Fix divide-by-zero when page buf page size is 0 #4296
Conversation
If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message. Fixes oss-fuzz issue 58762
derobins
added
Merge - To 1.14
Priority - 0. Blocker ⛔
derobins
requested review from
lrknox,
byrnHDF,
fortnern,
jhendersonHDF,
qkoziol,
vchoi-hdfgroup,
bmribler,
glennsong09,
mattjala and
brtnfld
as code owners
| @@ -606,8 +606,10 @@ H5MF__sect_small_add(H5FS_section_info_t **_sect, unsigned *flags, void *_udata) | |||
| HGOTO_DONE(ret_value); | |||
|
|
|||
| sect_end = (*sect)->sect_info.addr + (*sect)->sect_info.size; | |||
| rem = sect_end % udata->f->shared->fs_page_size; | |||
| prem = udata->f->shared->fs_page_size - rem; | |||
| if (0 == udata->f->shared->fs_page_size) | |||
There was a problem hiding this comment.
Could this be an assertion, since we already checked it when reading the file?
There was a problem hiding this comment.
I prefer to not use asserts for error checking, aside from verifying input parameters, since a bunch of the CVE fixes have involved switching an assert out for real error checking (as here, in H5Fsuper.c). What if there were an overflow and something scribbled 0s on the struct member?
There was a problem hiding this comment.
It's not practical to protect against those types of memory errors by checking for their effects. I feel strongly that asserts should be used for these sorts of internal consistency checks, otherwise we'd have to use error checks everywhere at a substantial performance penalty
There was a problem hiding this comment.
Implementing a policy that internal consistency checks should be error checks and not asserts also creates an incentive to not add internal consistency checks.
There was a problem hiding this comment.
Agreed with @fortnern's points and I'd make the argument that asserts are exactly the appropriate tool to use when checking for something that may have overflowed. That's an internal consistency check for something that should not happen. Throwing an error in that case is nothing more than confusing.
There was a problem hiding this comment.
I can switch it to an assert, but I'm a fan of "test what you ship" vs. "debug builds have the error checks". Also, our intuition for "should not happen" isn't always great, as we've had to switch asserts to real error checking to fix multiple issues, some of which were CVEs (again, as in this PR).
I also seriously doubt a couple of extra if statements are going to cause significant overhead. The vast majority of non-trivial statements in our library involve a bonus if check.
|
Generally speaking, I'm trending toward: "use errors for things that happen outside your code (file not found, bad user argument, out of memory, etc) and use asserts for things you do to yourself inside your code (weird, that shouldn't happen!)" If you are confused about the state of your code, it's probably an assertion issue and you shouldn't really trust throwing an error - there's nothing the user can do about your code being wrong. Errors should be for things that users can do something about. Unfortunately, we need to treat "the file got corrupted" as an error (done to us), where we previously (naively) thought it was an assertion issue (done to ourselves). |
If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message. Fixes oss-fuzz issue 58762
* Fix divide-by-zero when page buf page size is 0 (#4296) If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message. Fixes oss-fuzz issue 58762 * Fix typo - Cnversion (#4301) * Bump the github-actions group with 3 updates (#4300) Bumps the github-actions group with 3 updates: [actions/download-artifact](https://github.com/actions/download-artifact), [softprops/action-gh-release](https://github.com/softprops/action-gh-release) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/download-artifact` from 4.1.1 to 4.1.4 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4.1.1...c850b93) Updates `softprops/action-gh-release` from 1 to 2 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@de2c0eb...9d7c94c) Updates `github/codeql-action` from 3.24.6 to 3.24.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@8a470fd...1b1aada) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix typo - glueing (#4299) * Prepend MPI_TEST_ to parallel example test names (#4306) * Report build options of VFDs (#4304) * changed to if string contains instead * return status of VFDs in libhdf5.settings * use *_ENABLE_* settings instead to report the state * added map state * updated resetting status if cmake option fails * PR merge workflows (#4303) * Merge the Test Express workflows into the PR CI * Split merge request triggers into autotools vs cmake * Fix typo - differetly (#4311) * Fix README badges (#4313) * Remove old wait_H5Tinit.cmake file (#4314) * Update branch names: develop=>hdf5_1_14 in 2 new workflows merged from develop.
If a corrupt file sets the page buffer size in the superblock to zero, the library could attempt to divide by zero when allocating space in the file. The library now checks for valid page buffer sizes when reading the superblock message.
Fixes oss-fuzz issue 58762