diff mbox series

[meta-oe,kirkstone] hdf5: Fix CVE-2021-37501

Message ID 20230911065400.2633164-1-mingli.yu@windriver.com
State New
Headers show
Series [meta-oe,kirkstone] hdf5: Fix CVE-2021-37501 | expand

Commit Message

Yu, Mingli Sept. 11, 2023, 6:54 a.m. UTC 
From: Mingli Yu <mingli.yu@windriver.com>

Backport a patch [1] to fix CVE-2021-37501.

[1] https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
 .../hdf5/files/CVE-2021-37501.patch           | 37 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb   |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
new file mode 100644
index 000000000..01099f343
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
@@ -0,0 +1,37 @@ 
+From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Mon, 11 Sep 2023 14:01:37 +0800
+Subject: [PATCH] Check for overflow when calculating on-disk attribute data
+ size
+
+Bogus sizes in this test case causes the on-disk data size
+calculation in H5O_attr_decode() to overflow so that the
+calculated size becomes 0. This causes the read to overflow
+and h5dump to segfault.
+
+CVE: CVE-2021-37501
+
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/H5Oattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index c2c0fe3..c289344 100644
+--- a/src/H5Oattr.c
++++ b/src/H5Oattr.c
+@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
+ 
+     /* Compute the size of the data */
+     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
++    /* Check if multiplication has overflown */
++    if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
++        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
+ 
+     /* Go get the data */
+     if(attr->shared->data_size) {
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
index 7b886a463..4110e9cea 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
@@ -17,6 +17,7 @@  SRC_URI = " \
     file://0001-cross-compiling-support.patch \
     file://0002-Remove-suffix-shared-from-shared-library-name.patch \
     file://0001-cmake-remove-build-flags.patch \
+    file://CVE-2021-37501.patch \
 "
 SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9"
 SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d"