CBL-Mariner/SPECS/hdf5/CVE-2021-37501.patch

From 22917cd03c688a2810adc8571fcf1285a4d23d68 Mon Sep 17 00:00:00 2001
From: Egbert Eich <eich@suse.com>
Date: Thu, 2 Mar 2023 18:17:49 +0100
Subject: [PATCH] Check for overflow when calculating on-disk attribute data
 size (#2459)

* Remove duplicate code

Signed-off-by: Egbert Eich <eich@suse.com>

* Add test case for CVE-2021-37501

Bogus sizes in this test case causes the on-disk data size
calculation in H5O__attr_decode() to overflow so that the
calculated size becomes 0. This causes the read to overflow
and h5dump to segfault.
This test case was crafted, the test file was not directly
generated by HDF5.
Test case from:
https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.md
---
 release_docs/RELEASE.txt                       |  13 +++++++++++++
 src/H5Oattr.c                                  |   7 +++----
 tools/test/h5dump/CMakeTests.cmake             |   5 +++++
 tools/test/h5dump/testh5dump.sh.in             |  14 ++++++++++++++
 tools/testfiles/tCVE-2021-37501_attr_decode.h5 | Bin 0 -> 48544 bytes
 5 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 tools/testfiles/tCVE-2021-37501_attr_decode.h5

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 1a93f89307..3d9336dc4b 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -635,6 +635,19 @@ Bug Fixes since HDF5-1.12.0 release
 
     Library
     -------
+    - Fix CVE-2021-37501 / GHSA-rfgw-5vq3-wrjf
+
+      Check for overflow when calculating on-disk attribute data size.
+
+      A bogus hdf5 file may contain dataspace messages with sizes
+      which lead to the on-disk data sizes to exceed what is addressable.
+      When calculating the size, make sure, the multiplication does not
+      overflow.
+      The test case was crafted in a way that the overflow caused the
+      size to be 0.
+
+      (EFE - 2023/02/11 GH-2458)
+
     - Fixed CVE-2018-14460
 
       The tool h5repack produced a segfault when the rank in dataspace
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index ac643eafac0..cb06f25a725 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -221,10 +221,6 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
     else
         p += attr->shared->ds_size;
 
-    /* Get the datatype's size */
-    if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
-        HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
-
     /* Get the datatype & dataspace sizes */
     if (0 == (dt_size = H5T_get_size(attr->shared->dt)))
         HGOTO_ERROR(H5E_ATTR, H5E_CANTGET, NULL, "unable to get datatype size")
@@ -234,6 +230,9 @@ H5O__attr_decode(H5F_t *f, H5O_t *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, u
 
     /* Compute the size of the data */
     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, ds_size * (hsize_t)dt_size, hsize_t);
+    /* Check if multiplication has overflown */
+    if ((attr->shared->data_size / dt_size) != ds_size)
+        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range")
 
     /* Go get the data */
     if (attr->shared->data_size) {
diff --git a/tools/test/h5dump/CMakeTests.cmake b/tools/test/h5dump/CMakeTests.cmake
index 2505e847bc6..be1a414fce7 100644
--- a/tools/test/h5dump/CMakeTests.cmake
+++ b/tools/test/h5dump/CMakeTests.cmake
@@ -339,6 +339,7 @@
       ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_old.h5
       ${HDF5_TOOLS_DIR}/testfiles/tCVE_2018_11206_fill_new.h5
       ${HDF5_TOOLS_DIR}/testfiles/zerodim.h5
+      ${HDF5_TOOLS_DIR}/testfiles/tCVE-2021-37501_attr_decode.h5
       #STD_REF_OBJ files
       ${HDF5_TOOLS_DIR}/testfiles/trefer_attr.h5
       ${HDF5_TOOLS_DIR}/testfiles/trefer_compat.h5
@@ -1187,6 +1188,10 @@
   ADD_H5_TEST (tCVE_2018_11206_fill_old 1 tCVE_2018_11206_fill_old.h5)
   ADD_H5_TEST (tCVE_2018_11206_fill_new 1 tCVE_2018_11206_fill_new.h5)
 
+  # test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+  # https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+  ADD_H5_TEST (tCVE-2021-37501_attr_decode 1 tCVE-2021-37501_attr_decode.h5)
+
 ##############################################################################
 ###    P L U G I N  T E S T S
 ##############################################################################
diff --git a/tools/test/h5dump/testh5dump.sh.in b/tools/test/h5dump/testh5dump.sh.in
index 5d7ff8828a1..899bd33db75 100644
--- a/tools/test/h5dump/testh5dump.sh.in
+++ b/tools/test/h5dump/testh5dump.sh.in
@@ -183,6 +183,16 @@ $SRC_H5DUMP_TESTFILES/tvms.h5
 $SRC_H5DUMP_TESTFILES/err_attr_dspace.h5
 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_old.h5
 $SRC_H5DUMP_TESTFILES/tCVE_2018_11206_fill_new.h5
+<<<<<<< HEAD
+=======
+$SRC_H5DUMP_TESTFILES/tCVE-2021-37501_attr_decode.h5
+$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5
+$SRC_H5DUMP_TESTFILES/tst_onion_objs.h5.onion
+$SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5
+$SRC_H5DUMP_TESTFILES/tst_onion_dset_ext.h5.onion
+$SRC_H5DUMP_TESTFILES/tst_onion_dset_1d.h5
+$SRC_H5DUMP_TESTFILES/tst_onion_dset_1d.h5.onion
+>>>>>>> b16ec83... Check for overflow when calculating on-disk attribute data size (#2459)
 "
 
 LIST_OTHER_TEST_FILES="
@@ -1485,6 +1495,10 @@ TOOLTEST err_attr_dspace.ddl err_attr_dspace.h5
 TOOLTEST_FAIL tCVE_2018_11206_fill_old.h5
 TOOLTEST_FAIL tCVE_2018_11206_fill_new.h5
 
+# test to verify fix for CVE-2021-37501: multiplication overflow in H5O__attr_decode()
+# https://github.com/ST4RF4LL/Something_Found/blob/main/HDF5_v1.13.0_h5dump_heap_overflow.assets/poc
+TOOLTEST_FAIL tCVE-2021-37501_attr_decode.h5
+
 # Clean up temporary files/directories
 CLEAN_TESTFILES_AND_TESTDIR