From c9110c7129a745f73b9da8c1bcfc273e84739455 Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Tue, 24 Dec 2024 07:55:30 +0000
Subject: [PATCH 1/6] Fix vuln OSV-2023-77

---
src/H5Cimage.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index d626640dbdd..ac8c2fa0690 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -1287,6 +1287,11 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t *
/* Point to buffer to decode */
p = *buf;

+ /* Ensure buffer has enough data for signature comparison */
+ if ((size_t)(*buf + H5C__MDCI_BLOCK_SIGNATURE_LEN - p) > cache_ptr->image_len)
HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature");
+
+
/* Check signature */
if (memcmp(p, H5C__MDCI_BLOCK_SIGNATURE, (size_t)H5C__MDCI_BLOCK_SIGNATURE_LEN) != 0)
HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "Bad metadata cache image header signature");
From 8cebb9cb418a90d0e897b4971a46debffd5d5bb2 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Dec 2024 13:07:24 +0000
Subject: [PATCH 2/6] Committing clang-format changes

---
src/H5Cimage.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index ac8c2fa0690..c0b805a402d 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -1291,7 +1291,6 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t *
if ((size_t)(*buf + H5C__MDCI_BLOCK_SIGNATURE_LEN - p) > cache_ptr->image_len)
HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature");

-
/* Check signature */
if (memcmp(p, H5C__MDCI_BLOCK_SIGNATURE, (size_t)H5C__MDCI_BLOCK_SIGNATURE_LEN) != 0)
HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, FAIL, "Bad metadata cache image header signature");
From 2d5377dc4bfac375e26763122e4feb71e4ed7607 Mon Sep 17 00:00:00 2001
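Review bot: The added guard covers only the H5C__MDCI_BLOCK_SIGNATURE_LEN bytes that memcmp reads; H5C__decode_cache_image_header continues past this hunk, and whatever it decodes from p after the signature appears to get no comparable check against cache_ptr->image_len, so a short image can presumably still be over-read a few lines further down. Because p was set to *buf on the line above, the new expression is just `H5C__MDCI_BLOCK_SIGNATURE_LEN > cache_ptr->image_len` with extra pointer arithmetic around it. If H5C__cache_image_block_header_size() (declared among the helper prototypes in the PATCH 4/6 hunk at @@ -116) returns the encoded size of this fixed header, as its name suggests, a single `if (cache_ptr->image_len < H5C__cache_image_block_header_size(f))` here would bound every field the function reads instead of only the signature.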
From: aled-ua
Date: Thu, 9 Jan 2025 11:09:26 +0800
Subject: [PATCH 3/6] use H5_IS_BUFFER_OVERFLOW to check overflow

---
src/H5Cimage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index c0b805a402d..29abb493c6f 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -1288,7 +1288,7 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t *
p = *buf;

/* Ensure buffer has enough data for signature comparison */
- if ((size_t)(*buf + H5C__MDCI_BLOCK_SIGNATURE_LEN - p) > cache_ptr->image_len)
+ if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + cache_ptr->image_len))
HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature");

/* Check signature */
From b4ebd7047538ed4dff81e6bbcb7125c5de196e4b Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Fri, 10 Jan 2025 10:03:08 +0800
Subject: [PATCH 4/6] add size parameter

---
src/H5Cimage.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index 29abb493c6f..daa74b8ceef 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -116,7 +116,7 @@

/* Helper routines */
static size_t H5C__cache_image_block_entry_header_size(const H5F_t *f);
static size_t H5C__cache_image_block_header_size(const H5F_t *f);
-static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf);
+static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, size_t buf_size);
#ifndef NDEBUG /* only used in assertions */
static herr_t H5C__decode_cache_image_entry(const H5F_t *f, const H5C_t *cache_ptr, const uint8_t **buf, unsigned entry_num);
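Review bot: The end pointer passed as the third argument, `*buf + cache_ptr->image_len`, is one past the last byte of an image_len-byte image; H5_IS_BUFFER_OVERFLOW compares `ptr + size - 1` against that argument and so expects the address of the last valid byte (the subject of PATCH 6/6, "Fix the last valid byte in buf", says the same), which means an image exactly one byte shorter than the signature passes this check and memcmp reads one byte past the buffer. PATCH 4/6 (@@ -1288) and PATCH 6/6 (@@ -1289) rewrite this same line, but with both callers in PATCH 4/6 (@@ -297 and @@ -2390) passing `cache_ptr->image_len + 1` as buf_size, the `- 1` added in PATCH 6/6 evaluates back to `*buf + image_len`, so the off-by-one survives the whole series. The context line `assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len);` in the @@ -2390 hunk treats image_len as an exclusive bound, which supports that reading. Unless image_buffer is guaranteed at least one byte of slack beyond image_len (not visible in these hunks), the end pointer here should be `*buf + cache_ptr->image_len - 1`, and the later callers should pass `cache_ptr->image_len` rather than `cache_ptr->image_len + 1`.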
@@ -297,7 +297,7 @@ H5C__construct_cache_image_buffer(H5F_t *f, H5C_t *cache_ptr)
/* needed for sanity checks */
fake_cache_ptr->image_len = cache_ptr->image_len;
q = (const uint8_t *)cache_ptr->image_buffer;
- status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q);
+ status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q, cache_ptr->image_len + 1);
assert(status >= 0);
assert(NULL != p);
@@ -1267,7 +1267,7 @@ H5C__cache_image_block_header_size(const H5F_t *f)
*-------------------------------------------------------------------------
*/
static herr_t
-H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf)
+H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, size_t buf_size)
{
uint8_t version;
uint8_t flags;
@@ -1288,7 +1288,7 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t *
p = *buf;

/* Ensure buffer has enough data for signature comparison */
- if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + cache_ptr->image_len))
+ if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + buf_size))
HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature");

/* Check signature */
@@ -2390,7 +2390,7 @@ H5C__reconstruct_cache_contents(H5F_t *f, H5C_t *cache_ptr)
/* Decode metadata cache image header */
p = (uint8_t *)cache_ptr->image_buffer;
- if (H5C__decode_cache_image_header(f, cache_ptr, &p) < 0)
+ if (H5C__decode_cache_image_header(f, cache_ptr, &p, cache_ptr->image_len + 1) < 0)
HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed");
assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len);
From 7e54602913340aca4b813e39478f8fa1596e3678 Mon Sep 17 00:00:00 2001
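Review bot: The new buf_size parameter is undocumented: the `*---` and `*/` lines at the top of the @@ -1267 hunk close the function's header comment, and neither it nor the prototype change at @@ -116 states what buf_size counts or whether it may include slack beyond the image. That matters because both call sites pass `cache_ptr->image_len + 1` rather than the image length itself, and in H5C__construct_cache_image_buffer this sits right below `fake_cache_ptr->image_len = cache_ptr->image_len;`, so the +1 cannot be explained from the callers alone. A parameter line in the header comment such as `buf_size: number of bytes readable starting at *buf (so *buf + buf_size - 1 is the last valid byte)` would pin the contract the overflow check depends on. Both callers' enclosing functions and H5C__decode_cache_image_header itself extend beyond their hunks.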
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 10 Jan 2025 02:04:21 +0000
Subject: [PATCH 5/6] Committing clang-format changes

---
src/H5Cimage.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index daa74b8ceef..dbf26d0352f 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -116,7 +116,8 @@

/* Helper routines */
static size_t H5C__cache_image_block_entry_header_size(const H5F_t *f);
static size_t H5C__cache_image_block_header_size(const H5F_t *f);
-static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf, size_t buf_size);
+static herr_t H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t **buf,
+ size_t buf_size);
#ifndef NDEBUG /* only used in assertions */
static herr_t H5C__decode_cache_image_entry(const H5F_t *f, const H5C_t *cache_ptr, const uint8_t **buf, unsigned entry_num);
@@ -297,7 +298,7 @@ H5C__construct_cache_image_buffer(H5F_t *f, H5C_t *cache_ptr)
/* needed for sanity checks */
fake_cache_ptr->image_len = cache_ptr->image_len;
q = (const uint8_t *)cache_ptr->image_buffer;
- status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q, cache_ptr->image_len + 1);
+ status = H5C__decode_cache_image_header(f, fake_cache_ptr, &q, cache_ptr->image_len + 1);
assert(status >= 0);
assert(NULL != p);
From 79e7168eb56384dc6cb22b886261b45a423ae91b Mon Sep 17 00:00:00 2001
From: aled-ua
Date: Wed, 15 Jan 2025 20:40:02 +0800
Subject: [PATCH 6/6] Fix the last valid byte in buf

---
src/H5Cimage.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5Cimage.c b/src/H5Cimage.c
index dbf26d0352f..24fcafaabb3 100644
--- a/src/H5Cimage.c
+++ b/src/H5Cimage.c
@@ -1289,7 +1289,7 @@ H5C__decode_cache_image_header(const H5F_t *f, H5C_t *cache_ptr, const uint8_t *
p = *buf;

/* Ensure buffer has enough data for signature comparison */
- if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + buf_size))
+ if (H5_IS_BUFFER_OVERFLOW(p, H5C__MDCI_BLOCK_SIGNATURE_LEN, *buf + buf_size - 1))
HGOTO_ERROR(H5E_CACHE, H5E_OVERFLOW, FAIL, "Insufficient buffer size for signature");

/* Check signature */
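Review bot: Since p is assigned `*buf` on the line above, the whole condition is equivalent to `if (buf_size < H5C__MDCI_BLOCK_SIGNATURE_LEN)`, which avoids forming `*buf + buf_size - 1` at all; with buf_size == 0 that expression points before the start of the buffer, which is undefined behaviour even though nothing is dereferenced. The current callers never pass 0, but the function's signature does not forbid it, and the plain size comparison states the intent more directly than the pointer arithmetic. The function continues outside this hunk, so this only concerns the signature check, not any later reads from p.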