Skip to content

Commit

Permalink
Fix heap-buffer-overflow in H5Fio.c (HDFGroup#4450)
Browse files Browse the repository at this point in the history
The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix HDFGroupgh-4434
  • Loading branch information
bmribler authored and byrnHDF committed May 14, 2024
1 parent afb9f22 commit 38e454c
Show file tree
Hide file tree
Showing 9 changed files with 89 additions and 42 deletions.
18 changes: 12 additions & 6 deletions src/H5B2cache.c
Original file line number Diff line number Diff line change
Expand Up @@ -194,17 +194,19 @@ H5B2__cache_hdr_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNUSE
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_BTREE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5B2__cache_hdr_verify_chksum() */

Expand Down Expand Up @@ -557,7 +559,7 @@ H5B2__cache_int_verify_chksum(const void *_image, size_t H5_ATTR_UNUSED len, voi
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);
Expand All @@ -568,11 +570,13 @@ H5B2__cache_int_verify_chksum(const void *_image, size_t H5_ATTR_UNUSED len, voi
((size_t)(udata->nrec + 1) * H5B2_INT_POINTER_SIZE(udata->hdr, udata->depth));

/* Get stored and computed checksums */
H5F_get_checksums(image, chk_size, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, chk_size, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_BTREE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5B2__cache_int_verify_chksum() */

Expand Down Expand Up @@ -956,7 +960,7 @@ H5B2__cache_leaf_verify_chksum(const void *_image, size_t H5_ATTR_UNUSED len, vo
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);
Expand All @@ -966,11 +970,13 @@ H5B2__cache_leaf_verify_chksum(const void *_image, size_t H5_ATTR_UNUSED len, vo
chk_size = H5B2_LEAF_PREFIX_SIZE + (udata->nrec * udata->hdr->rrec_size);

/* Get stored and computed checksums */
H5F_get_checksums(image, chk_size, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, chk_size, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_BTREE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5B2__cache_leaf_verify_chksum() */

Expand Down
30 changes: 20 additions & 10 deletions src/H5EAcache.c
Original file line number Diff line number Diff line change
Expand Up @@ -249,17 +249,19 @@ H5EA__cache_hdr_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNUSE
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_EARRAY, H5E_CANTDECODE, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5EA__cache_hdr_verify_chksum() */

Expand Down Expand Up @@ -639,17 +641,19 @@ H5EA__cache_iblock_verify_chksum(const void *_image, size_t len, void H5_ATTR_UN
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_EARRAY, H5E_CANTDECODE, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5EA__cache_iblock_verify_chksum() */

Expand Down Expand Up @@ -1039,17 +1043,19 @@ H5EA__cache_sblock_verify_chksum(const void *_image, size_t len, void H5_ATTR_UN
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_EARRAY, H5E_CANTDECODE, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5EA__cache_sblock_verify_chksum() */

Expand Down Expand Up @@ -1445,17 +1451,19 @@ H5EA__cache_dblock_verify_chksum(const void *_image, size_t len, void H5_ATTR_UN
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_EARRAY, H5E_CANTDECODE, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5EA__cache_sblock_verify_chksum() */

Expand Down Expand Up @@ -1866,17 +1874,19 @@ H5EA__cache_dblk_page_verify_chksum(const void *_image, size_t len, void H5_ATTR
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_EARRAY, H5E_CANTDECODE, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5EA__cache_dblk_page_verify_chksum() */

Expand Down
18 changes: 12 additions & 6 deletions src/H5FAcache.c
Original file line number Diff line number Diff line change
Expand Up @@ -195,17 +195,19 @@ H5FA__cache_hdr_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNUSE
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FARRAY, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5FA__cache_hdr_verify_chksum() */

Expand Down Expand Up @@ -578,17 +580,19 @@ H5FA__cache_dblock_verify_chksum(const void *_image, size_t len, void H5_ATTR_UN
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FARRAY, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5FA__cache_dblock_verify_chksum() */

Expand Down Expand Up @@ -980,17 +984,19 @@ H5FA__cache_dblk_page_verify_chksum(const void *_image, size_t len, void H5_ATTR
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FARRAY, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5FA__cache_dblk_page_verify_chksum() */

Expand Down
12 changes: 8 additions & 4 deletions src/H5FScache.c
Original file line number Diff line number Diff line change
Expand Up @@ -184,17 +184,19 @@ H5FS__cache_hdr_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNUSE
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FSPACE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5FS__cache_hdr_verify_chksum() */

Expand Down Expand Up @@ -887,17 +889,19 @@ H5FS__cache_sinfo_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNU
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FSPACE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5FS__cache_sinfo_verify_chksum() */

Expand Down
11 changes: 9 additions & 2 deletions src/H5Fio.c
Original file line number Diff line number Diff line change
Expand Up @@ -498,12 +498,18 @@ H5F__evict_cache_entries(H5F_t *f)
herr_t
H5F_get_checksums(const uint8_t *buf, size_t buf_size, uint32_t *s_chksum /*out*/, uint32_t *c_chksum /*out*/)
{
FUNC_ENTER_NOAPI_NOINIT_NOERR
herr_t ret_value = SUCCEED;

FUNC_ENTER_NOAPI_NOINIT

/* Check arguments */
assert(buf);
assert(buf_size);

/* Check for buffer size smaller than H5_SIZEOF_CHKSUM */
if (buf_size < H5_SIZEOF_CHKSUM)
HGOTO_ERROR(H5E_IO, H5E_BADVALUE, FAIL, "checksum buffer is smaller than expected");

/* Return the stored checksum */
if (s_chksum) {
const uint8_t *chk_p; /* Pointer into raw data buffer */
Expand All @@ -519,5 +525,6 @@ H5F_get_checksums(const uint8_t *buf, size_t buf_size, uint32_t *s_chksum /*out*
if (c_chksum)
*c_chksum = H5_checksum_metadata(buf, buf_size - H5_SIZEOF_CHKSUM, 0);

FUNC_LEAVE_NOAPI(SUCCEED)
done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5F_get_chksums() */
6 changes: 4 additions & 2 deletions src/H5Fsuper_cache.c
Original file line number Diff line number Diff line change
Expand Up @@ -371,7 +371,7 @@ H5F__cache_superblock_verify_chksum(const void *_image, size_t len, void *_udata
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true;

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

assert(image);
assert(udata);
Expand All @@ -380,12 +380,14 @@ H5F__cache_superblock_verify_chksum(const void *_image, size_t len, void *_udata
if (udata->super_vers >= HDF5_SUPERBLOCK_VERSION_2) {

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_FILE, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;
}

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5F__cache_superblock_verify_chksum() */

Expand Down
12 changes: 8 additions & 4 deletions src/H5HFcache.c
Original file line number Diff line number Diff line change
Expand Up @@ -412,17 +412,19 @@ H5HF__cache_hdr_verify_chksum(const void *_image, size_t len, void H5_ATTR_UNUSE
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_HEAP, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5HF__cache_hdr_verify_chksum() */

Expand Down Expand Up @@ -867,17 +869,19 @@ H5HF__cache_iblock_verify_chksum(const void *_image, size_t len, void H5_ATTR_UN
uint32_t computed_chksum; /* Computed metadata checksum value */
htri_t ret_value = true; /* Return value */

FUNC_ENTER_PACKAGE_NOERR
FUNC_ENTER_PACKAGE

/* Check arguments */
assert(image);

/* Get stored and computed checksums */
H5F_get_checksums(image, len, &stored_chksum, &computed_chksum);
if (H5F_get_checksums(image, len, &stored_chksum, &computed_chksum) < 0)
HGOTO_ERROR(H5E_HEAP, H5E_CANTGET, FAIL, "can't get checksums");

if (stored_chksum != computed_chksum)
ret_value = false;

done:
FUNC_LEAVE_NOAPI(ret_value)
} /* end H5HF__cache_iblock_verify_chksum() */

Expand Down
Loading

0 comments on commit 38e454c

Please sign in to comment.