out of bounds write in H5FD_s3comms_aws_canonical_request #1168
Assignees
Labels
Component - C Library
Core C library issues (usually in the src directory)
Priority - 2. Medium ⏹
It would be nice to have this in the next release
Type - Bug
Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub
Milestone
Comments
|
On reflection I guess this bug does have a degree of endian dependence: on a little endian system (with the same stack layout) it would result in a NUL being written to the most significant byte of a heap pointer, and that's not going to do anything. Anyway, we applied the following very unsophisticated patch in Ubuntu: --- a/src/H5FDs3comms.c
+++ b/src/H5FDs3comms.c
@@ -1717,8 +1717,10 @@
node = node->next;
} /* end while node is not NULL */
- /* remove trailing ';' from signed headers sequence */
- signed_headers_dest[HDstrlen(signed_headers_dest) - 1] = '\0';
+ if (*signed_headers_dest != '\0') {
+ /* remove trailing ';' from signed headers sequence */
+ signed_headers_dest[HDstrlen(signed_headers_dest) - 1] = '\0';
+ }
/* append signed headers and payload hash
* NOTE: at present, no HTTP body is handled, per the nature of |
derobins
added
Priority - 2. Medium ⏹
derobins
added a commit
to derobins/hdf5
that referenced
this issue
Oct 15, 2023
In the ros3 VFD, passing an empty string parameter to an internal API call could result in accessing the -1th element of a string. This would cause failures on big-endian systems like s390x. This parameter is now checked before writing to the string. Fixes GitHub HDFGroup#1168
lrknox
pushed a commit
that referenced
this issue
Oct 16, 2023
In the ros3 VFD, passing an empty string parameter to an internal API call could result in accessing the -1th element of a string. This would cause failures on big-endian systems like s390x. This parameter is now checked before writing to the string. Fixes GitHub #1168
|
Fixed w/ #3681 |
brtnfld
pushed a commit
to brtnfld/hdf5
that referenced
this issue
Oct 16, 2023
In the ros3 VFD, passing an empty string parameter to an internal API call could result in accessing the -1th element of a string. This would cause failures on big-endian systems like s390x. This parameter is now checked before writing to the string. Fixes GitHub HDFGroup#1168
jhendersonHDF
pushed a commit
to jhendersonHDF/hdf5
that referenced
this issue
Oct 18, 2023
In the ros3 VFD, passing an empty string parameter to an internal API call could result in accessing the -1th element of a string. This would cause failures on big-endian systems like s390x. This parameter is now checked before writing to the string. Fixes GitHub HDFGroup#1168
derobins
added a commit
that referenced
this issue
Oct 18, 2023
* Address nagfor exceptions stoppage. (#3658) * added cmake ieee flag for nagfor * generalized determining the nag compiler * fixing some misc. NAG warnings * Simplify. (#3659) * Address @jhendersonHDF review * Add expedited testing support to t_filters_parallel (#3665) * Remove clang warnings (#3656) * Fixes test failure for gfortran -O2 and -O3, -fdefault-real-16 (#3662) * added cmake ieee flag for nagfor * fixes gfortran -O2 and -O3, -fdefault-real-16 * fixed sync * updated release notes * Fix link error on clang17/gfortran13/macOS-13 (#3666) (#3671) * Correct fortran CMake generator expressions (#3670) * Add AOCC GitHub Action (#3504) (#3657) * Fix uninitialized subfiling test variable (#3675) Picked up by gcc 10 on skybridge. Probably spurious, but no harm in initializing it to a "bad" value. * Add support for AOCC & Flang w/ the Autotools (#3674) * Adds a config/clang-fflags options file to support Flang * Corrects missing "-Wl," from linker options in the libtool wrappers when using Flang, the MPI Fortran compiler wrappers, and building the shared library. This would often result in unrecognized options like -soname. * Enable -nomp w/ Flang to avoid linking to the OpenMPI library. CMake can build the parallel, shared library w/ Fortran using AOCC and Flang, so no changes were needed for that build system. Fixes GitHub issues #3439, #1588, #366, #280 * Fix a strncpy call to use dest size not src (#3677) A strncpy call in a path construction call used the size of the src buffer instead of the dest buffer as the limit n. This was switched to use the dest size and properly terminate the string if truncation occurs. * Remove CANBE_UNUSED() from subfiling VFD (#3678) This macro was an attempt to quiet warnings about release mode unused variables that only appear in asserts. It resolves to a void cast, which doesn't quiet warnings when an assignment has already taken place. * Suppress MPI_Waitall warnings w/ MPICH (#3680) MPICH defines MPI_STATUSES_IGNORE (a pointer) to 1, which raises warnings w/ gcc. This is a known issue that the MPICH devs are not going to fix. See here: pmodels/mpich#5687 This fix suppresses those issues w/ gcc * Fix a possible NULL pointer dereference in tests (#3676) The dtypes test could dereference a NULL pointer if a strdup call failed. * Fix printf warnings in t_mpi (#3679) * Fix printf warnings in t_mpi The type of MPI_Offset varies with implementation. In MPICH, it's long, which raises warnings when we attempt to use long long format specifiers. Casting to long long fixes the warnings. * Fix invalid memory access in S3 comms (#3681) In the ros3 VFD, passing an empty string parameter to an internal API call could result in accessing the -1th element of a string. This would cause failures on big-endian systems like s390x. This parameter is now checked before writing to the string. Fixes GitHub #1168 * Add Doxygen for H5Pset_fapl_sec2() (#3685) * * switch to using time function instead of date function (#3690) * Initialize API context MPI types to MPI_BYTE (#3688) * Add test info output to t_filters_parallel (#3696) * Suppress format string warnings in subfiling test (#3699) * Fix unused variable in tselect.c (#3701) * Fix unused variable warning in H5F_sfile_assert_num (#3700) * Restore floating-point suffixes in tests (#3698) A prior commit removed too many F suffixes. This restores the suffixes for float variables. * Sync with changes from develop --------- Co-authored-by: Scot Breitenfeld <brtnfld@hdfgroup.org> Co-authored-by: H. Joe Lee <hyoklee@hdfgroup.org> Co-authored-by: Allen Byrne <50328838+byrnHDF@users.noreply.github.com> Co-authored-by: Dana Robinson <43805+derobins@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
hdf5 was failing to build in ubuntu on s390x, seen here https://launchpad.net/ubuntu/+source/hdf5/1.10.7+repack-4/+build/22296161 and I feared some kind of endianness thing but instead it was a failure in test_aws_canonical_request that turned out to be caused by an out of bounds write in H5FD_s3comms_aws_canonical_request, specifically
when signed_headers_dest is the empty string, which happens for the last of the test cases in the function (this manifested as a scribble over a different local variable's value in test_aws_canonical_request's stack frame so took a bit of figuring out).
I've no idea why this only just started failing for us or why it only fails on s390x but either way it's clearly buggy code.
The text was updated successfully, but these errors were encountered: