CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

hdf5: Fix CVE-2021-37501

Browse Source 
Backport a patch [1] to fix CVE-2021-37501.

[1] b16ec83d4b

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Mingli Yu 2023-09-11 14:54:00 +08:00 committed by Armin Kuster
parent a88cb922f9
commit 04423e6ee7
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
meta-oe/recipes-support/hdf5/files/CVE-2021-37501.patch Normal file
View File

@ -0,0 +1,37 @@
From 602015eacc53bf2699bf4c4e5420b63c3f067547 Mon Sep 17 00:00:00 2001
From: Mingli Yu <mingli.yu@windriver.com>
Date: Mon, 11 Sep 2023 14:01:37 +0800
Subject: [PATCH] Check for overflow when calculating on-disk attribute data
size
Bogus sizes in this test case causes the on-disk data size
calculation in H5O_attr_decode() to overflow so that the
calculated size becomes 0. This causes the read to overflow
and h5dump to segfault.
CVE: CVE-2021-37501
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/b16ec83d4bd79f9ffaad85de16056419f3532887]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
src/H5Oattr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/H5Oattr.c b/src/H5Oattr.c
index c2c0fe3..c289344 100644
--- a/src/H5Oattr.c
+++ b/src/H5Oattr.c
@@ -217,6 +217,9 @@ H5O_attr_decode(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned H5_ATTR_UNUSED
/* Compute the size of the data */
H5_CHECKED_ASSIGN(attr->shared->data_size, size_t, H5S_GET_EXTENT_NPOINTS(attr->shared->ds) * H5T_get_size(attr->shared->dt), hsize_t);
+ /* Check if multiplication has overflown */
+ if ((attr->shared->data_size / H5T_get_size(attr->shared->dt)) != H5S_GET_EXTENT_NPOINTS(attr->shared->ds))
+ HGOTO_ERROR(H5E_RESOURCE, H5E_OVERFLOW, NULL, "data size exceeds addressable range");
/* Go get the data */
if(attr->shared->data_size) {
--
2.25.1

1
meta-oe/recipes-support/hdf5/hdf5_1.8.21.bb
View File

@ -17,6 +17,7 @@ SRC_URI = " \
file://0001-cross-compiling-support.patch \
file://0002-Remove-suffix-shared-from-shared-library-name.patch \
file://0001-cmake-remove-build-flags.patch \
file://CVE-2021-37501.patch \
"
SRC_URI[md5sum] = "2d2408f2a9dfb5c7b79998002e9a90e9"
SRC_URI[sha256sum] = "e5b1b1dee44a64b795a91c3321ab7196d9e0871fe50d42969761794e3899f40d"