_size = H5T_get_size(udata->dt_src)) == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "size must not be 0")
+ ref_count = nbytes / dt_size;
/* Copy the reference elements */
if(H5O_copy_expand_ref(udata->file_src, buf, udata->idx_info_dst->dxpl_id, udata->idx_info_dst->f, bkg, ref_count, H5T_get_ref_type(udata->dt_src), udata->cpy_info) < 0)
--
2.23.0

84
CVE-2018-17234.patch Normal file
View File

@ -0,0 +1,84 @@
From f4138013dbc6851e968ea3d37b32776538ef306b Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Tue, 15 Jan 2019 13:07:22 -0600
Subject: [PATCH] Fixed HDFFV-10578
Description:
- HDFFV-10578 - CVE-2018-17234 Memory leak in H5O__chunk_deserialize()
Actually, the leak was in h5tools_util. Applied Neil's fix.
- Changed an assert to if/HGOTO_ERROR to fail gracefully.
Platforms tested:
Linux/64 (jelly)
Linux/64 (platypus)
Darwin (osx1010test)
---
src/H5Ocache.c | 3 ++-
src/H5VM.c | 2 +-
tools/lib/h5tools_utils.c | 17 ++++++++++++++++-
3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index ebae3f5..454b287 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1116,7 +1116,8 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image,
/* Message size */
UINT16DECODE(p, mesg_size);
- HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size));
+ if(mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned")
/* Message flags */
flags = *p++;
diff --git a/src/H5VM.c b/src/H5VM.c
index 4e48001..db6362c 100644
--- a/src/H5VM.c
+++ b/src/H5VM.c
@@ -1503,7 +1503,7 @@ done:
*
* Purpose: Given source and destination buffers in memory (SRC & DST)
* copy sequences of from the source buffer into the destination
- * buffer. Each set of sequnces has an array of lengths, an
+ * buffer. Each set of sequences has an array of lengths, an
* array of offsets, the maximum number of sequences and the
* current sequence to start at in the sequence.
*
diff --git a/tools/lib/h5tools_utils.c b/tools/lib/h5tools_utils.c
index 3f66ef6..2e19bfa 100644
--- a/tools/lib/h5tools_utils.c
+++ b/tools/lib/h5tools_utils.c
@@ -562,6 +562,8 @@ herr_t
init_objs(hid_t fid, find_objs_t *info, table_t **group_table,
table_t **dset_table, table_t **type_table)
{
+ herr_t ret_value = SUCCEED;
+
/* Initialize the tables */
init_table(group_table);
init_table(dset_table);
@@ -574,7 +576,20 @@ init_objs(hid_t fid, find_objs_t *info, table_t **group_table,
info->dset_table = *dset_table;
/* Find all shared objects */
- return(h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info));
+ if((ret_value = h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info)) <0)
+ HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "finding shared objects failed")
+
+done:
+ /* Release resources */
+ if(ret_value < 0) {
+ free_table(*group_table);
+ info->group_table = NULL;
+ free_table(*type_table);
+ info->type_table = NULL;
+ free_table(*dset_table);
+ info->dset_table = NULL;
+ }
+ return ret_value;
}
--
2.23.0

247
CVE-2018-17237.patch Normal file
View File

@ -0,0 +1,247 @@
From 4e31361dad4add06792b652dbe5b97e501f9031d Mon Sep 17 00:00:00 2001
From: Songyu Lu <songyulu@hdfgroup.org>
Date: Tue, 12 Feb 2019 13:48:49 -0600
Subject: [PATCH] I'm bringing the fixes for the following Jira issues from the
develop branch to 1.10 branch: HDFFV-10571: Divided by Zero vulnerability.
HDFFV-10601: Issues with chunk cache hash value calcuation. HDFFV-10607:
Patches for warnings in the core libraries. HDFFV-10635: HDF5 library
segmentation fault with H5Sselect_element.
---
src/H5Dchunk.c | 3 ++
src/H5HG.c | 8 +++-
src/H5Olayout.c | 8 +++-
src/H5RS.c | 4 +-
src/H5RSprivate.h | 2 +-
test/tvlstr.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 122 insertions(+), 5 deletions(-)
diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c
index 021335f..6183ad8 100644
--- a/src/H5Dchunk.c
+++ b/src/H5Dchunk.c
@@ -641,6 +641,9 @@ H5D__chunk_set_info_real(H5O_layout_chunk_t *layout, unsigned ndims, const hsize
/* Compute the # of chunks in dataset dimensions */
for(u = 0, layout->nchunks = 1; u < ndims; u++) {
+ /* Sanity check */
+ HDassert(layout->dim[u] > 0);
+
/* Round up to the next integer # of chunks, to accomodate partial chunks */
layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u];
diff --git a/src/H5HG.c b/src/H5HG.c
index 194e4eb..e07ca0e 100644
--- a/src/H5HG.c
+++ b/src/H5HG.c
@@ -757,7 +757,13 @@ H5HG_remove (H5F_t *f, hid_t dxpl_id, H5HG_t *hobj)
HGOTO_ERROR(H5E_HEAP, H5E_CANTPROTECT, FAIL, "unable to protect global heap")
HDassert(hobj->idx < heap->nused);
- HDassert(heap->obj[hobj->idx].begin);
+ /* When the application selects the same location to rewrite the VL element by using H5Sselect_elements,
+ * it can happen that the entry has been removed by first rewrite. Here we simply skip the removal of
+ * the entry and let the second rewrite happen (see HDFFV-10635). In the future, it'd be nice to handle
+ * this situation in H5T_conv_vlen in H5Tconv.c instead of this level (HDFFV-10648). */
+ if(heap->obj[hobj->idx].nrefs == 0 && heap->obj[hobj->idx].size == 0 && !heap->obj[hobj->idx].begin)
+ HGOTO_DONE(ret_value)
+
obj_start = heap->obj[hobj->idx].begin;
/* Include object header size */
need = H5HG_ALIGN(heap->obj[hobj->idx].size) + H5HG_SIZEOF_OBJHDR(f);
diff --git a/src/H5Olayout.c b/src/H5Olayout.c
index 17385c2..3bbee12 100644
--- a/src/H5Olayout.c
+++ b/src/H5Olayout.c
@@ -223,9 +223,15 @@ H5O_layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *
H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr));
/* Chunk dimensions */
- for(u = 0; u < mesg->u.chunk.ndims; u++)
+ for(u = 0; u < mesg->u.chunk.ndims; u++) {
UINT32DECODE(p, mesg->u.chunk.dim[u]);
+ /* Just in case that something goes very wrong, such as file corruption. */
+ if(mesg->u.chunk.dim[u] == 0)
+ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk dimension must be positive: mesg->u.chunk.dim[%u] = %u",
+ u, mesg->u.chunk.dim[u])
+ } /* end for */
+
/* Compute chunk size */
for(u = 1, mesg->u.chunk.size = mesg->u.chunk.dim[0]; u < mesg->u.chunk.ndims; u++)
mesg->u.chunk.size *= mesg->u.chunk.dim[u];
diff --git a/src/H5RS.c b/src/H5RS.c
index 0a3fff0..ae500c5 100644
--- a/src/H5RS.c
+++ b/src/H5RS.c
@@ -137,7 +137,7 @@ done:
REVISION LOG
--------------------------------------------------------------------------*/
H5RS_str_t *
-H5RS_wrap(char *s)
+H5RS_wrap(const char *s)
{
H5RS_str_t *ret_value; /* Return value */
@@ -148,7 +148,7 @@ H5RS_wrap(char *s)
HGOTO_ERROR(H5E_RS, H5E_NOSPACE, NULL, "memory allocation failed")
/* Set the internal fields */
- ret_value->s = s;
+ ret_value->s = (char *)s;
ret_value->wrapped = 1;
ret_value->n = 1;
diff --git a/src/H5RSprivate.h b/src/H5RSprivate.h
index f69624a..1d26a18 100644
--- a/src/H5RSprivate.h
+++ b/src/H5RSprivate.h
@@ -44,7 +44,7 @@ typedef struct H5RS_str_t H5RS_str_t;
/* Private routines */
/********************/
H5_DLL H5RS_str_t *H5RS_create(const char *s);
-H5_DLL H5RS_str_t *H5RS_wrap(char *s);
+H5_DLL H5RS_str_t *H5RS_wrap(const char *s);
H5_DLL H5RS_str_t *H5RS_own(char *s);
H5_DLL herr_t H5RS_decr(H5RS_str_t *rs);
H5_DLL herr_t H5RS_incr(H5RS_str_t *rs);
diff --git a/test/tvlstr.c b/test/tvlstr.c
index e5b2a60..bb860a2 100644
--- a/test/tvlstr.c
+++ b/test/tvlstr.c
@@ -25,10 +25,14 @@
#define DATAFILE "tvlstr.h5"
#define DATAFILE2 "tvlstr2.h5"
+#define DATAFILE3 "sel2el.h5"
+
+#define DATASET "1Darray"
/* 1-D dataset with fixed dimensions */
#define SPACE1_RANK 1
#define SPACE1_DIM1 4
+#define NUMP 4
#define VLSTR_TYPE "vl_string_type"
@@ -846,6 +850,101 @@ static void test_vl_rewrite(void)
return;
} /* end test_vl_rewrite() */
+/****************************************************************
+ **
+ ** test_write_same_element():
+ ** Tests writing to the same element of VL string using
+ ** H5Sselect_element.
+ **
+ ****************************************************************/
+static void test_write_same_element(void)
+{
+ hid_t file1, dataset1;
+ hid_t mspace, fspace, dtype;
+ hsize_t fdim[] = {SPACE1_DIM1};
+ char *val[SPACE1_DIM1] = {"But", "reuniting", "is a", "great joy"};
+ hsize_t marray[] = {NUMP};
+ hsize_t coord[SPACE1_RANK][NUMP];
+ herr_t ret;
+
+ char *wdata[SPACE1_DIM1] = {"Parting", "is such a", "sweet", "sorrow."};
+
+ file1 = H5Fcreate(DATAFILE3, H5F_ACC_TRUNC, H5P_DEFAULT, H5P_DEFAULT);
+ CHECK(file1, FAIL, "H5Fcreate");
+
+ dtype = H5Tcopy(H5T_C_S1);
+ CHECK(dtype, FAIL, "H5Tcopy");
+
+ ret = H5Tset_size(dtype, H5T_VARIABLE);
+ CHECK(ret, FAIL, "H5Tset_size");
+
+ fspace = H5Screate_simple(SPACE1_RANK, fdim, NULL);
+ CHECK(fspace, FAIL, "H5Screate_simple");
+
+ dataset1 = H5Dcreate(file1, DATASET, dtype, fspace, H5P_DEFAULT,
+ H5P_DEFAULT, H5P_DEFAULT);
+ CHECK(dataset1, FAIL, "H5Dcreate");
+
+ ret = H5Dwrite(dataset1, dtype, H5S_ALL, H5S_ALL, H5P_DEFAULT, wdata);
+ CHECK(ret, FAIL, "H5Dwrite");
+
+ ret = H5Dclose(dataset1);
+ CHECK(ret, FAIL, "H5Dclose");
+
+ ret = H5Tclose(dtype);
+ CHECK(ret, FAIL, "H5Tclose");
+
+ ret = H5Sclose(fspace);
+ CHECK(ret, FAIL, "H5Sclose");
+
+ ret = H5Fclose(file1);
+ CHECK(ret, FAIL, "H5Fclose");
+
+ /*
+ * Open the file. Select the same points, write values to those point locations.
+ */
+ file1 = H5Fopen(DATAFILE3, H5F_ACC_RDWR, H5P_DEFAULT);
+ CHECK(file1, FAIL, "H5Fopen");
+
+ dataset1 = H5Dopen(file1, DATASET, H5P_DEFAULT);
+ CHECK(dataset1, FAIL, "H5Dopen");
+
+ fspace = H5Dget_space(dataset1);
+ CHECK(fspace, FAIL, "H5Dget_space");
+
+ dtype = H5Dget_type(dataset1);
+ CHECK(dtype, FAIL, "H5Dget_type");
+
+ mspace = H5Screate_simple(1, marray, NULL);
+ CHECK(mspace, FAIL, "H5Screate_simple");
+
+ coord[0][0] = 0;
+ coord[0][1] = 2;
+ coord[0][2] = 2;
+ coord[0][3] = 0;
+
+ ret = H5Sselect_elements(fspace, H5S_SELECT_SET, NUMP, (const hsize_t *)&coord);
+ CHECK(ret, FAIL, "H5Sselect_elements");
+
+ ret = H5Dwrite(dataset1, dtype, mspace, fspace, H5P_DEFAULT, val);
+ CHECK(ret, FAIL, "H5Dwrite");
+
+ ret = H5Tclose(dtype);
+ CHECK(ret, FAIL, "H5Tclose");
+
+ ret = H5Dclose(dataset1);
+ CHECK(ret, FAIL, "H5Dclose");
+
+ ret = H5Sclose(fspace);
+ CHECK(ret, FAIL, "H5Dclose");
+
+ ret = H5Sclose(mspace);
+ CHECK(ret, FAIL, "H5Sclose");
+
+ ret = H5Fclose(file1);
+ CHECK(ret, FAIL, "H5Fclose");
+} /* test_write_same_element */
+
/****************************************************************
**
** test_vlstrings(): Main VL string testing routine.
@@ -870,6 +969,8 @@ test_vlstrings(void)
/* Test writing VL datasets in files with lots of unlinking */
test_vl_rewrite();
+ /* Test writing to the same element more than once using H5Sselect_elements */
+ test_write_same_element();
} /* test_vlstrings() */
@@ -892,5 +993,6 @@ cleanup_vlstrings(void)
{
HDremove(DATAFILE);
HDremove(DATAFILE2);
+ HDremove(DATAFILE3);
}
--
2.23.0

200
CVE-2018-17434-CVE-2018-17437.patch Normal file
View File

@ -0,0 +1,200 @@
From 02d03b4624122955ee3de635699a4e3880fea377 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Wed, 30 Jan 2019 20:04:30 -0600
Subject: [PATCH] Fixed HDFFV-10586, HDFFV-10588, and HDFFV-10684
Description:
HDFFV-10586 CVE-2018-17434 Divide by zero in h5repack_filters
Added a check for zero value
HDFFV-10588 CVE-2018-17437 Memory leak in H5O_dtype_decode_helper
This is actually an Invalid read issue. It was found that the
attribute name length in an attribute message was corrupted,
which caused the buffer pointer to be advanced too far and later
caused an invalid read.
Added a check to detect attribute name and its length mismatch. The
fix does not cover all cases, but it'll reduce the chance of this issue
when a name length is corrupted or the attribute name is corrupted.
HDFFV-10684 H5Ewalk does not stop until all errors in the stack are visited
The test for HDFFV-10588 has revealed a bug in H5Ewalk.
H5Ewalk did not stop midway even when the call back function returns
H5_ITER_STOP. This is because a condition is missing from the for
loops in H5E__walk causing the callback functions unable to stop until
all the errors in the stack are iterated. Quincey advised on the final
fix. In this fix, "status" is switched to "ret_value" and HGOTO_ERROR
to HERROR, and the for loops won't continue when "ret_value" is not 0.
Platforms tested:
Linux/64 (jelly)
Linux/64 (platypus)
Darwin (osx1011test)
---
src/H5E.c | 6 ++---
src/H5Eint.c | 37 ++++++++++++++-----------------
src/H5Oattr.c | 5 +++++
tools/h5repack/h5repack_filters.c | 6 +++--
4 files changed, 29 insertions(+), 25 deletions(-)
diff --git a/src/H5E.c b/src/H5E.c
index a94c5bc..e8da166 100644
--- a/src/H5E.c
+++ b/src/H5E.c
@@ -1471,7 +1471,7 @@ done:
*
* Purpose: Prints the error stack in some default way. This is just a
* convenience function for H5Ewalk() with a function that
- * prints error messages. Users are encouraged to write there
+ * prints error messages. Users are encouraged to write their
* own more specific error handlers.
*
* Return: Non-negative on success/Negative on failure
@@ -1553,8 +1553,8 @@ H5Ewalk2(hid_t err_stack, H5E_direction_t direction, H5E_walk2_t stack_func, voi
/* Walk the error stack */
op.vers = 2;
op.u.func2 = stack_func;
- if(H5E_walk(estack, direction, &op, client_data) < 0)
- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack")
+ if((ret_value = H5E_walk(estack, direction, &op, client_data)) < 0)
+ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack");
done:
FUNC_LEAVE_API(ret_value)
diff --git a/src/H5Eint.c b/src/H5Eint.c
index 636866b..85edb90 100644
--- a/src/H5Eint.c
+++ b/src/H5Eint.c
@@ -442,13 +442,13 @@ done:
/*-------------------------------------------------------------------------
* Function: H5E_print
*
- * Purpose: Private function to print the error stack in some default
+ * Purpose: Private function to print the error stack in some default
* way. This is just a convenience function for H5Ewalk() and
* H5Ewalk2() with a function that prints error messages.
- * Users are encouraged to write there own more specific error
+ * Users are encouraged to write their own more specific error
* handlers.
*
- * Return: Non-negative on success/Negative on failure
+ * Return: Non-negative on success/Negative on failure
*
* Programmer: Robb Matzke
* Friday, February 27, 1998
@@ -533,9 +533,8 @@ herr_t
H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op,
void *client_data)
{
- int i; /* Local index variable */
- herr_t status; /* Status from callback function */
- herr_t ret_value = SUCCEED; /* Return value */
+ int i; /* Local index variable */
+ herr_t ret_value = H5_ITER_CONT; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
@@ -553,9 +552,8 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op
if(op->u.func1) {
H5E_error1_t old_err;
- status = SUCCEED;
if(H5E_WALK_UPWARD == direction) {
- for(i = 0; i < (int)estack->nused && status >= 0; i++) {
+ for(i = 0; i < (int)estack->nused && ret_value == H5_ITER_CONT; i++) {
/* Point to each error record on the stack and pass it to callback function.*/
old_err.maj_num = estack->slot[i].maj_num;
old_err.min_num = estack->slot[i].min_num;
@@ -564,12 +562,12 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op
old_err.desc = estack->slot[i].desc;
old_err.line = estack->slot[i].line;
- status = (op->u.func1)(i, &old_err, client_data);
+ ret_value = (op->u.func1)(i, &old_err, client_data);
} /* end for */
} /* end if */
else {
H5_CHECK_OVERFLOW(estack->nused - 1, size_t, int);
- for(i = (int)(estack->nused - 1); i >= 0 && status >= 0; i--) {
+ for(i = (int)(estack->nused - 1); i >= 0 && ret_value == H5_ITER_CONT; i--) {
/* Point to each error record on the stack and pass it to callback function.*/
old_err.maj_num = estack->slot[i].maj_num;
old_err.min_num = estack->slot[i].min_num;
@@ -578,12 +576,12 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op
old_err.desc = estack->slot[i].desc;
old_err.line = estack->slot[i].line;
- status = (op->u.func1)((int)(estack->nused - (size_t)(i + 1)), &old_err, client_data);
+ ret_value = (op->u.func1)((int)(estack->nused - (size_t)(i + 1)), &old_err, client_data);
} /* end for */
} /* end else */
- if(status < 0)
- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack")
+ if(ret_value < 0)
+ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack");
} /* end if */
#else /* H5_NO_DEPRECATED_SYMBOLS */
HDassert(0 && "version 1 error stack walk without deprecated symbols!");
@@ -592,19 +590,18 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op
else {
HDassert(op->vers == 2);
if(op->u.func2) {
- status = SUCCEED;
if(H5E_WALK_UPWARD == direction) {
- for(i = 0; i < (int)estack->nused && status >= 0; i++)
- status = (op->u.func2)((unsigned)i, estack->slot + i, client_data);
+ for(i = 0; i < (int)estack->nused && ret_value == H5_ITER_CONT; i++)
+ ret_value = (op->u.func2)((unsigned)i, estack->slot + i, client_data);
} /* end if */
else {
H5_CHECK_OVERFLOW(estack->nused - 1, size_t, int);
- for(i = (int)(estack->nused - 1); i >= 0 && status >= 0; i--)
- status = (op->u.func2)((unsigned)(estack->nused - (size_t)(i + 1)), estack->slot + i, client_data);
+ for(i = (int)(estack->nused - 1); i >= 0 && ret_value == H5_ITER_CONT; i--)
+ ret_value = (op->u.func2)((unsigned)(estack->nused - (size_t)(i + 1)), estack->slot + i, client_data);
} /* end else */
- if(status < 0)
- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack")
+ if(ret_value < 0)
+ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack");
} /* end if */
} /* end else */
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 149f04a..a8d2a31 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -175,6 +175,11 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
/* Decode and store the name */
if(NULL == (attr->shared->name = H5MM_strdup((const char *)p)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
+
+ /* Make an attempt to detect corrupted name or name length - HDFFV-10588 */
+ if(name_len != (HDstrlen(attr->shared->name) + 1))
+ HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "attribute name has different length than stored length")
+
if(attr->shared->version < H5O_ATTR_VERSION_2)
p += H5O_ALIGN_OLD(name_len); /* advance the memory pointer */
else
diff --git a/tools/h5repack/h5repack_filters.c b/tools/h5repack/h5repack_filters.c
index 523f81a..1eea3e9 100644
--- a/tools/h5repack/h5repack_filters.c
+++ b/tools/h5repack/h5repack_filters.c
@@ -333,12 +333,14 @@ int apply_filters(const char* name, /* object name from traverse list */
sm_nbytes = msize;
for (i = rank; i > 0; --i) {
- hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes;
+ hsize_t size = 0;
+ if(sm_nbytes == 0)
+ HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "number of bytes per stripmine must be > 0");
+ size = H5TOOLS_BUFSIZE / sm_nbytes;
if (size == 0) /* datum size > H5TOOLS_BUFSIZE */
size = 1;
sm_size[i - 1] = MIN(dims[i - 1], size);
sm_nbytes *= sm_size[i - 1];
- HDassert(sm_nbytes > 0);
}
for (i = 0; i < rank; i++) {
--
2.23.0

70
CVE-2018-17438.patch Normal file
View File

@ -0,0 +1,70 @@
From 7add52ff4f2443357648d53d52add274d1b18b5f Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Wed, 20 Mar 2019 14:03:48 -0500
Subject: [PATCH] Fixed HDFFV-10210 and HDFFV-10587 Description: - Added
parameter validation (HDFFV-10210) - Added detection of division by zero
(HDFFV-10587 - CVE-2018-17438) - Fixed typos in various tests Platforms
tested: Linux/64 (jelly) Linux/64 (platypus) Darwin (osx1011test)
---
src/H5Dselect.c | 2 ++
src/H5I.c | 3 +++
test/tid.c | 15 +++++++++++++++
3 files changed, 20 insertions(+)
diff --git a/src/H5Dselect.c b/src/H5Dselect.c
index 7e86b9d..84cd849 100644
--- a/src/H5Dselect.c
+++ b/src/H5Dselect.c
@@ -220,6 +220,8 @@ H5D__select_io(const H5D_io_info_t *io_info, size_t elmt_size,
/* Decrement number of elements left to process */
HDassert(((size_t)tmp_file_len % elmt_size) == 0);
+ if(elmt_size == 0)
+ HGOTO_ERROR(H5E_DATASPACE, H5E_BADVALUE, FAIL, "Resulted in division by zero")
nelmts -= ((size_t)tmp_file_len / elmt_size);
} /* end while */
} /* end else */
diff --git a/src/H5I.c b/src/H5I.c
index 2a4a38c..5cc8e69 100644
--- a/src/H5I.c
+++ b/src/H5I.c
@@ -406,6 +406,9 @@ H5Itype_exists(H5I_type_t type)
FUNC_ENTER_API(FAIL)
H5TRACE1("t", "It", type);
+ if(H5I_IS_LIB_TYPE(type))
+ HGOTO_ERROR(H5E_ATOM, H5E_BADGROUP, FAIL, "cannot call public function on library type")
+
if(type <= H5I_BADID || type >= H5I_next_type)
HGOTO_ERROR(H5E_ARGS, H5E_BADRANGE, FAIL, "invalid type number")
diff --git a/test/tid.c b/test/tid.c
index c98514b..aca32fd 100644
--- a/test/tid.c
+++ b/test/tid.c
@@ -224,6 +224,21 @@ static int basic_id_test(void)
goto out;
H5E_END_TRY
+ /* Test that H5Itype_exists cannot be called on library types because
+ * it is a public function
+ */
+ H5E_BEGIN_TRY
+ err = H5Itype_exists(H5I_GROUP);
+ if(err >= 0)
+ goto out;
+ H5E_END_TRY
+
+ H5E_BEGIN_TRY
+ err = H5Itype_exists(H5I_ATTR);
+ if(err >= 0)
+ goto out;
+ H5E_END_TRY
+
return 0;
out:
--
2.23.0

15
hdf5.spec
View File

@ -1,6 +1,6 @@
Name: hdf5
Version: 1.8.20
Release: 8
Release: 9
Summary: A data model, library, and file format for storing and managing data
License: BSD
@ -10,6 +10,11 @@ Source0: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.20/src
Patch0: hdf5-LD_LIBRARY_PATH.patch
Patch1: hdf5-mpi.patch
Patch2: hdf5-ldouble-ppc64le.patch
Patch3: CVE-2018-17233.patch
Patch4: CVE-2018-17234.patch
Patch5: CVE-2018-17237.patch
Patch6: CVE-2018-17434-CVE-2018-17437.patch
Patch7: CVE-2018-17438.patch
BuildRequires: gcc, gcc-c++
BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time
@ -31,10 +36,7 @@ Requires: gcc-gfortran%{?_isa}
HDF5 development headers and libraries.
%prep
%setup -q -n %{name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%autosetup -n %{name}-%{version} -p1
sed -i -e '/^STATIC_AVAILABLE=/s/=.*/=no/' */*/h5[cf]*.in
autoreconf -f -i
@ -154,6 +156,9 @@ make -C build check
%{_rpmmacrodir}/macros.hdf5
%changelog
* Mon Nov 9 2020 wangxiao <wangxiao65@huawei.com> - 1.8.20-9
- fix CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437 CVE-2018-17438
* Tue Sep 15 2020 shaoqiang kang <kangshaoqiang1@openeuler.org> - 1.8.20-8
- Modify source