hdf5: Fix CVE-2021-37501

Backport a patch [1] to fix CVE-2021-37501. [1] https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Mingli Yu <mingli.yu@windriver.com> 2023-09-11 14:54:00 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-09-19 07:55:11 -0400
commit: 04423e6ee7c1f90db38dd4bff8b1261b638c0774 (patch)
tree: 12e3bdef5a89b590b3c47973e6dbe533b6150914
parent: a88cb922f91fda95e8a584cee3092083d5ad3e98 (diff)
download: meta-openembedded-04423e6ee7c1f90db38dd4bff8b1261b638c0774.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
new file mode 100644
index 0000000000..01099f3438
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
@@ -0,0 +1,37 @@
+From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Mon, 11 Sep 2023 14:01:37 +0800
+Subject: [PATCH] Check for overflow when calculating on-disk attribute data
+ size
+Bogus sizes in this test case causes the on-disk data size
+calculation in H5O_attr_decode() to overflow so that the
+calculated size becomes 0. This causes the read to overflow
+and h5dump to segfault.
+CVE: CVE-2021-37501
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/H5Oattr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/H5Oattr.c b/src/H5Oattr.c
+index c2c0fe3..c289344 100644
+--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
+@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
+ 
+     /* Compute the size of the data */
+     H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
+    /* Check if multiplication has overflown */
+    if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
+        HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
+ 
+     /* Go get the data */
+     if(attr->shared->data_size) {
+-- 
+2.25.1
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
index 7b886a4635..4110e9cea4 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
    file://0001-cross-compiling-support.patch \
    file://0002-Remove-suffix-shared-from-shared-library-name.patch \
    file://0001-cmake-remove-build-flags.patch \
+    file://CVE-2021-37501.patch \
 "
 SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9"
 SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d"
author	Mingli Yu <mingli.yu@windriver.com>	2023-09-11 14:54:00 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-09-19 07:55:11 -0400
commit	04423e6ee7c1f90db38dd4bff8b1261b638c0774 (patch)
tree	12e3bdef5a89b590b3c47973e6dbe533b6150914
parent	a88cb922f91fda95e8a584cee3092083d5ad3e98 (diff)
download	meta-openembedded-04423e6ee7c1f90db38dd4bff8b1261b638c0774.tar.gz

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch new file mode 100644 index 0000000000..01099f3438 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch
@@ -0,0 +1,37 @@
		1	From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
		2	From: Mingli Yu <mingli.yu@windriver.com>
		3	Date: Mon, 11 Sep 2023 14:01:37 +0800
		4	Subject: [PATCH] Check for overflow when calculating on-disk attribute data
		5	size
		6
		7	Bogus sizes in this test case causes the on-disk data size
		8	calculation in H5O_attr_decode() to overflow so that the
		9	calculated size becomes 0. This causes the read to overflow
		10	and h5dump to segfault.
		11
		12	CVE: CVE-2021-37501
		13
		14	Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
		15
		16	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		17	---
		18	src/H5Oattr.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/src/H5Oattr.c b/src/H5Oattr.c
		22	index c2c0fe3..c289344 100644
		23	--- a/src/H5Oattr.c
		24	+++ b/src/H5Oattr.c
		25	@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t f, hid_t dxpl_id, H5O_t open_oh, unsigned H5_ATTR_UNUSED
		26
		27	/* Compute the size of the data */
		28	H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
		29	+ /* Check if multiplication has overflown */
		30	+ if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
		31	+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
		32
		33	/* Go get the data */
		34	if(attr->shared->data_size) {
		35	--
		36	2.25.1
		37


diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb index 7b886a4635..4110e9cea4 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
17	file://0001-cross-compiling-support.patch \	17	file://0001-cross-compiling-support.patch \
18	file://0002-Remove-suffix-shared-from-shared-library-name.patch \	18	file://0002-Remove-suffix-shared-from-shared-library-name.patch \
19	file://0001-cmake-remove-build-flags.patch \	19	file://0001-cmake-remove-build-flags.patch \
		20	file://CVE-2021-37501.patch \
20	"	21	"
21	SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9"	22	SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9"
22	SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d"	23	SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d"