
[CVE-2018-17439, HDFFV-10589] Stack buffer overflow in H5O_dtype_decode_helper() #2226

Closed
e4t opened this issue Nov 7, 2022 · 1 comment
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub

Comments

@e4t
Contributor

e4t commented Nov 7, 2022

Description
A malformed hdf5 file may cause a stack overflow in H5IMget_image_info() if the rank of the data space exceeds the array size allocated on the stack:

herr_t H5IMget_image_info( ...)
{
    ...
    hsize_t dims[IMAGE24_RANK];   /* fixed-size array on the stack */
    ...
    /* writes one entry per dataspace dimension into dims[] */
    if (H5Sget_simple_extent_dims(sid, dims, NULL) < 0)
        goto out;
    ...
}

With:

H5Sget_simple_extent_dims(hid_t space_id, hsize_t dims[] /*out*/, hsize_t maxdims[] /*out*/)
{
    int    ret_value = -1;
    H5S_t *ds;
    ...
    ret_value = H5S_get_simple_extent_dims(ds, dims, maxdims);
    ...
}

int
H5S_get_simple_extent_dims(const H5S_t *ds, hsize_t dims[], hsize_t max_dims[])
{
    int ret_value = -1;
    if ((ret_value = H5S_extent_get_dims(&ds->extent, dims, max_dims)) < 0) {
        error
    }
    ...
}

int
H5S_extent_get_dims(const H5S_extent_t *ext, hsize_t dims[], hsize_t max_dims[])
{
    ...
    int ret_value = (int)ext->rank;   /* rank comes from the file; not checked against the caller's array size */
    for (i = 0; i < ret_value; i++) {
        if (dims)
            dims[i] = ext->size[i];
        ...
    }
    ...
}

This is somewhat critical on systems with stacks growing downwards as the return address will be located above the base address of the array and thus is reachable by an out-of-bounds array index. This way, the return address can be manipulated which may open the door to arbitrary code execution.
Luckily, the fix is simple as a call to H5Sget_simple_extent_dims() with NULL arguments will simply return the rank which can then be checked against the array size.
On later versions of HDF5 (including 1.10.8) the reproducer of CVE-2018-17439 no longer triggers: it contains a dataspace rank that doesn't match its buffer size. Due to the fix for CVE-2018-14460 H5IMget_image_info() bails in H5Dopen2() already. AFAICT these issues are independent of each other: an image dataspace with rank > IMAGE24_RANK but the correct buffer size would not trigger the detection added for CVE-2018-14460 and be vulnerable to this exploit.

Platform

  • 1.10.7 and earlier
  • openSUSE Leap 15.4/ SLE 15 SP4 / openSUSE Tumbleweed
  • gcc7
  • Autotools
  • config --enable-fortran --enable-unsupported --enable-hl --enable-shared --enable-threadsafe --enable-build-mode=production --enable-cxx --with-pthread
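The following is an added example modelling the pattern described in this issue and in the fix commits; it is not HDF5 code. The names `model_extent_t`, `model_get_simple_extent_dims()` and `model_get_image_dims()` are stand-ins for the library's dataspace extent, `H5Sget_simple_extent_dims()` and the `dims[IMAGE24_RANK]` logic in `H5IMget_image_info()`; `IMAGE24_RANK` and the rank limit are set here for the model and are assumptions. It shows the contract the fix relies on (passing NULL output arrays returns only the rank) and the bound check that rejects a dataspace whose rank would not fit the fixed stack array.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the structures involved; not the library's definitions. */
#define IMAGE24_RANK   3    /* size of the fixed stack array in the H5IM caller */
#define MODEL_MAX_RANK 32   /* assumed upper bound on rank stored in the extent */

typedef uint64_t hsize_t;

typedef struct {
    unsigned rank;                   /* rank as read from the (possibly malformed) file */
    hsize_t  size[MODEL_MAX_RANK];
} model_extent_t;

/* Mirrors the contract the issue describes for H5Sget_simple_extent_dims():
 * returns the rank, and copies ext->size[] into dims[] / max_dims[] only when
 * the corresponding pointer is non-NULL. Note that nothing here bounds the
 * number of entries written to the caller's array; that is the caller's job. */
int model_get_simple_extent_dims(const model_extent_t *ext, hsize_t dims[], hsize_t max_dims[])
{
    int ret_value = (int)ext->rank;
    for (int i = 0; i < ret_value; i++) {
        if (dims)
            dims[i] = ext->size[i];
        if (max_dims)
            max_dims[i] = ext->size[i];   /* model: no separate max sizes */
    }
    return ret_value;
}

/* Detection helper: does this extent carry more dimensions than the
 * fixed IMAGE24_RANK array can hold? This is the condition the original
 * code never tested. */
int model_extent_overflows_image_rank(const model_extent_t *ext)
{
    return model_get_simple_extent_dims(ext, NULL, NULL) > IMAGE24_RANK;
}

/* Hardened counterpart of the pattern in H5IMget_image_info(): query the
 * rank with NULL output arrays first, reject it if it exceeds the array
 * size, and only then fill the fixed-size buffer. Copies the dimensions
 * into out[] (which must hold IMAGE24_RANK entries) and returns the rank,
 * or -1 if the dataspace is rejected. */
int model_get_image_dims(const model_extent_t *ext, hsize_t out[IMAGE24_RANK])
{
    hsize_t dims[IMAGE24_RANK];

    int rank = model_get_simple_extent_dims(ext, NULL, NULL);
    if (rank < 0 || rank > IMAGE24_RANK)
        return -1;   /* would overflow dims[]: treat the file as malformed */

    if (model_get_simple_extent_dims(ext, dims, NULL) < 0)
        return -1;

    for (int i = 0; i < rank; i++)
        out[i] = dims[i];
    for (int i = rank; i < IMAGE24_RANK; i++)
        out[i] = 0;
    return rank;
}
```

The order matters: the rank query with NULL arrays is the only call that is safe to make before the bound is known, which is exactly why the fix commits use `H5Sget_simple_extent_dims(sid, NULL, NULL)` ahead of the call that writes into `dims[]`.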
@e4t e4t added the bug label Nov 7, 2022
e4t added a commit to e4t/hdf5 that referenced this issue Nov 7, 2022
… size

Malformed hdf5 files may provide more dimensions than the array dim[] is
able to hold. Check number of elements first by calling
H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments.
This will cause the function to return only the number of dimensions.

This fixes CVE-2018-17439 / HDFFV-10589 / Bug HDFGroup#2226.

Signed-off-by: Egbert Eich <[email protected]>
e4t added a commit to e4t/hdf5 that referenced this issue Nov 10, 2022
Malformed hdf5 files may provide more dimensions than the array dim[] in
H5IMget_image_info() is able to hold. Check number of elements first by calling
H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments.
This will cause the function to return only the number of dimensions.
The fix addresses a stack overflow on write.

This fixes CVE-2018-17439 / HDFFV-10589 / Bug HDFGroup#2226.

Signed-off-by: Egbert Eich <[email protected]>
e4t added a commit to e4t/hdf5 that referenced this issue Nov 10, 2022
Malformed hdf5 files may provide more dimensions than the array dim[] in
H5IMget_image_info() is able to hold. Check number of elements first by calling
H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments.
This will cause the function to return only the number of dimensions.
The fix addresses a stack overflow on write.

This fixes CVE-2018-17439 / HDFFV-10589 / Bug HDFGroup#2226.

Signed-off-by: Egbert Eich <[email protected]>
lrknox pushed a commit that referenced this issue Nov 11, 2022
Malformed hdf5 files may provide more dimensions than the array dim[] in
H5IMget_image_info() is able to hold. Check number of elements first by calling
H5Sget_simple_extent_dims() with NULL for both 'dims' and 'maxdims' arguments.
This will cause the function to return only the number of dimensions.
The fix addresses a stack overflow on write.

This fixes CVE-2018-17439 / HDFFV-10589 / Bug #2226.

Signed-off-by: Egbert Eich <[email protected]>
@derobins derobins removed the bug label Mar 3, 2023
@derobins derobins changed the title [BUG,CVE-2018-17439, HDFFV-10589] Stack buffer overflow in H5O_dtype_decode_helper() [CVE-2018-17439, HDFFV-10589] Stack buffer overflow in H5O_dtype_decode_helper() May 4, 2023
@derobins derobins added Priority - 1. High 🔼 These are important issues that should be resolved in the next release Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub labels May 4, 2023
@derobins
Member

derobins commented Sep 5, 2023

Definitely fixed in 1.14.3, 1.12.3, and 1.10.11.

@derobins derobins closed this as completed Sep 5, 2023