guoxiaoqi 2020-12-14 10:46:04 +08:00
parent 437c6be165
commit 91fb3ff44d
7 changed files with 2285 additions and 1 deletions

CVE-2017-17506.patch Normal file



@ -0,0 +1,77 @@
From 068fc878c39a37c0b3865cb6cd01eb57f4dbde74 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Mon, 3 Aug 2020 12:48:58 -0500
Subject: [PATCH] Fix HDFFV-11120 and HDFFV-11121 (CVE-2018-13870 and
CVE-2018-13869)
Description:
When a buffer overflow occurred because a name length was corrupted
and became very large, h5dump produced a segfault on one file and a
memcpy parameter overlap on another file. This commit added checks
that detect a read pass the end of the buffer to prevent these error
conditions.
Platforms tested:
Linux/64 (jelly)
---
src/H5Olink.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/H5Olink.c b/src/H5Olink.c
index c0dd1d8c4b..e48ec45c74 100644
--- a/src/H5Olink.c
+++ b/src/H5Olink.c
@@ -118,11 +118,12 @@ H5FL_DEFINE_STATIC(H5O_link_t);
static void *
H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,
unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags,
- size_t H5_ATTR_UNUSED p_size, const uint8_t *p)
+ size_t p_size, const uint8_t *p)
{
H5O_link_t *lnk = NULL; /* Pointer to link message */
size_t len = 0; /* Length of a string in the message */
unsigned char link_flags; /* Flags for encoding link info */
+ const uint8_t *p_end = p + p_size; /* End of the p buffer */
void *ret_value; /* Return value */
FUNC_ENTER_NOAPI_NOINIT
@@ -198,6 +199,11 @@ H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *op
if(len == 0)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid name length")
+ /* Make sure that length doesn't exceed buffer size, which could occur
+ when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
/* Get the link's name */
if(NULL == (lnk->name = (char *)H5MM_malloc(len + 1)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
@@ -217,6 +223,12 @@ H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *op
UINT16DECODE(p, len)
if(len == 0)
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, NULL, "invalid link length")
+
+ /* Make sure that length doesn't exceed buffer size, which could occur
+ when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
if(NULL == (lnk->u.soft.name = (char *)H5MM_malloc((size_t)len + 1)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
HDmemcpy(lnk->u.soft.name, p, len);
@@ -237,6 +249,11 @@ H5O_link_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *op
lnk->u.ud.size = len;
if(len > 0)
{
+ /* Make sure that length doesn't exceed buffer size, which could
+ occur when the file is corrupted */
+ if(p + len > p_end)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "name length causes read past end of buffer")
+
if(NULL == (lnk->u.ud.udata = H5MM_malloc((size_t)len)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
HDmemcpy(lnk->u.ud.udata, p, len);
--
2.23.0
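Review bot: The three new bounds checks form `p + len` before comparing with `p_end`; for the very large corrupted lengths this commit is about, computing a pointer far past the end of the buffer is undefined behaviour, and on a 32-bit address space the sum can wrap below `p_end` and pass the check. Comparing lengths keeps the arithmetic inside the object at all three sites: `if(len > (size_t)(p_end - p))`. The third site guards the user-data block rather than a name, so its message `"name length causes read past end of buffer"` is misleading there and could read `"user data length causes read past end of buffer"`. H5O_link_decode begins before the first hunk, and the fixed-size fields decoded between these checks are not compared against `p_end` in the lines shown — worth confirming in the full function.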

CVE-2018-13873.patch Normal file

@ -0,0 +1,54 @@
From e1b59919bb96f68f3b372a73790ecbe4ac3b395a Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Sun, 6 Jan 2019 01:44:40 -0600
Subject: [PATCH] HDFFV-10578 and HDFFV-10676 Description: HDFFV-10578 -
CVE-2018-17234 The file has some issue, however, there was a bug in
h5dump that caused memory leaks after the problem in the file was
encountered. The bug was that an if statement was missing in the
function table_list_add() resulting in the memory not being freed at
a later time. After the fix had been applied, there were no more
leaks after h5dump detected the issue in the file and reported the
error.
In H5O__chunk_deserialize, replaced an assert with an if statement
and reporting error, per Neil's recommendation
HDFFV-10676 - CVE-2018-13873
Also in H5O__chunk_deserialize, added an assertion to detect
out of bound ids
---
src/H5Ocache.c | 5 ++++-
tools/src/h5dump/h5dump.c | 7 ++++---
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index fba4f6e586..034048fd4e 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1129,6 +1129,8 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
if((flags & H5O_MSG_FLAG_WAS_UNKNOWN) && !(flags & H5O_MSG_FLAG_MARK_IF_UNKNOWN))
HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "bad flag combination for message")
+
+ HDassert(id < NELMTS(H5O_msg_class_g));
if((flags & H5O_MSG_FLAG_SHAREABLE)
&& H5O_msg_class_g[id]
&& !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE))
diff --git a/tools/src/h5dump/h5dump.c b/tools/src/h5dump/h5dump.c
index b9e37e8379..5267188dad 100644
--- a/tools/h5dump/h5dump.c
+++ b/tools/h5dump/h5dump.c
@@ -403,9 +403,10 @@ table_list_add(hid_t oid, unsigned long file_no)
}
if(init_objs(oid, &info, &table_list.tables[idx].group_table,
&table_list.tables[idx].dset_table, &table_list.tables[idx].type_table) < 0) {
- H5Idec_ref(oid);
- table_list.nused--;
- return -1;
+ if (H5Idec_ref(oid) < 0) {
+ table_list.nused--;
+ return -1;
+ }
}
#ifdef H5DUMP_DEBUG
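Review bot: The new `HDassert(id < NELMTS(H5O_msg_class_g))` in H5O_chunk_deserialize is compiled out in release builds, so with NDEBUG an out-of-range `id` read from a corrupted file still indexes `H5O_msg_class_g[id]` on the lines that follow, and the problem the patch targets stays reachable in production binaries. A runtime check that fails the load, in the form this function already uses for bad flags, is needed: `if(id >= NELMTS(H5O_msg_class_g)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message id out of range")`. In the h5dump.c hunk, when init_objs() fails but H5Idec_ref() succeeds, table_list_add now falls through instead of returning -1, so the caller presumably receives a valid index for an entry whose tables were never fully initialized; if keeping the entry is intended so that it is released by the later cleanup, a comment saying so plus an explicit `return -1;` after the successful dec_ref would keep the failure visible to the caller. Both functions start and end outside their hunks.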

CVE-2018-17432.patch Normal file

@ -0,0 +1,61 @@
From 7bfa10018ecf5efe54b4a699bb684d31468c8b42 Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Mon, 26 Oct 2020 08:36:27 -0500
Subject: [PATCH] Fix HDFFV-10590
Description
This is to fix the CVE issue CVE-2018-17432.
h5repack produced a segfault on a corrupted file. This fix modified
the
dataspace encode and decode functions per Quincey's suggestion to
prevent
the segfault. h5repack only failed for the corrupted file now.
Platforms tested:
Linux/64 (jelly)
---
src/H5Osdspace.c | 23 +-
1 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/H5Osdspace.c b/src/H5Osdspace.c
index 627ea190a3..6e34960d87 100644
--- a/src/H5Osdspace.c
+++ b/src/H5Osdspace.c
@@ -143,8 +143,11 @@ H5O_sdspace_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED
flags = *p++;
/* Get or determine the type of the extent */
- if(version >= H5O_SDSPACE_VERSION_2)
+ if(version >= H5O_SDSPACE_VERSION_2) {
sdim->type = (H5S_class_t)*p++;
+ if(sdim->type != H5S_SIMPLE && sdim->rank > 0)
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid rank for scalar or NULL dataspace")
+ } /* end if */
else {
/* Set the dataspace type to be simple or scalar as appropriate */
if(sdim->rank > 0)
@@ -267,14 +270,16 @@ H5O_sdspace_encode(H5F_t *f, uint8_t *p, const void *_mesg)
*p++ = 0; /*reserved*/
} /* end else */
- /* Current & maximum dimensions */
- if(sdim->rank > 0) {
- for(u = 0; u < sdim->rank; u++)
- H5F_ENCODE_LENGTH(f, p, sdim->size[u]);
- if(flags & H5S_VALID_MAX) {
- for(u = 0; u < sdim->rank; u++)
- H5F_ENCODE_LENGTH(f, p, sdim->max[u]);
- } /* end if */
+ /* Encode dataspace dimensions for simple dataspaces */
+ if(H5S_SIMPLE == sdim->type) {
+ /* Encode current & maximum dimensions */
+ if(sdim->rank > 0) {
+ for(u = 0; u < sdim->rank; u++)
+ H5F_ENCODE_LENGTH(f, p, sdim->size[u]);
+ if(flags & H5S_VALID_MAX)
+ for(u = 0; u < sdim->rank; u++)
+ H5F_ENCODE_LENGTH(f, p, sdim->max[u]);
+ } /* end if */
} /* end if */
FUNC_LEAVE_NOAPI(SUCCEED)
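Review bot: The decode check only rejects a non-simple class combined with a non-zero rank, so a corrupted class byte outside H5S_SCALAR/H5S_SIMPLE/H5S_NULL with rank 0 still passes this check and is stored in `sdim->type` as an unknown class. Rejecting unknown classes at the same place closes that gap: `if(sdim->type != H5S_SCALAR && sdim->type != H5S_SIMPLE && sdim->type != H5S_NULL) HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "unknown dataspace type")`. On the encode side the dimensions are now skipped for non-simple spaces, but the routine that computes the message size is not in this patch; if it still counts `rank` dimensions for such spaces, the bytes written and the message size will disagree — worth confirming. Both H5O_sdspace_decode and H5O_sdspace_encode start outside their hunks.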

CVE-2018-17435.patch Normal file

@ -0,0 +1,114 @@
From c12da4884f18dda4c9dbc23efd10eb053ec7cf0d Mon Sep 17 00:00:00 2001
From: Binh-Minh Ribler <bmribler@hdfgroup.org>
Date: Fri, 19 Jun 2020 10:53:32 -0500
Subject: [PATCH] Fix HDFFV-10591
Description:
h52gif produced a segfault when a buffer overflow occurred because
the data size was corrupted and became very large. This commit
added
a check on the data size against the buffer size to prevent the
segfault.
It also added error reporting to h52gif to display an error message
instead of silently exiting when the failure occurred.
Platforms tested:
Linux/64 (jelly)
SunOS 5.11 (emu)
---
hl/src/H5IM.c | 3 ++-
hl/tools/gif2h5/hdf2gif.c | 19 +++++++++++++++----
src/H5Oattr.c | 5 +++++
3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/hl/src/H5IM.c b/hl/src/H5IM.c
index f76f029ae2..495f296625 100644
--- a/hl/src/H5IM.c
+++ b/hl/src/H5IM.c
@@ -274,7 +274,8 @@ herr_t H5IMget_image_info( hid_t loc_id,
return -1;
/* Try to find the attribute "INTERLACE_MODE" on the >>image<< dataset */
- has_attr = H5LT_find_attribute(did, "INTERLACE_MODE");
+ if ((has_attr = H5LT_find_attribute(did, "INTERLACE_MODE")) < 0)
+ goto out;
/* It exists, get it */
if(has_attr == 1)
diff --git a/hl/tools/gif2h5/hdf2gif.c b/hl/tools/gif2h5/hdf2gif.c
index ce9d8786f8..ec81194a71 100644
--- a/hl/tools/gif2h5/hdf2gif.c
+++ b/hl/tools/gif2h5/hdf2gif.c
@@ -143,17 +143,22 @@ int main(int argc , char **argv)
goto out;
}
- /* read image */
+ /* get image's information */
if ( H5IMget_image_info( fid, image_name, &width, &height, &planes, interlace, &npals ) < 0 )
+ {
+ fprintf(stderr , "Unable to get information of the image. Aborting.\n");
goto out;
+ }
- if (width > IMAGE_WIDTH_MAX || height > IMAGE_HEIGHT_MAX){
+ if (width > IMAGE_WIDTH_MAX || height > IMAGE_HEIGHT_MAX)
+ {
fprintf(stderr, "HDF5 image is too large. Limit is %d by %d.\n", IMAGE_WIDTH_MAX, IMAGE_HEIGHT_MAX);
goto out;
}
/* tool can handle single plane images only. */
- if (planes > 1){
+ if (planes > 1)
+ {
fprintf(stderr, "Cannot handle multiple planes image\n");
goto out;
}
@@ -161,12 +166,18 @@ int main(int argc , char **argv)
Image = (BYTE*) malloc( (size_t) width * (size_t) height );
if ( H5IMread_image( fid, image_name, Image ) < 0 )
+ {
+ fprintf(stderr , "Unable to read the image. Aborting.\n");
goto out;
+ }
if (npals)
{
if ( H5IMget_palette_info( fid, image_name, 0, pal_dims ) < 0 )
+ {
+ fprintf(stderr , "Unable to get information of the palette. Aborting.\n");
goto out;
+ }
pal = (BYTE*) malloc( (size_t) pal_dims[0] * (size_t) pal_dims[1] );
@@ -240,7 +251,7 @@ int main(int argc , char **argv)
if (j==i)
{
/* wasn't found */
- pc2nc[i] = (BYTE)nc;
+ pc2nc[i] = (BYTE)nc;
r1[nc] = Red[i];
g1[nc] = Green[i];
b1[nc] = Blue[i];
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index 882912155a..a13c944264 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -225,6 +225,11 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
/* Go get the data */
if(attr->shared->data_size) {
+ /* Ensure that data size doesn't exceed buffer size, in case of
+ it's being corrupted in the file */
+ if(attr->shared->data_size > p_size)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds buffer size")
+
if(NULL == (attr->shared->data = H5FL_BLK_MALLOC(attr_buf, attr->shared->data_size)))
HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
HDmemcpy(attr->shared->data, p, attr->shared->data_size);
--
2.23.0
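Review bot: The new check in H5O_attr_decode compares `data_size` with the whole message buffer `p_size`, but by this point `p` has presumably advanced past the earlier fields of the message, so a data_size below `p_size` yet larger than the bytes remaining still lets the HDmemcpy on the following line read past the end of the buffer. The bound should be the remaining length, in the style of the H5Olink.c fix in this same commit: a `const uint8_t *p_end = p + p_size;` at function entry and `if(attr->shared->data_size > (size_t)(p_end - p))` here; H5O_attr_decode starts before the hunk, so the declaration site is not visible. In hdf2gif.c the `malloc` results for `Image` and `pal` are still passed on unchecked; that is pre-existing code, but the new error reporting is a natural place for `if(Image == NULL) { fprintf(stderr, "Out of memory. Aborting.\n"); goto out; }`.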

fix-compile-error.patch Normal file

@ -0,0 +1,100 @@
From aa52644d1f9e5a1103e4f670b56074c4e46a04f2 Mon Sep 17 00:00:00 2001
From: lrknox <lrknox>
Date: Fri, 11 May 2018 11:02:43 -0500
Subject: [PATCH] Address compile errors and merge conflicts.
---
src/H5Abtree2.c | 2 +-
src/H5HFcache.c | 2 +-
src/H5Ocache.c | 4 ++--
src/H5T.c | 8 +++-----
4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/H5Abtree2.c b/src/H5Abtree2.c
index 02fffce21c..318c60d750 100644
--- a/src/H5Abtree2.c
+++ b/src/H5Abtree2.c
@@ -162,7 +162,7 @@ const H5B2_class_t H5A_BT2_CORDER[1]={{ /* B-tree class information */
*-------------------------------------------------------------------------
*/
static herr_t
-H5A__dense_fh_name_cmp(const void *obj, size_t obj_len, void *_udata)
+H5A_dense_fh_name_cmp(const void *obj, size_t obj_len, void *_udata)
{
H5A_fh_ud_cmp_t *udata = (H5A_fh_ud_cmp_t *)_udata; /* User data for 'op' callback */
H5A_t *attr = NULL; /* Pointer to attribute created from heap object */
diff --git a/src/H5HFcache.c b/src/H5HFcache.c
index 319a865438..0d25dbf603 100644
--- a/src/H5HFcache.c
+++ b/src/H5HFcache.c
@@ -384,7 +384,7 @@ H5HF_cache_hdr_load(H5F_t *f, hid_t dxpl_id, haddr_t addr, void *_udata)
UINT32DECODE(p, hdr->pline_root_direct_filter_mask);
/* Decode I/O filter information */
- if(NULL == (pline = (H5O_pline_t *)H5O_msg_decode(hdr->f, udata->dxpl_id, NULL, H5O_PLINE_ID, len, image)))
+ if(NULL == (pline = (H5O_pline_t *)H5O_msg_decode(hdr->f, udata->dxpl_id, NULL, H5O_PLINE_ID, hdr->filter_len, p)))
HGOTO_ERROR(H5E_HEAP, H5E_CANTDECODE, NULL, "can't decode I/O pipeline filters")
p += hdr->filter_len;
diff --git a/src/H5Ocache.c b/src/H5Ocache.c
index ebae3f55bf..39f3ca330f 100644
--- a/src/H5Ocache.c
+++ b/src/H5Ocache.c
@@ -1288,7 +1288,7 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image,
unsigned ioflags = 0; /* Flags for decode routine */
/* Decode continuation message */
- cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw);
+ cont = (H5O_cont_t *)(H5O_MSG_CONT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw_size, oh->mesg[curmesg].raw);
cont->chunkno = udata->cont_msg_info->nmsgs + 1; /*the next continuation message/chunk */
/* Save 'native' form of continuation message */
@@ -1312,7 +1312,7 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image,
/* Decode ref. count message */
HDassert(oh->version > H5O_VERSION_1);
- refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw);
+ refcount = (H5O_refcount_t *)(H5O_MSG_REFCOUNT->decode)(udata->f, udata->dxpl_id, NULL, 0, &ioflags, oh->mesg[curmesg].raw_size, oh->mesg[curmesg].raw);
/* Save 'native' form of ref. count message */
oh->mesg[curmesg].native = refcount;
diff --git a/src/H5T.c b/src/H5T.c
index 9eeb7db193..36b4c63001 100644
--- a/src/H5T.c
+++ b/src/H5T.c
@@ -298,8 +298,6 @@ static herr_t H5T_unregister(H5T_pers_t pers, const char *name, H5T_t *src,
static herr_t H5T_register(H5T_pers_t pers, const char *name, H5T_t *src,
H5T_t *dst, H5T_conv_t func, hid_t dxpl_id, hbool_t api_call);
static htri_t H5T_compiler_conv(H5T_t *src, H5T_t *dst);
-static herr_t H5T_encode(H5T_t *obj, unsigned char *buf, size_t *nalloc);
-static H5T_t *H5T_decode(const unsigned char *buf);
static herr_t H5T_set_size(H5T_t *dt, size_t size);
@@ -2839,7 +2837,7 @@ H5Tdecode(const void *buf)
*
*-------------------------------------------------------------------------
*/
-static herr_t
+herr_t
H5T_encode(H5T_t *obj, unsigned char *buf, size_t *nalloc)
{
size_t buf_size; /* Encoded size of datatype */
@@ -2895,7 +2893,7 @@ H5T_encode(H5T_t *obj, unsigned char *buf, size_t *nalloc)
*
*-------------------------------------------------------------------------
*/
-static H5T_t *
+H5T_t *
H5T_decode(size_t buf_size, const unsigned char *buf)
{
H5F_t *f = NULL; /* Fake file structure*/
@@ -2916,7 +2914,7 @@ H5T_decode(size_t buf_size, const unsigned char *buf)
HGOTO_ERROR(H5E_DATATYPE, H5E_VERSION, NULL, "unknown version of encoded datatype")
/* Decode the serialized datatype message */
- if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_noio_dxpl_id, NULL, H5O_DTYPE_ID, buf_size, buf)))
+ if(NULL == (ret_value = (H5T_t *)H5O_msg_decode(f, H5AC_ind_dxpl_id, NULL, H5O_DTYPE_ID, buf_size, buf)))
HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode object")
/* Mark datatype as being in memory now */
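Review bot: H5T_encode and H5T_decode lose their `static` qualifier and their file-local prototypes are deleted in the first H5T.c hunk, yet the diffstat lists no header, so no external-linkage declaration is visible for the callers in other translation units this change presumably serves; if the private H5T header already declares them from an earlier patch, a sentence in the commit message saying so would save the next reader the search, otherwise the prototypes belong there. In H5HFcache.c the decode is now bounded by `hdr->filter_len`, a value read from the on-disk header; whether it has been checked against the remaining image length before this call is outside the hunk and worth confirming, since the decode routine trusts it as its `p_size`. The rename in H5Abtree2.c is fine only if every caller outside the hunk uses the new name.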


@ -1,6 +1,6 @@
Name: hdf5
Version: 1.8.20
Release: 9
Release: 10
Summary: A data model, library, and file format for storing and managing data
License: BSD
@ -15,6 +15,12 @@ Patch4: CVE-2018-17234.patch
Patch5: CVE-2018-17237.patch
Patch6: CVE-2018-17434-CVE-2018-17437.patch
Patch7: CVE-2018-17438.patch
Patch8: CVE-2017-17506.patch
Patch9: fix-compile-error.patch
Patch10: CVE-2018-17432.patch
Patch11: CVE-2018-17435.patch
Patch12: CVE-2018-13869-CVE-2018-13870.patch
Patch13: CVE-2018-13873.patch
BuildRequires: gcc, gcc-c++
BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time
@ -156,6 +162,9 @@ make -C build check
%{_rpmmacrodir}/macros.hdf5
%changelog
* Mon Dec 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.20-10
- fix CVE-2017-17506 CVE-2018-17432 CVE-2018-17435 CVE-2018-13869 CVE-2018-13870 CVE-2018-13873
* Mon Nov 9 2020 wangxiao <wangxiao65@huawei.com> - 1.8.20-9
- fix CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437 CVE-2018-17438