[CVE-2021-37501] buffer overflow in h5dump #2458
Comments
…roup#2459) A bogus hdf5 file may contain dataspace messages with sizes which cause the on-disk data sizes to exceed what is addressable. When calculating the size, make sure the multiplication does not overflow. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug HDFGroup#2458. Signed-off-by: Egbert Eich <[email protected]>
…roup#2458) A bogus hdf5 file may contain dataspace messages with sizes which cause the on-disk data sizes to exceed what is addressable. When calculating the size, make sure the multiplication does not overflow. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug HDFGroup#2458. Signed-off-by: Egbert Eich <[email protected]>
…roup#2456) A bogus hdf5 file may contain dataspace messages with sizes which cause the on-disk data sizes to exceed what is addressable. When calculating the size, make sure the multiplication does not overflow. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug HDFGroup#2458. Signed-off-by: Egbert Eich <[email protected]>
https://build.opensuse.org/request/show/1066251 by user eeich + dimstar_suse - Fix CVE-2021-37501 - overflow in calculation of data buffer due to bogus input file (bsc#1207973). HDFGroup/hdf5#2458 HDFGroup/hdf5#2459 Check-for-overflow-when-calculating-on-disk-attribute-data-size-2459.patch Remove-duplicate-code.patch (forwarded request 1066178 from eeich)
…roup#2459) A bogus hdf5 file may contain dataspace messages with sizes which cause the on-disk data sizes to exceed what is addressable. When calculating the size, make sure the multiplication hasn't overflowed. The test case was crafted in a way that the overflow caused the size to be 0. This fixes CVE-2021-37501 / Bug HDFGroup#2458. Signed-off-by: Egbert Eich <[email protected]> Co-authored-by: Allen Byrne <[email protected]>
Does the version 1.8.21 have the CVE-2021-37501 issue? Thanks!
Unfortunately, we no longer support HDF5 1.8
Could you help hint if the CVE-2021-37501 issue exists in hdf5 1.8.21 or not? Thanks!
@Mingli-Yu, yes, this CVE issue exists in the 1.8.21 release, as well as 1.8.22 and 1.8.23.
The reproducer file can be found here
Describe the bug
CVE-2021-37501 (GHSA-rfgw-5vq3-wrjf) describes a buffer overflow in h5dump; a reproducer and description can be found at https://github.com/ST4RF4LL/Something_Found.
The root cause is an artificially large size of a dimension in a dataspace message, which causes the size of the on-disk data to exceed the addressable range and thus causes a multiplication to overflow.
In src/H5Oattr.c:H5O__attr_decode(), with ds_size set to 4611686018427387904 (0x4000000000000000) and dt_size equal to 8, the multiplication of these two values overflows and is truncated to 0.
Since there is no provision to detect the overflow, the size is underestimated, which finally leads to a heap buffer overflow when the data is read, followed by a segfault.
Expected behavior
The size overflow should be detected and the respective decode function should report an error so that the caller will terminate gracefully.
Platform
configure --enable-fortran --enable-unsupported --enable-hl --enable-shared --enable-threadsafe --enable-build-mode=production --enable-cxx --with-pthread
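As an added illustration of the size computation this report describes (this is example code written for this page, not HDF5's own source; the function names compute_data_size_unchecked, compute_data_size_checked and decode_attr_size are hypothetical), the block below shows the unchecked product of a dataspace element count and a datatype size wrapping to 0 for the values quoted in the report, next to a checked variant that refuses the product instead of handing an underestimated size to the caller:

```c
/* Added example, not HDF5 code: overflow-checked computation of an
 * on-disk attribute data size. Function names are hypothetical. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the bug report: a bogus dataspace with 2^62 elements
 * and an 8-byte datatype. */
#define BOGUS_DS_SIZE 4611686018427387904ULL /* 0x4000000000000000 */
#define BOGUS_DT_SIZE 8ULL

enum decode_status { DECODE_OK = 0, DECODE_ERR_OVERFLOW = -1 };

/* Unchecked form: the product 2^62 * 8 = 2^65 wraps modulo 2^64 and
 * comes out as 0, which is what the report observes. */
size_t compute_data_size_unchecked(uint64_t ds_size, uint64_t dt_size)
{
    return (size_t)ds_size * (size_t)dt_size;
}

/* Checked form: returns false when the product cannot be represented,
 * leaving *out untouched so the caller never sees a wrapped value. */
bool compute_data_size_checked(uint64_t ds_size, uint64_t dt_size, size_t *out)
{
    if (ds_size == 0 || dt_size == 0) {
        *out = 0;
        return true;
    }
    /* Division test: a * b overflows uint64_t iff a > UINT64_MAX / b. */
    if (ds_size > UINT64_MAX / dt_size)
        return false;
    uint64_t product = ds_size * dt_size;
    /* On hosts where size_t is narrower than 64 bits the product may
     * still not fit the allocation type. */
    if (product > (uint64_t)SIZE_MAX)
        return false;
    *out = (size_t)product;
    return true;
}

/* Mirrors the behaviour the report asks for: the decode step reports an
 * error on overflow so that the caller can terminate gracefully instead
 * of allocating an undersized buffer. */
int decode_attr_size(uint64_t ds_size, uint64_t dt_size, size_t *data_size)
{
    if (!compute_data_size_checked(ds_size, dt_size, data_size)) {
        fprintf(stderr,
                "attribute data size overflows: %" PRIu64 " elements x %" PRIu64
                " bytes\n", ds_size, dt_size);
        return DECODE_ERR_OVERFLOW;
    }
    return DECODE_OK;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked size for bogus file: %zu\n",
           compute_data_size_unchecked(BOGUS_DS_SIZE, BOGUS_DT_SIZE));
    printf("checked decode status for bogus file: %d\n",
           decode_attr_size(BOGUS_DS_SIZE, BOGUS_DT_SIZE, &n));
    printf("checked decode status for 1024 x 8: %d (size %zu)\n",
           decode_attr_size(1024, 8, &n), n);
    return 0;
}
```

The division-based test is the portable way to write the check; on GCC and Clang the same decision can be made with __builtin_mul_overflow(). The point to carry over to any parser of attacker-supplied sizes is that the checked variant fails closed: a size that cannot be represented is an error, never a small number.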