Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix divide-by-zero when page buf page size is 0 #4296

Merged
merged 2 commits into from
Apr 1, 2024

Conversation

derobins
Copy link
Member

@derobins derobins commented Apr 1, 2024

If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message.

Fixes oss-fuzz issue 58762

If a corrupt file sets the page buffer size in the superblock to zero,
the library could attempt to divide by zero when allocating space in
the file. The library now checks for valid page buffer sizes when
reading the superblock message.

Fixes oss-fuzz issue 58762
@derobins derobins added Merge - To 1.14 Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub labels Apr 1, 2024
@@ -606,8 +606,10 @@ H5MF__sect_small_add(H5FS_section_info_t **_sect, unsigned *flags, void *_udata)
HGOTO_DONE(ret_value);

sect_end = (*sect)->sect_info.addr + (*sect)->sect_info.size;
rem = sect_end % udata->f->shared->fs_page_size;
prem = udata->f->shared->fs_page_size - rem;
if (0 == udata->f->shared->fs_page_size)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could this be an assertion, since we already checked it when reading the file?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer to not use asserts for error checking, aside from verifying input parameters, since a bunch of the CVE fixes have involved switching an assert out for real error checking (as here, in H5Fsuper.c). What if there were an overflow and something scribbled 0s on the struct member?

Copy link
Member

@fortnern fortnern Apr 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not practical to protect against those types of memory errors by checking for their effects. I feel strongly that asserts should be used for these sorts of internal consistency checks, otherwise we'd have to use error checks everywhere at a substantial performance penalty

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementing a policy that internal consistency checks should be error checks and not asserts also creates an incentive to not add internal consistency checks.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed with @fortnern's points and I'd make the argument that asserts are exactly the appropriate tool to use when checking for something that may have overflowed. That's an internal consistency check for something that should not happen. Throwing an error in that case is nothing more than confusing.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can switch it to an assert, but I'm a fan of "test what you ship" vs. "debug builds have the error checks". Also, our intuition for "should not happen" isn't always great, as we've had to switch asserts to real error checking to fix multiple issues, some of which were CVEs (again, as in this PR).

I also seriously doubt a couple of extra if statements are going to cause significant overhead. The vast majority of non-trivial statements in our library involve a bonus if check.

@derobins derobins merged commit a314a7a into HDFGroup:develop Apr 1, 2024
@qkoziol
Copy link
Contributor

qkoziol commented Apr 2, 2024

Generally speaking, I'm trending toward: "use errors for things that happen outside your code (file not found, bad user argument, out of memory, etc) and use asserts for things you do to yourself inside your code (weird, that shouldn't happen!)"

If you are confused about the state of your code, it's probably an assertion issue and you shouldn't really trust throwing an error - there's nothing the user can do about your code being wrong. Errors should be for things that users can do something about.

Unfortunately, we need to treat "the file got corrupted" as an error (done to us), where we previously (naively) thought it was an assertion issue (done to ourselves).

lrknox pushed a commit to lrknox/hdf5 that referenced this pull request Apr 3, 2024
If a corrupt file sets the page buffer size in the superblock to zero,
the library could attempt to divide by zero when allocating space in
the file. The library now checks for valid page buffer sizes when
reading the superblock message.

Fixes oss-fuzz issue 58762
lrknox added a commit that referenced this pull request Apr 3, 2024
* Fix divide-by-zero when page buf page size is 0 (#4296)

If a corrupt file sets the page buffer size in the superblock to zero,
the library could attempt to divide by zero when allocating space in
the file. The library now checks for valid page buffer sizes when
reading the superblock message.

Fixes oss-fuzz issue 58762

* Fix typo - Cnversion (#4301)

* Bump the github-actions group with 3 updates (#4300)

Bumps the github-actions group with 3 updates: [actions/download-artifact](https://github.com/actions/download-artifact), [softprops/action-gh-release](https://github.com/softprops/action-gh-release) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `actions/download-artifact` from 4.1.1 to 4.1.4
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4.1.1...c850b93)

Updates `softprops/action-gh-release` from 1 to 2
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@de2c0eb...9d7c94c)

Updates `github/codeql-action` from 3.24.6 to 3.24.9
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@8a470fd...1b1aada)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix typo - glueing (#4299)

* Prepend MPI_TEST_ to parallel example test names (#4306)

* Report build options of VFDs (#4304)

* changed to if string contains instead

* return status of VFDs in libhdf5.settings

* use *_ENABLE_* settings instead to report the state

* added map state

* updated resetting status if cmake option fails

* PR merge workflows (#4303)

* Merge the Test Express workflows into the PR CI

* Split merge request triggers into autotools vs cmake

* Fix typo - differetly (#4311)

* Fix README badges (#4313)

* Remove old wait_H5Tinit.cmake file (#4314)

* Update branch names: develop=>hdf5_1_14 in 2 new workflows merged from
develop.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub
Projects
Status: Needs Merged
Development

Successfully merging this pull request may close these issues.

6 participants