From 85c5ee8738e446efc7a1c8affd023fd0990e5d05 Mon Sep 17 00:00:00 2001 From: wangxiao65 <287608437@qq.com> Date: Tue, 10 Nov 2020 09:26:13 +0800 Subject: [PATCH] fix cves --- CVE-2018-17233.patch | 88 ++++++++++ CVE-2018-17234.patch | 84 ++++++++++ CVE-2018-17237.patch | 247 ++++++++++++++++++++++++++++ CVE-2018-17434-CVE-2018-17437.patch | 200 ++++++++++++++++++++++ CVE-2018-17438.patch | 70 ++++++++ hdf5.spec | 17 +- 6 files changed, 700 insertions(+), 6 deletions(-) create mode 100644 CVE-2018-17233.patch create mode 100644 CVE-2018-17234.patch create mode 100644 CVE-2018-17237.patch create mode 100644 CVE-2018-17434-CVE-2018-17437.patch create mode 100644 CVE-2018-17438.patch diff --git a/CVE-2018-17233.patch b/CVE-2018-17233.patch new file mode 100644 index 0000000..0f2bd27 --- /dev/null +++ b/CVE-2018-17233.patch @@ -0,0 +1,88 @@ +From f891c38c6e724e9032a534512618b9650be76377 Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Fri, 4 Jan 2019 11:46:29 -0600 +Subject: [PATCH] Fixed CVE division-by-zero issues Description: Fixed + HDFFV-10577 and similar issues found in H5Dchunk.c. All the occurrences + are in: H5D__create_chunk_map_single + H5D__create_chunk_file_map_hyper H5D__chunk_allocate + H5D__chunk_update_old_edge_chunks H5D__chunk_prune_by_extent + H5D__chunk_copy_cb H5D__chunk_collective_fill Also updated + RELEASE.txt for the chunk query functions and removed some blank lines in + chunk_info.c. Platforms tested: Linux/64 (jelly) Linux/64 (platypus) + Darwin (osx1010test) + +--- + src/H5Dchunk.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c +index 021335f..1dc7a25 100644 +--- a/src/H5Dchunk.c ++++ b/src/H5Dchunk.c +@@ -1380,6 +1380,9 @@ H5D__create_chunk_map_single(H5D_chunk_map_t *fm, const H5D_io_info_t + + /* Set chunk location & hyperslab size */ + for(u = 0; u < fm->f_ndims; u++) { ++ /* Validate this chunk dimension */ ++ if(fm->layout->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u) + HDassert(sel_start[u] == sel_end[u]); + chunk_info->coords[u] = (sel_start[u] / fm->layout->u.chunk.dim[u]) * fm->layout->u.chunk.dim[u]; + } /* end for */ +@@ -1465,6 +1468,9 @@ H5D__create_chunk_file_map_hyper(H5D_chunk_map_t *fm, const H5D_io_info_t + + /* Set initial chunk location & hyperslab size */ + for(u = 0; u < fm->f_ndims; u++) { ++ /* Validate this chunk dimension */ ++ if(fm->layout->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", u) + start_coords[u] = (sel_start[u] / fm->layout->u.chunk.dim[u]) * fm->layout->u.chunk.dim[u]; + coords[u] = start_coords[u]; + end[u] = (coords[u] + fm->chunk_dim[u]) - 1; +@@ -3595,6 +3601,9 @@ H5D__chunk_allocate(const H5D_t *dset, hid_t dxpl_id, hbool_t full_overwrite, + * that we assume here that all elements of space_dim are > 0. This is + * checked at the top of this function */ + for(op_dim=0; op_dim 0, dim = %u ", op_dim) + min_unalloc[op_dim] = ((old_dim[op_dim] + chunk_dim[op_dim] - 1) + / chunk_dim[op_dim]) * chunk_dim[op_dim]; + max_unalloc[op_dim] = ((space_dim[op_dim] - 1) / chunk_dim[op_dim]) +@@ -3865,6 +3874,8 @@ H5D__chunk_collective_fill(const H5D_t *dset, hid_t dxpl_id, + HGOTO_ERROR(H5E_PLIST, H5E_CANTCOPY, FAIL, "can't copy property list") + + /* Distribute evenly the number of blocks between processes. */ ++ if(mpi_size == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "Resulted in division by zero") + num_blocks = chunk_info->num_io / mpi_size; /* value should be the same on all procs */ + + /* after evenly distributing the blocks between processes, are +@@ -4324,6 +4335,10 @@ H5D__chunk_prune_by_extent(H5D_t *dset, hid_t dxpl_id, const hsize_t *old_dim) + HDmemset(min_mod_chunk_off, 0, sizeof(min_mod_chunk_off)); + HDmemset(max_mod_chunk_off, 0, sizeof(max_mod_chunk_off)); + for(op_dim = 0; op_dim < space_ndims; op_dim++) { ++ /* Validate this chunk dimension */ ++ if(chunk_dim[op_dim] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "chunk size must be > 0, dim = %u ", op_dim) ++ + /* Calculate the largest offset of chunks that might need to be + * modified in this dimension */ + max_mod_chunk_off[op_dim] = chunk_dim[op_dim] * ((old_dim[op_dim] - 1) +@@ -4929,9 +4944,12 @@ H5D__chunk_copy_cb(const H5D_chunk_rec_t *chunk_rec, void *_udata) + /* (background buffer has already been zeroed out, if not expanding) */ + if(udata->cpy_info->expand_ref) { + size_t ref_count; ++ size_t dt_size; + + /* Determine # of reference elements to copy */ +- ref_count = nbytes / H5T_get_size(udata->dt_src); ++ if((dt_size = H5T_get_size(udata->dt_src)) == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, FAIL, "size must not be 0") ++ ref_count = nbytes / dt_size; + + /* Copy the reference elements */ + if(H5O_copy_expand_ref(udata->file_src, buf, udata->idx_info_dst->dxpl_id, udata->idx_info_dst->f, bkg, ref_count, H5T_get_ref_type(udata->dt_src), udata->cpy_info) < 0) +-- +2.23.0 + diff --git a/CVE-2018-17234.patch b/CVE-2018-17234.patch new file mode 100644 index 0000000..31d8937 --- /dev/null +++ b/CVE-2018-17234.patch @@ -0,0 +1,84 @@ +From f4138013dbc6851e968ea3d37b32776538ef306b Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Tue, 15 Jan 2019 13:07:22 -0600 +Subject: [PATCH] Fixed HDFFV-10578 + +Description: + - HDFFV-10578 - CVE-2018-17234 Memory leak in H5O__chunk_deserialize() + Actually, the leak was in h5tools_util. Applied Neil's fix. + - Changed an assert to if/HGOTO_ERROR to fail gracefully. +Platforms tested: + Linux/64 (jelly) + Linux/64 (platypus) + Darwin (osx1010test) +--- + src/H5Ocache.c | 3 ++- + src/H5VM.c | 2 +- + tools/lib/h5tools_utils.c | 17 ++++++++++++++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/H5Ocache.c b/src/H5Ocache.c +index ebae3f5..454b287 100644 +--- a/src/H5Ocache.c ++++ b/src/H5Ocache.c +@@ -1116,7 +1116,8 @@ H5O_chunk_deserialize(H5O_t *oh, haddr_t addr, size_t len, const uint8_t *image, + + /* Message size */ + UINT16DECODE(p, mesg_size); +- HDassert(mesg_size == H5O_ALIGN_OH(oh, mesg_size)); ++ if(mesg_size != H5O_ALIGN_OH(oh, mesg_size)) ++ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned") + + /* Message flags */ + flags = *p++; +diff --git a/src/H5VM.c b/src/H5VM.c +index 4e48001..db6362c 100644 +--- a/src/H5VM.c ++++ b/src/H5VM.c +@@ -1503,7 +1503,7 @@ done: + * + * Purpose: Given source and destination buffers in memory (SRC & DST) + * copy sequences of from the source buffer into the destination +- * buffer. Each set of sequnces has an array of lengths, an ++ * buffer. Each set of sequences has an array of lengths, an + * array of offsets, the maximum number of sequences and the + * current sequence to start at in the sequence. + * +diff --git a/tools/lib/h5tools_utils.c b/tools/lib/h5tools_utils.c +index 3f66ef6..2e19bfa 100644 +--- a/tools/lib/h5tools_utils.c ++++ b/tools/lib/h5tools_utils.c +@@ -562,6 +562,8 @@ herr_t + init_objs(hid_t fid, find_objs_t *info, table_t **group_table, + table_t **dset_table, table_t **type_table) + { ++ herr_t ret_value = SUCCEED; ++ + /* Initialize the tables */ + init_table(group_table); + init_table(dset_table); +@@ -574,7 +576,20 @@ init_objs(hid_t fid, find_objs_t *info, table_t **group_table, + info->dset_table = *dset_table; + + /* Find all shared objects */ +- return(h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info)); ++ if((ret_value = h5trav_visit(fid, "/", TRUE, TRUE, find_objs_cb, NULL, info)) <0) ++ HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "finding shared objects failed") ++ ++done: ++ /* Release resources */ ++ if(ret_value < 0) { ++ free_table(*group_table); ++ info->group_table = NULL; ++ free_table(*type_table); ++ info->type_table = NULL; ++ free_table(*dset_table); ++ info->dset_table = NULL; ++ } ++ return ret_value; + } + + +-- +2.23.0 + diff --git a/CVE-2018-17237.patch b/CVE-2018-17237.patch new file mode 100644 index 0000000..51d78e9 --- /dev/null +++ b/CVE-2018-17237.patch @@ -0,0 +1,247 @@ +From 4e31361dad4add06792b652dbe5b97e501f9031d Mon Sep 17 00:00:00 2001 +From: Songyu Lu +Date: Tue, 12 Feb 2019 13:48:49 -0600 +Subject: [PATCH] I'm bringing the fixes for the following Jira issues from the + develop branch to 1.10 branch: HDFFV-10571: Divided by Zero vulnerability. + HDFFV-10601: Issues with chunk cache hash value calcuation. HDFFV-10607: + Patches for warnings in the core libraries. HDFFV-10635: HDF5 library + segmentation fault with H5Sselect_element. + +--- + src/H5Dchunk.c | 3 ++ + src/H5HG.c | 8 +++- + src/H5Olayout.c | 8 +++- + src/H5RS.c | 4 +- + src/H5RSprivate.h | 2 +- + test/tvlstr.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 122 insertions(+), 5 deletions(-) + +diff --git a/src/H5Dchunk.c b/src/H5Dchunk.c +index 021335f..6183ad8 100644 +--- a/src/H5Dchunk.c ++++ b/src/H5Dchunk.c +@@ -641,6 +641,9 @@ H5D__chunk_set_info_real(H5O_layout_chunk_t *layout, unsigned ndims, const hsize + + /* Compute the # of chunks in dataset dimensions */ + for(u = 0, layout->nchunks = 1; u < ndims; u++) { ++ /* Sanity check */ ++ HDassert(layout->dim[u] > 0); ++ + /* Round up to the next integer # of chunks, to accomodate partial chunks */ + layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u]; + +diff --git a/src/H5HG.c b/src/H5HG.c +index 194e4eb..e07ca0e 100644 +--- a/src/H5HG.c ++++ b/src/H5HG.c +@@ -757,7 +757,13 @@ H5HG_remove (H5F_t *f, hid_t dxpl_id, H5HG_t *hobj) + HGOTO_ERROR(H5E_HEAP, H5E_CANTPROTECT, FAIL, "unable to protect global heap") + + HDassert(hobj->idx < heap->nused); +- HDassert(heap->obj[hobj->idx].begin); ++ /* When the application selects the same location to rewrite the VL element by using H5Sselect_elements, ++ * it can happen that the entry has been removed by first rewrite. Here we simply skip the removal of ++ * the entry and let the second rewrite happen (see HDFFV-10635). In the future, it'd be nice to handle ++ * this situation in H5T_conv_vlen in H5Tconv.c instead of this level (HDFFV-10648). */ ++ if(heap->obj[hobj->idx].nrefs == 0 && heap->obj[hobj->idx].size == 0 && !heap->obj[hobj->idx].begin) ++ HGOTO_DONE(ret_value) ++ + obj_start = heap->obj[hobj->idx].begin; + /* Include object header size */ + need = H5HG_ALIGN(heap->obj[hobj->idx].size) + H5HG_SIZEOF_OBJHDR(f); +diff --git a/src/H5Olayout.c b/src/H5Olayout.c +index 17385c2..3bbee12 100644 +--- a/src/H5Olayout.c ++++ b/src/H5Olayout.c +@@ -223,9 +223,15 @@ H5O_layout_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED * + H5F_addr_decode(f, &p, &(mesg->storage.u.chunk.idx_addr)); + + /* Chunk dimensions */ +- for(u = 0; u < mesg->u.chunk.ndims; u++) ++ for(u = 0; u < mesg->u.chunk.ndims; u++) { + UINT32DECODE(p, mesg->u.chunk.dim[u]); + ++ /* Just in case that something goes very wrong, such as file corruption. */ ++ if(mesg->u.chunk.dim[u] == 0) ++ HGOTO_ERROR(H5E_DATASET, H5E_BADVALUE, NULL, "chunk dimension must be positive: mesg->u.chunk.dim[%u] = %u", ++ u, mesg->u.chunk.dim[u]) ++ } /* end for */ ++ + /* Compute chunk size */ + for(u = 1, mesg->u.chunk.size = mesg->u.chunk.dim[0]; u < mesg->u.chunk.ndims; u++) + mesg->u.chunk.size *= mesg->u.chunk.dim[u]; +diff --git a/src/H5RS.c b/src/H5RS.c +index 0a3fff0..ae500c5 100644 +--- a/src/H5RS.c ++++ b/src/H5RS.c +@@ -137,7 +137,7 @@ done: + REVISION LOG + --------------------------------------------------------------------------*/ + H5RS_str_t * +-H5RS_wrap(char *s) ++H5RS_wrap(const char *s) + { + H5RS_str_t *ret_value; /* Return value */ + +@@ -148,7 +148,7 @@ H5RS_wrap(char *s) + HGOTO_ERROR(H5E_RS, H5E_NOSPACE, NULL, "memory allocation failed") + + /* Set the internal fields */ +- ret_value->s = s; ++ ret_value->s = (char *)s; + ret_value->wrapped = 1; + ret_value->n = 1; + +diff --git a/src/H5RSprivate.h b/src/H5RSprivate.h +index f69624a..1d26a18 100644 +--- a/src/H5RSprivate.h ++++ b/src/H5RSprivate.h +@@ -44,7 +44,7 @@ typedef struct H5RS_str_t H5RS_str_t; + /* Private routines */ + /********************/ + H5_DLL H5RS_str_t *H5RS_create(const char *s); +-H5_DLL H5RS_str_t *H5RS_wrap(char *s); ++H5_DLL H5RS_str_t *H5RS_wrap(const char *s); + H5_DLL H5RS_str_t *H5RS_own(char *s); + H5_DLL herr_t H5RS_decr(H5RS_str_t *rs); + H5_DLL herr_t H5RS_incr(H5RS_str_t *rs); +diff --git a/test/tvlstr.c b/test/tvlstr.c +index e5b2a60..bb860a2 100644 +--- a/test/tvlstr.c ++++ b/test/tvlstr.c +@@ -25,10 +25,14 @@ + + #define DATAFILE "tvlstr.h5" + #define DATAFILE2 "tvlstr2.h5" ++#define DATAFILE3 "sel2el.h5" ++ ++#define DATASET "1Darray" + + /* 1-D dataset with fixed dimensions */ + #define SPACE1_RANK 1 + #define SPACE1_DIM1 4 ++#define NUMP 4 + + #define VLSTR_TYPE "vl_string_type" + +@@ -846,6 +850,101 @@ static void test_vl_rewrite(void) + return; + } /* end test_vl_rewrite() */ + ++/**************************************************************** ++ ** ++ ** test_write_same_element(): ++ ** Tests writing to the same element of VL string using ++ ** H5Sselect_element. ++ ** ++ ****************************************************************/ ++static void test_write_same_element(void) ++{ ++ hid_t file1, dataset1; ++ hid_t mspace, fspace, dtype; ++ hsize_t fdim[] = {SPACE1_DIM1}; ++ char *val[SPACE1_DIM1] = {"But", "reuniting", "is a", "great joy"}; ++ hsize_t marray[] = {NUMP}; ++ hsize_t coord[SPACE1_RANK][NUMP]; ++ herr_t ret; ++ ++ char *wdata[SPACE1_DIM1] = {"Parting", "is such a", "sweet", "sorrow."}; ++ ++ file1 = H5Fcreate(DATAFILE3, H5F_ACC_TRUNC, H5P_DEFAULT, H5P_DEFAULT); ++ CHECK(file1, FAIL, "H5Fcreate"); ++ ++ dtype = H5Tcopy(H5T_C_S1); ++ CHECK(dtype, FAIL, "H5Tcopy"); ++ ++ ret = H5Tset_size(dtype, H5T_VARIABLE); ++ CHECK(ret, FAIL, "H5Tset_size"); ++ ++ fspace = H5Screate_simple(SPACE1_RANK, fdim, NULL); ++ CHECK(fspace, FAIL, "H5Screate_simple"); ++ ++ dataset1 = H5Dcreate(file1, DATASET, dtype, fspace, H5P_DEFAULT, ++ H5P_DEFAULT, H5P_DEFAULT); ++ CHECK(dataset1, FAIL, "H5Dcreate"); ++ ++ ret = H5Dwrite(dataset1, dtype, H5S_ALL, H5S_ALL, H5P_DEFAULT, wdata); ++ CHECK(ret, FAIL, "H5Dwrite"); ++ ++ ret = H5Dclose(dataset1); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Tclose(dtype); ++ CHECK(ret, FAIL, "H5Tclose"); ++ ++ ret = H5Sclose(fspace); ++ CHECK(ret, FAIL, "H5Sclose"); ++ ++ ret = H5Fclose(file1); ++ CHECK(ret, FAIL, "H5Fclose"); ++ ++ /* ++ * Open the file. Select the same points, write values to those point locations. ++ */ ++ file1 = H5Fopen(DATAFILE3, H5F_ACC_RDWR, H5P_DEFAULT); ++ CHECK(file1, FAIL, "H5Fopen"); ++ ++ dataset1 = H5Dopen(file1, DATASET, H5P_DEFAULT); ++ CHECK(dataset1, FAIL, "H5Dopen"); ++ ++ fspace = H5Dget_space(dataset1); ++ CHECK(fspace, FAIL, "H5Dget_space"); ++ ++ dtype = H5Dget_type(dataset1); ++ CHECK(dtype, FAIL, "H5Dget_type"); ++ ++ mspace = H5Screate_simple(1, marray, NULL); ++ CHECK(mspace, FAIL, "H5Screate_simple"); ++ ++ coord[0][0] = 0; ++ coord[0][1] = 2; ++ coord[0][2] = 2; ++ coord[0][3] = 0; ++ ++ ret = H5Sselect_elements(fspace, H5S_SELECT_SET, NUMP, (const hsize_t *)&coord); ++ CHECK(ret, FAIL, "H5Sselect_elements"); ++ ++ ret = H5Dwrite(dataset1, dtype, mspace, fspace, H5P_DEFAULT, val); ++ CHECK(ret, FAIL, "H5Dwrite"); ++ ++ ret = H5Tclose(dtype); ++ CHECK(ret, FAIL, "H5Tclose"); ++ ++ ret = H5Dclose(dataset1); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Sclose(fspace); ++ CHECK(ret, FAIL, "H5Dclose"); ++ ++ ret = H5Sclose(mspace); ++ CHECK(ret, FAIL, "H5Sclose"); ++ ++ ret = H5Fclose(file1); ++ CHECK(ret, FAIL, "H5Fclose"); ++} /* test_write_same_element */ ++ + /**************************************************************** + ** + ** test_vlstrings(): Main VL string testing routine. +@@ -870,6 +969,8 @@ test_vlstrings(void) + + /* Test writing VL datasets in files with lots of unlinking */ + test_vl_rewrite(); ++ /* Test writing to the same element more than once using H5Sselect_elements */ ++ test_write_same_element(); + } /* test_vlstrings() */ + + +@@ -892,5 +993,6 @@ cleanup_vlstrings(void) + { + HDremove(DATAFILE); + HDremove(DATAFILE2); ++ HDremove(DATAFILE3); + } + +-- +2.23.0 + diff --git a/CVE-2018-17434-CVE-2018-17437.patch b/CVE-2018-17434-CVE-2018-17437.patch new file mode 100644 index 0000000..b57c696 --- /dev/null +++ b/CVE-2018-17434-CVE-2018-17437.patch @@ -0,0 +1,200 @@ +From 02d03b4624122955ee3de635699a4e3880fea377 Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Wed, 30 Jan 2019 20:04:30 -0600 +Subject: [PATCH] Fixed HDFFV-10586, HDFFV-10588, and HDFFV-10684 + +Description: + HDFFV-10586 CVE-2018-17434 Divide by zero in h5repack_filters + Added a check for zero value + HDFFV-10588 CVE-2018-17437 Memory leak in H5O_dtype_decode_helper + This is actually an Invalid read issue. It was found that the + attribute name length in an attribute message was corrupted, + which caused the buffer pointer to be advanced too far and later + caused an invalid read. + Added a check to detect attribute name and its length mismatch. The + fix does not cover all cases, but it'll reduce the chance of this issue + when a name length is corrupted or the attribute name is corrupted. + HDFFV-10684 H5Ewalk does not stop until all errors in the stack are visited + The test for HDFFV-10588 has revealed a bug in H5Ewalk. + H5Ewalk did not stop midway even when the call back function returns + H5_ITER_STOP. This is because a condition is missing from the for + loops in H5E__walk causing the callback functions unable to stop until + all the errors in the stack are iterated. Quincey advised on the final + fix. In this fix, "status" is switched to "ret_value" and HGOTO_ERROR + to HERROR, and the for loops won't continue when "ret_value" is not 0. +Platforms tested: + Linux/64 (jelly) + Linux/64 (platypus) + Darwin (osx1011test) +--- + src/H5E.c | 6 ++--- + src/H5Eint.c | 37 ++++++++++++++----------------- + src/H5Oattr.c | 5 +++++ + tools/h5repack/h5repack_filters.c | 6 +++-- + 4 files changed, 29 insertions(+), 25 deletions(-) + +diff --git a/src/H5E.c b/src/H5E.c +index a94c5bc..e8da166 100644 +--- a/src/H5E.c ++++ b/src/H5E.c +@@ -1471,7 +1471,7 @@ done: + * + * Purpose: Prints the error stack in some default way. This is just a + * convenience function for H5Ewalk() with a function that +- * prints error messages. Users are encouraged to write there ++ * prints error messages. Users are encouraged to write their + * own more specific error handlers. + * + * Return: Non-negative on success/Negative on failure +@@ -1553,8 +1553,8 @@ H5Ewalk2(hid_t err_stack, H5E_direction_t direction, H5E_walk2_t stack_func, voi + /* Walk the error stack */ + op.vers = 2; + op.u.func2 = stack_func; +- if(H5E_walk(estack, direction, &op, client_data) < 0) +- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack") ++ if((ret_value = H5E_walk(estack, direction, &op, client_data)) < 0) ++ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack"); + + done: + FUNC_LEAVE_API(ret_value) +diff --git a/src/H5Eint.c b/src/H5Eint.c +index 636866b..85edb90 100644 +--- a/src/H5Eint.c ++++ b/src/H5Eint.c +@@ -442,13 +442,13 @@ done: + /*------------------------------------------------------------------------- + * Function: H5E_print + * +- * Purpose: Private function to print the error stack in some default ++ * Purpose: Private function to print the error stack in some default + * way. This is just a convenience function for H5Ewalk() and + * H5Ewalk2() with a function that prints error messages. +- * Users are encouraged to write there own more specific error ++ * Users are encouraged to write their own more specific error + * handlers. + * +- * Return: Non-negative on success/Negative on failure ++ * Return: Non-negative on success/Negative on failure + * + * Programmer: Robb Matzke + * Friday, February 27, 1998 +@@ -533,9 +533,8 @@ herr_t + H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op, + void *client_data) + { +- int i; /* Local index variable */ +- herr_t status; /* Status from callback function */ +- herr_t ret_value = SUCCEED; /* Return value */ ++ int i; /* Local index variable */ ++ herr_t ret_value = H5_ITER_CONT; /* Return value */ + + FUNC_ENTER_NOAPI_NOINIT + +@@ -553,9 +552,8 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op + if(op->u.func1) { + H5E_error1_t old_err; + +- status = SUCCEED; + if(H5E_WALK_UPWARD == direction) { +- for(i = 0; i < (int)estack->nused && status >= 0; i++) { ++ for(i = 0; i < (int)estack->nused && ret_value == H5_ITER_CONT; i++) { + /* Point to each error record on the stack and pass it to callback function.*/ + old_err.maj_num = estack->slot[i].maj_num; + old_err.min_num = estack->slot[i].min_num; +@@ -564,12 +562,12 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op + old_err.desc = estack->slot[i].desc; + old_err.line = estack->slot[i].line; + +- status = (op->u.func1)(i, &old_err, client_data); ++ ret_value = (op->u.func1)(i, &old_err, client_data); + } /* end for */ + } /* end if */ + else { + H5_CHECK_OVERFLOW(estack->nused - 1, size_t, int); +- for(i = (int)(estack->nused - 1); i >= 0 && status >= 0; i--) { ++ for(i = (int)(estack->nused - 1); i >= 0 && ret_value == H5_ITER_CONT; i--) { + /* Point to each error record on the stack and pass it to callback function.*/ + old_err.maj_num = estack->slot[i].maj_num; + old_err.min_num = estack->slot[i].min_num; +@@ -578,12 +576,12 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op + old_err.desc = estack->slot[i].desc; + old_err.line = estack->slot[i].line; + +- status = (op->u.func1)((int)(estack->nused - (size_t)(i + 1)), &old_err, client_data); ++ ret_value = (op->u.func1)((int)(estack->nused - (size_t)(i + 1)), &old_err, client_data); + } /* end for */ + } /* end else */ + +- if(status < 0) +- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack") ++ if(ret_value < 0) ++ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack"); + } /* end if */ + #else /* H5_NO_DEPRECATED_SYMBOLS */ + HDassert(0 && "version 1 error stack walk without deprecated symbols!"); +@@ -592,19 +590,18 @@ H5E_walk(const H5E_t *estack, H5E_direction_t direction, const H5E_walk_op_t *op + else { + HDassert(op->vers == 2); + if(op->u.func2) { +- status = SUCCEED; + if(H5E_WALK_UPWARD == direction) { +- for(i = 0; i < (int)estack->nused && status >= 0; i++) +- status = (op->u.func2)((unsigned)i, estack->slot + i, client_data); ++ for(i = 0; i < (int)estack->nused && ret_value == H5_ITER_CONT; i++) ++ ret_value = (op->u.func2)((unsigned)i, estack->slot + i, client_data); + } /* end if */ + else { + H5_CHECK_OVERFLOW(estack->nused - 1, size_t, int); +- for(i = (int)(estack->nused - 1); i >= 0 && status >= 0; i--) +- status = (op->u.func2)((unsigned)(estack->nused - (size_t)(i + 1)), estack->slot + i, client_data); ++ for(i = (int)(estack->nused - 1); i >= 0 && ret_value == H5_ITER_CONT; i--) ++ ret_value = (op->u.func2)((unsigned)(estack->nused - (size_t)(i + 1)), estack->slot + i, client_data); + } /* end else */ + +- if(status < 0) +- HGOTO_ERROR(H5E_ERROR, H5E_CANTLIST, FAIL, "can't walk error stack") ++ if(ret_value < 0) ++ HERROR(H5E_ERROR, H5E_CANTLIST, "can't walk error stack"); + } /* end if */ + } /* end else */ + +diff --git a/src/H5Oattr.c b/src/H5Oattr.c +index 149f04a..a8d2a31 100644 +--- a/src/H5Oattr.c ++++ b/src/H5Oattr.c +@@ -175,6 +175,11 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED + /* Decode and store the name */ + if(NULL == (attr->shared->name = H5MM_strdup((const char *)p))) + HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") ++ ++ /* Make an attempt to detect corrupted name or name length - HDFFV-10588 */ ++ if(name_len != (HDstrlen(attr->shared->name) + 1)) ++ HGOTO_ERROR(H5E_ATTR, H5E_CANTDECODE, NULL, "attribute name has different length than stored length") ++ + if(attr->shared->version < H5O_ATTR_VERSION_2) + p += H5O_ALIGN_OLD(name_len); /* advance the memory pointer */ + else +diff --git a/tools/h5repack/h5repack_filters.c b/tools/h5repack/h5repack_filters.c +index 523f81a..1eea3e9 100644 +--- a/tools/h5repack/h5repack_filters.c ++++ b/tools/h5repack/h5repack_filters.c +@@ -333,12 +333,14 @@ int apply_filters(const char* name, /* object name from traverse list */ + + sm_nbytes = msize; + for (i = rank; i > 0; --i) { +- hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes; ++ hsize_t size = 0; ++ if(sm_nbytes == 0) ++ HGOTO_ERROR(FAIL, H5E_tools_min_id_g, "number of bytes per stripmine must be > 0"); ++ size = H5TOOLS_BUFSIZE / sm_nbytes; + if (size == 0) /* datum size > H5TOOLS_BUFSIZE */ + size = 1; + sm_size[i - 1] = MIN(dims[i - 1], size); + sm_nbytes *= sm_size[i - 1]; +- HDassert(sm_nbytes > 0); + } + + for (i = 0; i < rank; i++) { +-- +2.23.0 + diff --git a/CVE-2018-17438.patch b/CVE-2018-17438.patch new file mode 100644 index 0000000..ba973fd --- /dev/null +++ b/CVE-2018-17438.patch @@ -0,0 +1,70 @@ +From 7add52ff4f2443357648d53d52add274d1b18b5f Mon Sep 17 00:00:00 2001 +From: Binh-Minh Ribler +Date: Wed, 20 Mar 2019 14:03:48 -0500 +Subject: [PATCH] Fixed HDFFV-10210 and HDFFV-10587 Description: - Added + parameter validation (HDFFV-10210) - Added detection of division by zero + (HDFFV-10587 - CVE-2018-17438) - Fixed typos in various tests Platforms + tested: Linux/64 (jelly) Linux/64 (platypus) Darwin (osx1011test) + +--- + src/H5Dselect.c | 2 ++ + src/H5I.c | 3 +++ + test/tid.c | 15 +++++++++++++++ + 3 files changed, 20 insertions(+) + +diff --git a/src/H5Dselect.c b/src/H5Dselect.c +index 7e86b9d..84cd849 100644 +--- a/src/H5Dselect.c ++++ b/src/H5Dselect.c +@@ -220,6 +220,8 @@ H5D__select_io(const H5D_io_info_t *io_info, size_t elmt_size, + + /* Decrement number of elements left to process */ + HDassert(((size_t)tmp_file_len % elmt_size) == 0); ++ if(elmt_size == 0) ++ HGOTO_ERROR(H5E_DATASPACE, H5E_BADVALUE, FAIL, "Resulted in division by zero") + nelmts -= ((size_t)tmp_file_len / elmt_size); + } /* end while */ + } /* end else */ +diff --git a/src/H5I.c b/src/H5I.c +index 2a4a38c..5cc8e69 100644 +--- a/src/H5I.c ++++ b/src/H5I.c +@@ -406,6 +406,9 @@ H5Itype_exists(H5I_type_t type) + FUNC_ENTER_API(FAIL) + H5TRACE1("t", "It", type); + ++ if(H5I_IS_LIB_TYPE(type)) ++ HGOTO_ERROR(H5E_ATOM, H5E_BADGROUP, FAIL, "cannot call public function on library type") ++ + if(type <= H5I_BADID || type >= H5I_next_type) + HGOTO_ERROR(H5E_ARGS, H5E_BADRANGE, FAIL, "invalid type number") + +diff --git a/test/tid.c b/test/tid.c +index c98514b..aca32fd 100644 +--- a/test/tid.c ++++ b/test/tid.c +@@ -224,6 +224,21 @@ static int basic_id_test(void) + goto out; + H5E_END_TRY + ++ /* Test that H5Itype_exists cannot be called on library types because ++ * it is a public function ++ */ ++ H5E_BEGIN_TRY ++ err = H5Itype_exists(H5I_GROUP); ++ if(err >= 0) ++ goto out; ++ H5E_END_TRY ++ ++ H5E_BEGIN_TRY ++ err = H5Itype_exists(H5I_ATTR); ++ if(err >= 0) ++ goto out; ++ H5E_END_TRY ++ + return 0; + + out: +-- +2.23.0 + diff --git a/hdf5.spec b/hdf5.spec index db8688d..2189115 100644 --- a/hdf5.spec +++ b/hdf5.spec @@ -1,15 +1,20 @@ Name: hdf5 Version: 1.8.20 -Release: 8 +Release: 9 Summary: A data model, library, and file format for storing and managing data License: BSD -URL: https://portal.hdfgroup.org/display/HDF5/HDF5 +URL: https://portal.hdfgroup.org/display/HDF5/HDF5 Source0: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.8/hdf5-1.8.20/src/hdf5-1.8.20.tar.bz2 Patch0: hdf5-LD_LIBRARY_PATH.patch Patch1: hdf5-mpi.patch Patch2: hdf5-ldouble-ppc64le.patch +Patch3: CVE-2018-17233.patch +Patch4: CVE-2018-17234.patch +Patch5: CVE-2018-17237.patch +Patch6: CVE-2018-17434-CVE-2018-17437.patch +Patch7: CVE-2018-17438.patch BuildRequires: gcc, gcc-c++ BuildRequires: krb5-devel, openssl-devel, zlib-devel, gcc-gfortran, time @@ -31,10 +36,7 @@ Requires: gcc-gfortran%{?_isa} HDF5 development headers and libraries. %prep -%setup -q -n %{name}-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 +%autosetup -n %{name}-%{version} -p1 sed -i -e '/^STATIC_AVAILABLE=/s/=.*/=no/' */*/h5[cf]*.in autoreconf -f -i @@ -154,6 +156,9 @@ make -C build check %{_rpmmacrodir}/macros.hdf5 %changelog +* Mon Nov 9 2020 wangxiao - 1.8.20-9 +- fix CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437 CVE-2018-17438 + * Thu Sep 17 2020 shaoqiang kang - 1.8.20-8 - Modify source0 -- Gitee