Fix out of bounds in hdf5/src/H5Fint.c:2859 #2691

Merged
merged 10 commits into from
Apr 13, 2023



@kobrineli kobrineli commented Apr 11, 2023

Hi! Some time ago I reported an out-of-bounds error in hdf5/src/H5Fint.c:2859 #2432.
I fixed the error myself by adding some checks on the image pointer. I've tested the fixed version on the input that led to the error; now it works fine.

Closes #2432

@mattjala added the Merge - To 1.12, Priority - 1. High, Component - C Library and Type - Bug / Bugfix labels Apr 11, 2023
@kobrineli
Contributor Author

@mattjala, I've fixed

@jhendersonHDF
Collaborator

Hi @kobrineli, apologies for the extra burden, but would it be possible to merge in the latest changes from the HDF5 "develop" branch and refactor this PR to be in the style of the other buffer checks we've been adding recently? See #2679 for example where the "buffer end" variable is set to buffer_pointer + len - 1 and then we use a new H5_IS_BUFFER_OVERFLOW macro that takes the buffer pointer, the size of the thing being checked and the buffer end pointer. This way your new checks will be consistent with all the other places that use the new macro.
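
The check style described in the comment above, as an added example that is not part of this PR or of HDF5's source. The macro `IS_BUFFER_OVERFLOW`, the record layout and `entry_decode` are hypothetical stand-ins; only the "buffer end = pointer + len - 1" convention and the (pointer, size, buffer end) argument order come from the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in, not HDF5's H5_IS_BUFFER_OVERFLOW definition.
 * buffer_end points at the LAST valid byte (buf + len - 1). True when
 * `size` bytes starting at `ptr` do not fit. Requires ptr <= buffer_end + 1,
 * which holds below because every advance is preceded by a check. */
#define IS_BUFFER_OVERFLOW(ptr, size, buffer_end) \
    ((size_t)(size) > (size_t)(((buffer_end) + 1) - (ptr)))

/* Hypothetical record: u32 type (LE), u16 name length (LE), name bytes. */
typedef struct {
    uint32_t type;
    uint16_t name_len;
    char     name[32];
} entry_t;

/* Decode one record from an untrusted image. 0 on success, -1 if the
 * image is too short or the length field is not plausible. */
int entry_decode(const uint8_t *image, size_t len, entry_t *out)
{
    const uint8_t *p = image;
    const uint8_t *p_end;

    if (image == NULL || out == NULL || len == 0)
        return -1; /* len == 0 would make image + len - 1 point before the buffer */
    p_end = image + len - 1;

    if (IS_BUFFER_OVERFLOW(p, 4, p_end))
        return -1;
    out->type = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    p += 4;

    if (IS_BUFFER_OVERFLOW(p, 2, p_end))
        return -1;
    out->name_len = (uint16_t)(p[0] | p[1] << 8);
    p += 2;

    /* The length field comes from the file: check it against the
     * destination size and against the bytes left in the image. */
    if (out->name_len >= sizeof(out->name) ||
        IS_BUFFER_OVERFLOW(p, out->name_len, p_end))
        return -1;
    memcpy(out->name, p, out->name_len);
    out->name[out->name_len] = '\0';
    return 0;
}
```

Checking before each read, rather than once at the top, is what lets a variable-length field taken from the file be validated against the bytes that actually remain.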

@kobrineli
Contributor Author

@jhendersonHDF

Okay, I'll do it as soon as possible.

@jhendersonHDF
Collaborator

@kobrineli Thanks! Just to move the process of getting this merged along, you should also add a small entry in release_docs/RELEASE.txt under the "bugs fixed" section describing your fix and any associated CVEs. You should see some examples of recent entries for CVE fixes there that you can use; the entries are organized by date.

@kobrineli
Contributor Author

@jhendersonHDF
I didn't register any CVE for the issue which will be closed by this PR.
Is it possible to register it and how?

@jhendersonHDF
Collaborator

@kobrineli If there aren't any CVE issues associated with the fix, then just list any GitHub issue number associated with the fix, if any. The typical format for RELEASE.txt entries is:

  • Short description

    Long description

    (Initials - Date, GitHub issue number/CVE number/etc.)

@kobrineli
Contributor Author

@jhendersonHDF
Got it, thanks a lot

@kobrineli
Contributor Author

@jhendersonHDF

Hi! I've changed buffer overflow checks to the new macro and updated the RELEASE.txt with the issue description.

@jhendersonHDF
Collaborator

> @jhendersonHDF
>
> Hi! I've changed buffer overflow checks to the new macro and updated the RELEASE.txt with the issue description.

Thanks for the updates! This PR looks close; just a couple minor cleanup things to take care of.

@kobrineli
Contributor Author

@jhendersonHDF

Something fails in the tests that is not related to changes in this PR

@jhendersonHDF
Collaborator

> @jhendersonHDF
>
> Something fails in the tests that is not related to changes in this PR

Looks like those are mostly cascading failures from earlier on, but still related to the changes here. For example:

2023-04-13T19:59:08.0177358Z   #000: /home/runner/work/hdf5/hdf5/src/H5G.c line 598 in H5Gget_info(): unable to synchronously get group info
2023-04-13T19:59:08.0177733Z     major: Symbol table
2023-04-13T19:59:08.0178072Z     minor: Can't get value
2023-04-13T19:59:08.0178477Z   #001: /home/runner/work/hdf5/hdf5/src/H5G.c line 573 in H5G__get_info_api_common(): unable to get group info
2023-04-13T19:59:08.0178851Z     major: Symbol table
2023-04-13T19:59:08.0179159Z     minor: Can't get value
2023-04-13T19:59:08.0179720Z   #002: /home/runner/work/hdf5/hdf5/src/H5VLcallback.c line 4643 in H5VL_group_get(): group get failed
2023-04-13T19:59:08.0180107Z     major: Virtual Object Layer
2023-04-13T19:59:08.0180441Z     minor: Can't get value
2023-04-13T19:59:08.0180821Z   #003: /home/runner/work/hdf5/hdf5/src/H5VLcallback.c line 4612 in H5VL__group_get(): group get failed
2023-04-13T19:59:08.0181202Z     major: Virtual Object Layer
2023-04-13T19:59:08.0181527Z     minor: Can't get value
2023-04-13T19:59:08.0182050Z   #004: /home/runner/work/hdf5/hdf5/src/H5VLnative_group.c line 201 in H5VL__native_group_get(): can't retrieve group info
2023-04-13T19:59:08.0182439Z     major: Symbol table
2023-04-13T19:59:08.0182759Z     minor: Can't get value
2023-04-13T19:59:08.0183219Z   #005: /home/runner/work/hdf5/hdf5/src/H5Gobj.c line 741 in H5G__obj_info(): can't count objects
2023-04-13T19:59:08.0183562Z     major: Symbol table
2023-04-13T19:59:08.0183887Z     minor: Can't count elements
2023-04-13T19:59:08.0184284Z   #006: /home/runner/work/hdf5/hdf5/src/H5Gstab.c line 611 in H5G__stab_count(): iteration operator failed
2023-04-13T19:59:08.0184660Z     major: Symbol table
2023-04-13T19:59:08.0184951Z     minor: Unable to initialize object
2023-04-13T19:59:08.0185439Z   #007: /home/runner/work/hdf5/hdf5/src/H5B.c line 1194 in H5B_iterate(): B-tree iteration failed
2023-04-13T19:59:08.0185835Z     major: B-Tree node
2023-04-13T19:59:08.0186121Z     minor: Iteration failed
2023-04-13T19:59:08.0186601Z   #008: /home/runner/work/hdf5/hdf5/src/H5B.c line 1153 in H5B__iterate_helper(): B-tree iteration failed
2023-04-13T19:59:08.0187002Z     major: B-Tree node
2023-04-13T19:59:08.0187291Z     minor: Iteration failed
2023-04-13T19:59:08.0187762Z   #009: /home/runner/work/hdf5/hdf5/src/H5B.c line 1153 in H5B__iterate_helper(): B-tree iteration failed
2023-04-13T19:59:08.0188157Z     major: B-Tree node
2023-04-13T19:59:08.0188439Z     minor: Iteration failed
2023-04-13T19:59:08.0188844Z   #010: /home/runner/work/hdf5/hdf5/src/H5Gnode.c line 1021 in H5G__node_sumup(): unable to load symbol table node
2023-04-13T19:59:08.0189352Z     major: Symbol table
2023-04-13T19:59:08.0189667Z     minor: Unable to load metadata into cache
2023-04-13T19:59:08.0190069Z   #011: /home/runner/work/hdf5/hdf5/src/H5AC.c line 1350 in H5AC_protect(): H5C_protect() failed
2023-04-13T19:59:08.0190428Z     major: Object cache
2023-04-13T19:59:08.0190714Z     minor: Unable to protect metadata
2023-04-13T19:59:08.0191188Z   #012: /home/runner/work/hdf5/hdf5/src/H5C.c line 2147 in H5C_protect(): can't load entry
2023-04-13T19:59:08.0191540Z     major: Object cache
2023-04-13T19:59:08.0191850Z     minor: Unable to load metadata into cache
2023-04-13T19:59:08.0192334Z   #013: /home/runner/work/hdf5/hdf5/src/H5C.c line 6420 in H5C__load_entry(): Can't deserialize image
2023-04-13T19:59:08.0192695Z     major: Object cache
2023-04-13T19:59:08.0193006Z     minor: Unable to load metadata into cache
2023-04-13T19:59:08.0193439Z   #014: /home/runner/work/hdf5/hdf5/src/H5Gcache.c line 194 in H5G__cache_node_deserialize(): unable to decode symbol table entries
2023-04-13T19:59:08.0193846Z     major: Symbol table
2023-04-13T19:59:08.0194149Z     minor: Unable to load metadata into cache
2023-04-13T19:59:08.0194625Z   #015: /home/runner/work/hdf5/hdf5/src/H5Gent.c line 97 in H5G__ent_decode_vec(): can't decode
2023-04-13T19:59:08.0194964Z     major: Symbol table
2023-04-13T19:59:08.0195250Z     minor: Unable to decode value
2023-04-13T19:59:08.0196028Z   #016: /home/runner/work/hdf5/hdf5/src/H5Gent.c line 179 in H5G_ent_decode(): image pointer is out of bounds
2023-04-13T19:59:08.0196966Z     major: File accessibility
2023-04-13T19:59:08.0197187Z     minor: Address overflowed

@jhendersonHDF
Collaborator

@kobrineli Everything looks good now. Thanks for the work on fixing this and getting the PR in shape!

@kobrineli
Contributor Author

@jhendersonHDF Thanks!

@derobins derobins merged commit 10d4a6d into HDFGroup:develop Apr 13, 2023
byrnHDF pushed a commit to byrnHDF/hdf5 that referenced this pull request Apr 16, 2023
brtnfld pushed a commit to brtnfld/hdf5 that referenced this pull request May 17, 2023
Projects
Status: Merge to 1.14
Development

Successfully merging this pull request may close these issues.

[BUG] Out of bounds access on read in hdf5/src/H5Fint.c:2859:13