diff options
author | Mingli Yu <mingli.yu@windriver.com> | 2023-09-11 14:54:00 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-09-19 07:55:11 -0400 |
commit | 04423e6ee7c1f90db38dd4bff8b1261b638c0774 (patch) | |
tree | 12e3bdef5a89b590b3c47973e6dbe533b6150914 | |
parent | a88cb922f91fda95e8a584cee3092083d5ad3e98 (diff) | |
download | meta-openembedded-04423e6ee7c1f90db38dd4bff8b1261b638c0774.tar.gz |
hdf5: Fix CVE-2021-37501
Backport a patch [1] to fix CVE-2021-37501.
[1] https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch | 37 | ||||
-rw-r--r-- | meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch new file mode 100644 index 0000000000..01099f3438 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch @@ -0,0 +1,37 @@ +From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Mon, 11 Sep 2023 14:01:37 +0800 +Subject: [PATCH] Check for overflow when calculating on-disk attribute data + size + +Bogus sizes in this test case causes the on-disk data size +calculation in H5O_attr_decode() to overflow so that the +calculated size becomes 0. This causes the read to overflow +and h5dump to segfault. + +CVE: CVE-2021-37501 + +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/H5Oattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/H5Oattr.c b/src/H5Oattr.c +index c2c0fe3..c289344 100644 +--- a/src/H5Oattr.c ++++ b/src/H5Oattr.c +@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED + + /* Compute the size of the data */ + H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t); ++ /* Check if multiplication has overflown */ ++ if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds)) ++ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range"); + + /* Go get the data */ + if(attr->shared->data_size) { +-- +2.25.1 + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb index 7b886a4635..4110e9cea4 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb @@ -17,6 +17,7 @@ SRC_URI = " \ file://0001-cross-compiling-support.patch \ file://0002-Remove-suffix-shared-from-shared-library-name.patch \ file://0001-cmake-remove-build-flags.patch \ + file://CVE-2021-37501.patch \ " SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9" SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d" |