Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

out of bounds write in H5FD_s3comms_aws_canonical_request #1168

Closed
mwhudson opened this issue Nov 8, 2021 · 2 comments
Closed

out of bounds write in H5FD_s3comms_aws_canonical_request #1168

mwhudson opened this issue Nov 8, 2021 · 2 comments
Assignees
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 2. Medium ⏹ It would be nice to have this in the next release Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub
Milestone

Comments

@mwhudson
Copy link

mwhudson commented Nov 8, 2021

hdf5 was failing to build in ubuntu on s390x, seen here https://launchpad.net/ubuntu/+source/hdf5/1.10.7+repack-4/+build/22296161 and I feared some kind of endianness thing but instead it was a failure in test_aws_canonical_request that turned out to be caused by an out of bounds write in H5FD_s3comms_aws_canonical_request, specifically

    /* remove trailing ';' from signed headers sequence */
    signed_headers_dest[HDstrlen(signed_headers_dest) - 1] = '\0';

when signed_headers_dest is the empty string, which happens for the last of the test cases in the function (this manifested as a scribble over a different local variable's value in test_aws_canonical_request's stack frame so took a bit of figuring out).

I've no idea why this only just started failing for us or why it only fails on s390x but either way it's clearly buggy code.

@mwhudson
Copy link
Author

mwhudson commented Nov 8, 2021

On reflection I guess this bug does have a degree of endian dependence: on a little endian system (with the same stack layout) it would result in a NUL being written to the most significant byte of a heap pointer, and that's not going to do anything.

Anyway, we applied the following very unsophisticated patch in Ubuntu:

--- a/src/H5FDs3comms.c
+++ b/src/H5FDs3comms.c
@@ -1717,8 +1717,10 @@
         node = node->next;
     } /* end while node is not NULL */
 
-    /* remove trailing ';' from signed headers sequence */
-    signed_headers_dest[HDstrlen(signed_headers_dest) - 1] = '\0';
+    if (*signed_headers_dest != '\0') {
+        /* remove trailing ';' from signed headers sequence */
+        signed_headers_dest[HDstrlen(signed_headers_dest) - 1] = '\0';
+    }
 
     /* append signed headers and payload hash
      * NOTE: at present, no HTTP body is handled, per the nature of

@derobins derobins added Priority - 2. Medium ⏹ It would be nice to have this in the next release Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub labels May 4, 2023
@derobins derobins assigned derobins and unassigned vchoi-hdfgroup Oct 9, 2023
@derobins derobins added this to the 1.14.3 milestone Oct 9, 2023
derobins added a commit to derobins/hdf5 that referenced this issue Oct 15, 2023
In the ros3 VFD, passing an empty string parameter to an internal
API call could result in accessing the -1th element of a string.
This would cause failures on big-endian systems like s390x.

This parameter is now checked before writing to the string.

Fixes GitHub HDFGroup#1168
lrknox pushed a commit that referenced this issue Oct 16, 2023
In the ros3 VFD, passing an empty string parameter to an internal
API call could result in accessing the -1th element of a string.
This would cause failures on big-endian systems like s390x.

This parameter is now checked before writing to the string.

Fixes GitHub #1168
@derobins
Copy link
Member

Fixed w/ #3681

brtnfld pushed a commit to brtnfld/hdf5 that referenced this issue Oct 16, 2023
In the ros3 VFD, passing an empty string parameter to an internal
API call could result in accessing the -1th element of a string.
This would cause failures on big-endian systems like s390x.

This parameter is now checked before writing to the string.

Fixes GitHub HDFGroup#1168
jhendersonHDF pushed a commit to jhendersonHDF/hdf5 that referenced this issue Oct 18, 2023
In the ros3 VFD, passing an empty string parameter to an internal
API call could result in accessing the -1th element of a string.
This would cause failures on big-endian systems like s390x.

This parameter is now checked before writing to the string.

Fixes GitHub HDFGroup#1168
derobins added a commit that referenced this issue Oct 18, 2023
* Address nagfor exceptions stoppage. (#3658)

* added cmake ieee flag for nagfor

* generalized determining the nag compiler

* fixing some misc. NAG warnings

* Simplify. (#3659)


* Address @jhendersonHDF review

* Add expedited testing support to t_filters_parallel (#3665)

* Remove clang warnings (#3656)

* Fixes test failure for gfortran -O2 and -O3, -fdefault-real-16 (#3662)

* added cmake ieee flag for nagfor

* fixes gfortran -O2 and -O3, -fdefault-real-16

* fixed sync

* updated release notes

* Fix link error on clang17/gfortran13/macOS-13 (#3666) (#3671)

* Correct fortran CMake generator expressions (#3670)

* Add AOCC GitHub Action (#3504) (#3657)

* Fix uninitialized subfiling test variable (#3675)

Picked up by gcc 10 on skybridge. Probably spurious, but no harm in
initializing it to a "bad" value.

* Add support for AOCC & Flang w/ the Autotools (#3674)

* Adds a config/clang-fflags options file to support Flang
* Corrects missing "-Wl," from linker options in the libtool wrappers
  when using Flang, the MPI Fortran compiler wrappers, and building
  the shared library. This would often result in unrecognized options
  like -soname.
* Enable -nomp w/ Flang to avoid linking to the OpenMPI library.

CMake can build the parallel, shared library w/ Fortran using AOCC
and Flang, so no changes were needed for that build system.

Fixes GitHub issues #3439, #1588, #366, #280

* Fix a strncpy call to use dest size not src (#3677)

A strncpy call in a path construction call used the size of the src
buffer instead of the dest buffer as the limit n.

This was switched to use the dest size and properly terminate the
string if truncation occurs.

* Remove CANBE_UNUSED() from subfiling VFD (#3678)

This macro was an attempt to quiet warnings about release mode unused
variables that only appear in asserts. It resolves to a void cast, which
doesn't quiet warnings when an assignment has already taken place.

* Suppress MPI_Waitall warnings w/ MPICH (#3680)

MPICH defines MPI_STATUSES_IGNORE (a pointer) to 1, which raises warnings
w/ gcc. This is a known issue that the MPICH devs are not going to fix.

See here:
    pmodels/mpich#5687

This fix suppresses those issues w/ gcc

* Fix a possible NULL pointer dereference in tests (#3676)


The dtypes test could dereference a NULL pointer if a strdup call
failed.

* Fix printf warnings in t_mpi (#3679)

* Fix printf warnings in t_mpi

The type of MPI_Offset varies with implementation. In MPICH, it's long,
which raises warnings when we attempt to use long long format
specifiers. Casting to long long fixes the warnings.

* Fix invalid memory access in S3 comms (#3681)

In the ros3 VFD, passing an empty string parameter to an internal
API call could result in accessing the -1th element of a string.
This would cause failures on big-endian systems like s390x.

This parameter is now checked before writing to the string.

Fixes GitHub #1168

* Add Doxygen for H5Pset_fapl_sec2() (#3685)

*

* switch to using time function instead of date function (#3690)

* Initialize API context MPI types to MPI_BYTE (#3688)

* Add test info output to t_filters_parallel (#3696)

* Suppress format string warnings in subfiling test (#3699)

* Fix unused variable in tselect.c (#3701)

* Fix unused variable warning in H5F_sfile_assert_num (#3700)

* Restore floating-point suffixes in tests (#3698)

A prior commit removed too many F suffixes. This restores the suffixes
for float variables.

* Sync with changes from develop

---------

Co-authored-by: Scot Breitenfeld <[email protected]>
Co-authored-by: H. Joe Lee <[email protected]>
Co-authored-by: Allen Byrne <[email protected]>
Co-authored-by: Dana Robinson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 2. Medium ⏹ It would be nice to have this in the next release Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub
Projects
None yet
Development

No branches or pull requests

3 participants