heap-buffer-overflow in H5Fio.c #4434

Closed
gabe-sherman opened this issue Apr 21, 2024 · 0 comments · Fixed by #4450
Labels
Component - C Library Core C library issues (usually in the src directory) Confirmed Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub
Comments

gabe-sherman commented Apr 21, 2024

A heap-buffer-overflow occurs in the h5dump program when provided with a malformed input. This behavior occurs at line 515 in H5Fio.c

How to trigger

LD_PRELOAD=path-to/libhdf5.so h5dump poc

POC File

https://github.com/FuturesLab/POC/blob/main/hdf5/poc-09

Test Environment

Ubuntu 22.04, 64bit

Version

Latest: 0394b03

Address Sanitizer Output

=================================================================
==1414505==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000486f at pc 0x555556b4c45f bp 0x7fffffffca90 sp 0x7fffffffca88
READ of size 1 at 0x60200000486f thread T0
    #0 0x555556b4c45e in H5F_get_checksums /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Fio.c:515:9
    #1 0x555556f82f04 in H5O__cache_verify_chksum /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Ocache.c:226:9
    #2 0x5555567c0393 in H5C__load_entry /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Centry.c:1167:28
    #3 0x5555567c0393 in H5C_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Centry.c:3101:30
    #4 0x5555566414c2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26
    #5 0x55555704e944 in H5O_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Oint.c:988:32
    #6 0x5555570a9457 in H5O_msg_exists /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Omessage.c:787:23
    #7 0x555556cf010d in H5G_mkroot /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Groot.c:217:32
    #8 0x555556b1d0d6 in H5F_open /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Fint.c:2096:13
    #9 0x555557a1915e in H5VL__native_file_open /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5VLnative_file.c:127:29
    #10 0x555557992223 in H5VL__file_open /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5VLcallback.c:3629:30
    #11 0x55555799158b in H5VL_file_open /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5VLcallback.c:3778:30
    #12 0x555556ae7a06 in H5F__open_api_common /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5F.c:786:29
    #13 0x555556ae6e05 in H5Fopen /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5F.c:826:22
    #14 0x5555566003d6 in main /home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-09/harness.c:17:24
    #15 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #17 0x555556542624 in _start (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-09/harness+0xfee624) (BuildId: 67f4887fb70b6fd34e79663298e99802e72ccb93)

0x60200000486f is located 1 bytes to the left of 3-byte region [0x602000004870,0x602000004873)
allocated by thread T0 here:
    #0 0x5555565c5896 in __interceptor_realloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-09/harness+0x1071896) (BuildId: 67f4887fb70b6fd34e79663298e99802e72ccb93)
    #1 0x555556f4fdea in H5MM_realloc /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5MM.c:87:21
    #2 0x5555566414c2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Fio.c:515:9 in H5F_get_checksums
Shadow bytes around the buggy address:
  0x0c047fff88b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff88c0: fa fa 04 fa fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fff88d0: fa fa 04 fa fa fa 01 fa fa fa 01 fa fa fa 04 fa
  0x0c047fff88e0: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff88f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8900: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa[fa]03 fa
  0x0c047fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1414505==ABORTING
@derobins derobins added Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 22, 2024
@derobins derobins added this to the 1.14.5 milestone Apr 22, 2024
@bmribler bmribler added Confirmed Branch - 1.14 and removed UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 23, 2024
bmribler added a commit to bmribler/hdf5_bmr23 that referenced this issue Apr 30, 2024
The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix HDFGroupgh-4434
derobins pushed a commit that referenced this issue May 1, 2024
The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix gh-4434
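The defect the commit message describes, reconstructed as an added example (this is not HDF5's code, and none of the names below exist in the library): a fixed-size checksum trailer is located at buf_size - H5_SIZEOF_CHKSUM, and when the buffer is shorter than the trailer the unsigned subtraction wraps, so the decode pointer lands before the allocation. That is exactly the one-byte-to-the-left read of a 3-byte region in the ASan report above. The example assumes a 4-byte trailer (CHKSUM_SIZE) and a little-endian encoding; the toy checksum, build_block, verify_block_checked and checksum_offset_unchecked are constructed for illustration and stand in for the library's real metadata hash and H5F_get_checksums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 4-byte checksum trailer, standing in for HDF5's H5_SIZEOF_CHKSUM. */
#define CHKSUM_SIZE 4

/* Little-endian 32-bit decode/encode (HDF5's on-disk format is little-endian). */
static uint32_t decode_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void encode_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Toy checksum constructed for this example; the library's real hash is not reproduced. */
static uint32_t toy_checksum(const uint8_t *buf, size_t len) {
    uint32_t h = 0x9e3779b9u;
    for (size_t i = 0; i < len; i++)
        h = h * 31u + buf[i];
    return h;
}

/* The unchecked offset computation at the heart of the bug: size_t arithmetic wraps,
 * so a 3-byte buffer yields SIZE_MAX, i.e. buf + off == buf - 1 (the ASan read). */
static size_t checksum_offset_unchecked(size_t buf_size) {
    return buf_size - CHKSUM_SIZE;
}

/* Hardened shape of the checksum lookup: refuse a buffer that cannot hold the trailer
 * before touching memory. Returns -1 on a short buffer, 1 on match, 0 on mismatch. */
static int verify_block_checked(const uint8_t *buf, size_t buf_size) {
    if (buf == NULL || buf_size < CHKSUM_SIZE)
        return -1;                              /* the check the fix added */
    size_t off = buf_size - CHKSUM_SIZE;        /* cannot wrap after the check */
    uint32_t stored = decode_u32(buf + off);
    uint32_t computed = toy_checksum(buf, off); /* checksum covers the body only */
    return stored == computed ? 1 : 0;
}

/* Build a constructed "metadata block": body followed by its checksum trailer.
 * out must have room for body_len + CHKSUM_SIZE bytes. Returns the block length. */
static size_t build_block(uint8_t *out, const uint8_t *body, size_t body_len) {
    memcpy(out, body, body_len);
    encode_u32(out + body_len, toy_checksum(out, body_len));
    return body_len + CHKSUM_SIZE;
}

int main(void) {
    uint8_t buf[32];
    const uint8_t body[] = {'h', 'd', 'f', '5'};      /* constructed sample body */
    size_t n = build_block(buf, body, sizeof body);
    printf("valid block:   %d\n", verify_block_checked(buf, n));
    buf[0] ^= 0x80;                                   /* corrupt one body byte */
    printf("corrupt block: %d\n", verify_block_checked(buf, n));
    const uint8_t tiny[3] = {0, 0, 0};                /* the 3-byte region ASan reported */
    printf("3-byte block:  %d (unchecked offset would be %zu)\n",
           verify_block_checked(tiny, sizeof tiny),
           checksum_offset_unchecked(sizeof tiny));
    return 0;
}
```

The point of the check is that it is an inequality on the size, not a null test on the pointer: a buffer of exactly CHKSUM_SIZE bytes (an empty body plus trailer) is still legal and verifies, while anything shorter is rejected before any byte is read. The vulnerable arithmetic is kept only as a pure function over the size so the wrap is visible without performing the out-of-bounds read.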
lrknox pushed a commit to lrknox/hdf5 that referenced this issue May 7, 2024
The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix HDFGroupgh-4434
lrknox added a commit that referenced this issue May 7, 2024
* Split H5Tconv.c into modules by type (#4393)

* Split H5Tconv.c into modules by type

* Add new H5Tconv headers to list of private headers

* Fix broken links in VOL API table (#4438)

* Don't print thread ID when the library isn't multithreaded. (#4428)

Corresponding changes to make error output for regression tests agnostic
to thread setting.

Signed-off-by: Quincey Koziol <[email protected]>

* Start refactoring H5E code to avoid using IDs internally (#4427)

* Add support for builtin_expect compiler hint (#4425)

* Add support for __builtin_expect extension

And H5_LIKELY / H5_UNLIKELY macros to wrap it

Signed-off-by: Quincey Koziol <[email protected]>

* Committing clang-format changes

---------

Signed-off-by: Quincey Koziol <[email protected]>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* sanitizer flags need to be set before compiler flags (#4444)

* Add navigate chapters and use release_docs in Learn Basics (#4441)

* Fix for github issue #3790: infinite loop closing library (#4445)

* Fix for github issue #3790: infinite loop closing library
Cause of the problem:
When h5dump tries to open the user provided test file, the metadata cache will
call the "get_final_load_size" callback to find out the actual size of the
root object header.  The callback function will call
H5O__prefix_deserialize() to allocate space for the object header
data structure (via H5FL_CALLOC) and to deserialize the object header prefix
in order to find the actual size of the object header.
The metadata cache will then check whether the actual size obtained
will exceed the file's EOA.
Since the actual size obtained from the test file exceeds the EOA,
the metadata cache throws an error and returns.
However, the oh structure that was allocated in H5O__prefix_deserialize()
was not freed and hence causing the problem described in this issue.
Fix:
1) Deallocate the oh structure after obtaining and saving the needed
information in udata which will be used later on in the "verify_chksum" callback.
2) Deserialize the object header prefix in the "object header's
"deserialize" callback regardless.  The original coding intends to keep the
deserialized prefix so that the object header's "deserialize" callback
does not need to deserialize the prefix again if the object header is coming
through the "get_final_load_size" callback.

* H5R Fortran wrappers and misc. H5R API/DOC updates (#4446)

    - Add Fortran H5R APIs:
      h5rcreate_attr_f, h5rcreate_object_f, h5rcreate_region_f,
      h5ropen_attr_f, h5ropen_object_f, h5ropen_region_f,
      h5rget_file_name_f, h5rget_attr_name_f, h5rget_obj_name_f,
      h5rcopy_f, h5requal_f, h5rdestroy_f, h5rget_type_f

    - Fixed function H5Requal to actually compare the reference pointers

      Fixed an issue with H5Requal always returning true because the
      function was only comparing the ref2_ptr to itself.

* Fix heap-buffer-overflow in H5Fio.c (#4450)

The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix gh-4434

* Fix grammar in VOL guide (#4452)

* Fix bug in MPI-IO VFD (#4456)

Corrects incorrect usage of the vector_was_sorted parameter in H5FD__mpio_vector_build_types()

* Bump the github-actions group with 3 updates (#4455)

Bumps the github-actions group with 3 updates: [actions/download-artifact](https://github.com/actions/download-artifact), [peaceiris/actions-gh-pages](https://github.com/peaceiris/actions-gh-pages) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `actions/download-artifact` from 4.1.4 to 4.1.7
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@c850b93...65a9edc)

Updates `peaceiris/actions-gh-pages` from 3.9.3 to 4.0.0
- [Release notes](https://github.com/peaceiris/actions-gh-pages/releases)
- [Changelog](https://github.com/peaceiris/actions-gh-pages/blob/main/CHANGELOG.md)
- [Commits](peaceiris/actions-gh-pages@373f7f2...4f9cc66)

Updates `github/codeql-action` from 3.24.9 to 3.25.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@1b1aada...d39d31e)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: peaceiris/actions-gh-pages
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fixed failures with xl compilers. (#4458)

* type cast constant

* fixed return types

* Convert ERR test to use grep (#4451)

* Convert ERR test to use grep
* Eliminate use of .err files in CMake
* Show error output if grep fails
* Turn off cuda in NVHPC CI

* Removed "function/code stack" debugging configure option (#4454)

Easily replaced w/third-party tools, e.g. libbacktrace
(https://github.com/ianlancetaylor/libbacktrace)

* Clean up memory leaks in t_vfd (#4457)

* Fixes and cleanup for ph5diff (#4460)

* Fixes and cleanup for ph5diff

Fixes concurrency issues in ph5diff that can cause interleaved
output

Fixes an issue where output can sometimes be dropped if it ended
up in ph5diff's output overflow file

Fixes an issue where MPI_Init is called after HDF5 has been
initialized, preventing the library from setting up an MPI
attribute to perform cleanup on MPI_Finalize

Fixes an issue in config/cmake/runTest.cmake where the CMake
logic would try to access an invalid list index if the number
of lines in a test's output and reference files don't match

* Add release note

* Remove use of err files in autotools test scripts (#4461)

* Fix typo in H5Rget_obj_type (#4463)

Issue GH-1723

* Use ADD_H5_ERR_TEST to not compare output (#4464)
byrnHDF pushed a commit to byrnHDF/hdf5 that referenced this issue May 14, 2024
The buffer size for checksum was smaller than H5_SIZEOF_CHKSUM, causing an
overflow while calculating the offset to the checksum in the buffer.

A check was added so H5F_get_checksums would fail appropriately in all
of its occurrences.

Fix HDFGroupgh-4434