Skip to content

Fix vuln OSV-2024-381 #5202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 6 commits into from
Closed

Fix vuln OSV-2024-381 #5202

Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ff56cbc
Fix vuln OSV-2024-381
oss-patch Dec 24, 2024
826a425
Committing clang-format changes
github-actions[bot] Dec 24, 2024
d0ae121
use H5_IS_BUFFER_OVERFLOW to check overflow
oss-patch Jan 9, 2025
7289b25
Fix format err
oss-patch Jan 9, 2025
0d7b9d6
Fix typo err
oss-patch Jan 9, 2025
634e096
Fix the last valid byte in buf
oss-patch Jan 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/H5Faccum.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -881,6 +881,12 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
new_accum_size = accum->size - overlap_size;

/* Ensure overlap_size and new_accum_size are within bounds */
if (overlap_size > accum->alloc_size || new_accum_size > accum->alloc_size) {
Copy link
Collaborator

@jhendersonHDF jhendersonHDF Jan 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes the specific vulnerability, but a more complete fix may be needed here. Consider the case where both overlap_size and new_accum_size end up slightly below accum->alloc_size. It may make more sense to calculate a pointer to the last valid byte in accum->buf and then make use of the H5_IS_BUFFER_OVERFLOW macro from H5private.h.

Copy link
Contributor Author

@oss-patch oss-patch Jan 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes the specific vulnerability, but a more complete fix may be needed here. Consider the case where both overlap_size and new_accum_size end up slightly below accum->alloc_size. It may make more sense to calculate a pointer to the last valid byte in accum->buf and then make use of the H5_IS_BUFFER_OVERFLOW macro from H5private.h.

You are right. The current fix does not fully resolve the overflow

HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL,
"calculated sizes exceed allocated buffer size");
}

/* Move the accumulator buffer information to eliminate the freed block */
memmove(accum->buf, accum->buf + overlap_size, new_accum_size);

Expand Down
Loading