
Untrusted Pointer Dereference in H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499 #1326

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 4 comments
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub

Comments


ZFeiXQ commented Dec 25, 2021

Untrusted Pointer Dereference in H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499
Version

h5ls: Version 1.13.1-1

command:

h5ls POC

POC.zip

Result

Segmentation fault.

bt

Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
gdb-peda$ bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x000055555568861f in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x555555930560) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:499
#2  0x00005555556881a4 in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x5555559303a0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:330
#3  0x0000555555689497 in H5O__dtype_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, p_size=<optimized out>, p=<optimized out>, ioflags=0x7fffffffc6c4)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1137
#4  H5O__dtype_shared_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, ioflags=0x7fffffffc6c4, p_size=<optimized out>, p=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Oshared.h:81
#5  0x00005555556987bb in H5O_msg_read_oh (f=0x55555594f480, oh=oh@entry=0x555555954880, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:514
#6  0x00005555556989d9 in H5O_msg_read (loc=loc@entry=0x555555955e70, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
#7  0x00005555555d0657 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555955e70) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
#8  H5D_open (loc=loc@entry=0x7fffffffc8b0, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
#9  0x00005555557f84fa in H5O__dset_open (obj_loc=0x7fffffffc8b0, opened_type=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Doh.c:246
#10 0x0000555555690728 in H5O_open_by_loc (obj_loc=0x7fffffffc8b0, opened_type=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:758
#11 0x0000555555690823 in H5O_open_name (loc=loc@entry=0x7fffffffc940, name=0x555555954390 "/dset1", opened_type=opened_type@entry=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:625
#12 0x00005555557afd3f in H5VL__native_object_open (obj=<optimized out>, loc_params=0x7fffffffc9c0, opened_type=0x7fffffffc9b4, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_object.c:88
#13 0x000055555579f0cc in H5VL__object_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, opened_type=0x7fffffffc9b4, params=0x7fffffffc9c0, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5569
#14 H5VL_object_open (vol_obj=0x555555951b40, params=params@entry=0x7fffffffc9c0, opened_type=opened_type@entry=0x7fffffffc9b4, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5601
#15 0x0000555555673145 in H5O__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, lapl_id=0x0, name=0x555555954390 "/dset1", loc_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:119
#16 H5Oopen (loc_id=0x100000000000000, name=0x555555954390 "/dset1", lapl_id=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:163
#17 0x0000555555567295 in list_obj (name=0x555555954390 "/dset1", oinfo=0x7fffffffd060, first_seen=0x0, _iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2226
#18 0x000055555558262a in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
#19 0x000055555563244d in H5G__iterate_cb (_udata=0x7fffffffd3c0, lnk=0x7fffffffd150) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:866
#20 H5G__iterate_cb (lnk=0x7fffffffd150, _udata=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:839
#21 0x0000555555638c1e in H5G__node_iterate (f=f@entry=0x55555594f480, _lt_key=<optimized out>, addr=0x430, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffd290)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#22 0x00005555557daac0 in H5B__iterate_helper (f=0x55555594f480, type=0x555555902060 <H5B_SNODE>, addr=0x88, op=0x555555638b30 <H5G__node_iterate>, udata=udata@entry=0x7fffffffd290)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#23 0x00005555557dbf9b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffd290) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#24 0x000055555563d9f6 in H5G__stab_iterate (oloc=oloc@entry=0x5555559532b8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
    op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#25 0x000055555563b575 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x5555559532b8, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, 
    last_lnk=last_lnk@entry=0x7fffffffd448, op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#26 0x0000555555633558 in H5G_iterate (loc=<optimized out>, group_name=<optimized out>, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
    lnk_op=0x7fffffffd450, op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:921
#27 0x000055555566b93a in H5L_iterate (loc=loc@entry=0x7fffffffd490, group_name=<optimized out>, idx_type=<optimized out>, order=<optimized out>, idx_p=<optimized out>, op=<optimized out>, 
    op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Lint.c:2243
#28 0x00005555557af715 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffd510, args=0x7fffffffd540, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:381
#29 0x000055555579e570 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffd540, loc_params=0x7fffffffd510, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#30 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555951b40, loc_params=loc_params@entry=0x7fffffffd510, args=args@entry=0x7fffffffd540, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#31 0x000055555566722d in H5Literate_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555900010 <root_name> "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
    idx_p=idx_p@entry=0x0, op=op@entry=0x555555582470 <traverse_cb>, op_data=0x7fffffffd610, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1823
#32 0x0000555555583b7d in traverse (fields=0x3, visitor=0x7fffffffd5d0, recurse=0x0, visit_start=<optimized out>, grp_name=0x555555900010 <root_name> "/", file_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:294
#33 h5trav_visit (fid=0x100000000000000, grp_name=0x555555900010 <root_name> "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, 
    udata=0x7fffffffdd00, fields=0x3) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#34 0x0000555555567464 in visit_obj (file=0x100000000000000, oname=0x555555900010 <root_name> "/", iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2499
#35 0x000055555556363a in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:3105
#36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f50 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
    at ../csu/libc-start.c:308
#37 0x000055555556419e in _start () at /usr/include/x86_64-linux-gnu/bits/stdio2.h:100

carnil commented Jan 28, 2022

This appears to be CVE-2021-46243.

@derobins derobins added Priority - 1. High 🔼 These are important issues that should be resolved in the next release Component - C Library Core C library issues (usually in the src directory) Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub labels May 4, 2023
derobins (Member) commented May 4, 2023

Fixed in develop. h5dump and h5ls both exit with error codes vs. segfault, and don't leak memory.

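As an added illustration of the bug class behind this report (hypothetical code written for this page, not HDF5's own decoder and not the code at H5Odtype.c:499): a length-prefixed field decoder in its unchecked form beside a hardened one that tracks the bytes remaining in the message and returns an error instead of letting memcpy run off the end, which is the error-code-instead-of-segfault behaviour the maintainer describes. The struct, function and sample names are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical decoder state (not HDF5's): a read cursor plus the
 * number of bytes still available after it. */
typedef struct {
    const uint8_t *p;
    size_t         remaining;
} msg_cursor_t;

/* Unchecked decode: trusts the length byte from the file and copies that
 * many bytes, so a crafted length makes memcpy read past the message. */
int decode_name_unchecked(msg_cursor_t *c, char *out, size_t outsz) {
    size_t len = *c->p++;          /* length comes from untrusted input */
    if (len >= outsz) return -1;   /* guards 'out', not the source buffer */
    memcpy(out, c->p, len);        /* out-of-bounds read when len > remaining */
    out[len] = '\0';
    c->p += len;
    return 0;
}
/* Hardened decode: every read is checked against the remaining byte count
 * first, and the cursor advances only on success. */
int decode_name_checked(msg_cursor_t *c, char *out, size_t outsz) {
    if (c->remaining < 1) return -1;
    size_t len = c->p[0];
    if (len + 1 > c->remaining || len >= outsz) return -1;
    memcpy(out, c->p + 1, len);
    out[len] = '\0';
    c->p += 1 + len;
    c->remaining -= 1 + len;
    return 0;
}

/* Constructed samples: a well-formed message, and one whose length byte
 * claims 40 bytes of name while only 4 bytes of payload follow. */
const uint8_t VALID_MSG[]     = { 4,  'd', 's', 'e', 't' };
const uint8_t TRUNCATED_MSG[] = { 40, 'd', 's', 'e', 't' };

/* Returns 0 when the checked decoder accepts the valid message, rejects the
 * truncated one, and leaves the cursor untouched on rejection. */
int demo(void) {
    char name[64];
    msg_cursor_t ok  = { VALID_MSG, sizeof VALID_MSG };
    msg_cursor_t bad = { TRUNCATED_MSG, sizeof TRUNCATED_MSG };
    if (decode_name_checked(&ok, name, sizeof name) != 0) return 1;
    if (strcmp(name, "dset") != 0 || ok.remaining != 0) return 2;
    if (decode_name_checked(&bad, name, sizeof name) != -1) return 3;
    if (bad.remaining != sizeof TRUNCATED_MSG) return 4;
    return 0;
}
```

The unchecked variant is included only for comparison and is never run on the truncated sample; a fuzzer-generated file like the attached POC is exactly the input that separates the two.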
@derobins derobins closed this as completed May 4, 2023
@opoplawski (Contributor)

If possible, it would be very helpful to know what commit(s) fixes these CVE issues. Due to HDF5's unfortunate runtime version # check it's necessary to backport any fixes to previous versions.


carnil commented May 6, 2023

Is this fixed along with 0b4e9cf?

5 participants