Bring CVE fixes from develop (HDFGroup#3447)

* Bring CVE fixes from develop * Fix for CVE-2018-15671 * Fix for CVE-2016-4332 * Update the CVE matrix
jhendersonHDF · Aug 30, 2023 · 4646ac8 · 4646ac8
1 parent 8063108
commit 4646ac8
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 48 deletions.
diff --git a/CVE_list_1_14.md b/CVE_list_1_14.md
@@ -35,7 +35,7 @@
 | [CVE-2018-17233](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17233) | | | | |
 | [CVE-2018-16438](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16438) | | | | |
 | [CVE-2018-15672](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15672) | | | | |
-| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED | FAILED |
+| [CVE-2018-15671](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15671) | FAILED | FAILED | FAILED |   |
 | [CVE-2018-14460](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14460) | | | | |
 | [CVE-2018-14035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14035) | | | | |
 | [CVE-2018-14034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14034) | | | | |
@@ -63,13 +63,12 @@
 | [CVE-2017-17507](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17507) | FAILED | FAILED | | |
 | [CVE-2017-17506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17506) | | | | |
 | [CVE-2017-17505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17505) | | | | |
-| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
-| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) | UNTESTED | UNTESTED | UNTESTED | UNTESTED |
+| [CVE-2016-4333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333) |  | | |  |
+| [CVE-2016-4332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332) | FAILED | FAILED | FAILED |  |
+| [CVE-2016-4331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331) |  | | |  |
+| [CVE-2016-4330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330) |  | | |  |
 
 ## NOTES
-* No test files are available for the 2016 CVE issues as Talos doesn't release proof-of-vulnerability files. We will add our own proof-of-vulnerability files in the future.
 * CVE-2021-45832 has no known proof of vulnerability file. We will attempt to create our own.
 * CVE-2021-31009 is not a specific vulnerability against HDF5.
 * CVE-2022-25942, CVE-2022-25972, and CVE-2022-26061 are not tested. Those vulnerabilities involve the high-level GIF tools and can be avoided by disabling those tools at build time.
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
@@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release
 ===================================
  Library
  -------
+ - Fixed an assertion in a previous fix for CVE-2016-4332
+
+ An assert could fail when processing corrupt files that have invalid
+ shared message flags (as in CVE-2016-4332).
+
+ The assert statement in question has been replaced with pointer checks
+ that don't raise errors. Since the function is in cleanup code, we do
+ our best to close and free things, even when presented with partially
+ initialized structs.
+
+ Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo)
+
  - Fixed performance regression with some compound type conversions
 
  In-place type conversion was introduced for most use cases in 1.14.2.
@@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release
  this optimized conversion and there is no benefit in terms of the I/O
  size.
 
- - Fixed an assertion in a previous fix for CVE-2016-4332
-
 
  Java Library
  ------------

diff --git a/src/H5Gint.c b/src/H5Gint.c
@@ -977,15 +977,13 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
  /* Check if we've seen the object the link references before */
  if (NULL == H5SL_search(udata->visited, &obj_pos)) {
  H5O_type_t otype; /* Basic object type (group, dataset, etc.) */
- unsigned rc; /* Reference count of object */
 
  /* Get the object's reference count and type */
- if (H5O_get_rc_and_type(&obj_oloc, &rc, &otype) < 0)
+ if (H5O_get_rc_and_type(&obj_oloc, NULL, &otype) < 0)
  HGOTO_ERROR(H5E_SYM, H5E_CANTGET, H5_ITER_ERROR, "unable to get object info");
 
- /* If its ref count is > 1, we add it to the list of visited objects */
- /* (because it could come up again during traversal) */
- if (rc > 1) {
+ /* Add it to the list of visited objects */
+ {
  H5_obj_t *new_node; /* New object node for visited list */
 
  /* Allocate new object "position" node */
@@ -999,7 +997,7 @@ H5G__visit_cb(const H5O_link_t *lnk, void *_udata)
  if (H5SL_insert(udata->visited, new_node, new_node) < 0)
  HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, H5_ITER_ERROR,
  "can't insert object node into visited list");
- } /* end if */
+ }
 
  /* If it's a group, we recurse into it */
  if (otype == H5O_TYPE_GROUP) {
@@ -1094,7 +1092,6 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
  hid_t gid = H5I_INVALID_HID; /* Group ID */
  H5G_t *grp = NULL; /* Group opened */
  H5G_loc_t start_loc; /* Location of starting group */
- unsigned rc; /* Reference count of object */
  herr_t ret_value = FAIL; /* Return value */
 
  /* Portably clear udata struct (before FUNC_ENTER) */
@@ -1136,13 +1133,8 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
  if ((udata.visited = H5SL_create(H5SL_TYPE_OBJ, NULL)) == NULL)
  HGOTO_ERROR(H5E_SYM, H5E_CANTCREATE, FAIL, "can't create skip list for visited objects");
 
- /* Get the group's reference count */
- if (H5O_get_rc_and_type(&grp->oloc, &rc, NULL) < 0)
- HGOTO_ERROR(H5E_SYM, H5E_CANTGET, FAIL, "unable to get object info");
-
- /* If its ref count is > 1, we add it to the list of visited objects */
- /* (because it could come up again during traversal) */
- if (rc > 1) {
+ /* Add it to the list of visited objects */
+ {
  H5_obj_t *obj_pos; /* New object node for visited list */
 
  /* Allocate new object "position" node */
@@ -1156,7 +1148,7 @@ H5G_visit(H5G_loc_t *loc, const char *group_name, H5_index_t idx_type, H5_iter_o
  /* Add to list of visited objects */
  if (H5SL_insert(udata.visited, obj_pos, obj_pos) < 0)
  HGOTO_ERROR(H5E_SYM, H5E_CANTINSERT, FAIL, "can't insert object node into visited list");
- } /* end if */
+ }
 
  /* Attempt to get the link info for this group */
  if ((linfo_exists = H5G__obj_get_linfo(&(grp->oloc), &linfo)) < 0)

diff --git a/src/H5Omessage.c b/src/H5Omessage.c
@@ -619,13 +619,12 @@ H5O__msg_free_mesg(H5O_mesg_t *mesg)
 } /* end H5O__msg_free_mesg() */
 
 /*-------------------------------------------------------------------------
- * Function: H5O_msg_free_real
+ * Function: H5O_msg_free_real
  *
- * Purpose: Similar to H5O_msg_reset() except it also frees the message
- * pointer.
+ * Purpose: Similar to H5O_msg_reset() except it also frees the message
+ * pointer
  *
- * Return: Success: NULL
- * Failure: NULL
+ * Return: NULL (always)
  *
  *-------------------------------------------------------------------------
  */
@@ -634,16 +633,15 @@ H5O_msg_free_real(const H5O_msg_class_t *type, void *msg_native)
 {
  FUNC_ENTER_NOAPI_NOINIT_NOERR
 
- /* check args */
- assert(type);
+ /* Don't assert on args since this could be called in cleanup code */
 
  if (msg_native) {
  H5O__msg_reset_real(type, msg_native);
- if (NULL != (type->free))
+ if (type && type->free)
  (type->free)(msg_native);
  else
  H5MM_xfree(msg_native);
- } /* end if */
+ }
 
  FUNC_LEAVE_NOAPI(NULL)
 } /* end H5O_msg_free_real() */

diff --git a/tools/src/h5dump/h5dump_ddl.c b/tools/src/h5dump/h5dump_ddl.c
@@ -853,10 +853,7 @@ dump_group(hid_t gid, const char *name)
 
  H5Oget_info3(gid, &oinfo, H5O_INFO_BASIC);
 
- /* Must check for uniqueness of all objects if we've traversed an elink,
- * otherwise only check if the reference count > 1.
- */
- if (oinfo.rc > 1 || hit_elink) {
+ {
  obj_t *found_obj; /* Found object */
 
  found_obj = search_obj(group_table, &oinfo.token);
@@ -880,10 +877,6 @@ dump_group(hid_t gid, const char *name)
  link_iteration(gid, crt_order_flags);
  }
  }
- else {
- attr_iteration(gid, attr_crt_order_flags);
- link_iteration(gid, crt_order_flags);
- }
 
  dump_indent -= COL;
  ctx.indent_level--;

diff --git a/tools/testfiles/tgroup-2.ddl b/tools/testfiles/tgroup-2.ddl
@@ -17,14 +17,7 @@ GROUP "/" {
  }
  }
  GROUP "g2" {
- GROUP "g2.1" {
- GROUP "g2.1.1" {
- }
- GROUP "g2.1.2" {
- }
- GROUP "g2.1.3" {
- }
- }
+ HARDLINK "/g2"
  }
  GROUP "g3" {
  GROUP "g3.1" {