
Divide By Zero in H5T__complete_copy () at /hdf5/src/H5T.c:3613 #1327

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 2 comments
Labels: Component - C Library (Core C library issues, usually in the src directory); Priority - 1. High 🔼 (These are important issues that should be resolved in the next release); Type - Bug (Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub)

Comments


ZFeiXQ commented Dec 25, 2021

Version:

h5format_convert: Version 1.13.1-1

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

h5format_convert POC

POC.zip

Result

Arithmetic exception

bt

program received signal SIGFPE, Arithmetic exception.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
RCX: 0x21000004 
RDX: 0x0 
RSI: 0x0 
RDI: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
RBP: 0x55555594a250 --> 0x0 
RSP: 0x7fffffffd290 --> 0x21000004 
RIP: 0x55555570bb5f (<H5T__complete_copy+543>:	div    rsi)
R8 : 0x55555570ea80 (<H5T__copy_all>:	endbr64)
R9 : 0x7ffff7e55c50 --> 0x7ffff7e55c40 --> 0x7ffff7e55c30 --> 0x7ffff7e55c20 --> 0x7ffff7e55c10 --> 0x7ffff7e55c00 (--> ...)
R10: 0x5555558fc010 --> 0x2000000010000 
R11: 0x7ffff7e55be0 --> 0x55555594ff50 --> 0x0 
R12: 0x1 
R13: 0x55555594e740 --> 0x555555949930 --> 0x0 
R14: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555570bb54 <H5T__complete_copy+532>:	imul   rax,rcx
   0x55555570bb58 <H5T__complete_copy+536>:	sub    rcx,rsi
   0x55555570bb5b <H5T__complete_copy+539>:	add    QWORD PTR [rsp],rcx
=> 0x55555570bb5f <H5T__complete_copy+543>:	div    rsi
   0x55555570bb62 <H5T__complete_copy+546>:	mov    QWORD PTR [rbx+0x10],rax
   0x55555570bb66 <H5T__complete_copy+550>:	mov    rax,QWORD PTR [rsp+0x28]
   0x55555570bb6b <H5T__complete_copy+555>:	add    r12d,0x1
   0x55555570bb6f <H5T__complete_copy+559>:	cmp    DWORD PTR [rax+0x34],r12d
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd290 --> 0x21000004 
0008| 0x7fffffffd298 --> 0x55555570ea80 (<H5T__copy_all>:	endbr64)
0016| 0x7fffffffd2a0 --> 0x555555949f80 --> 0x55555594a050 --> 0x7ffff7e55b00 --> 0x0 
0024| 0x7fffffffd2a8 --> 0x55555593f2d0 --> 0x0 
0032| 0x7fffffffd2b0 --> 0x555555922020 --> 0x0 
0040| 0x7fffffffd2b8 --> 0x55555593f340 --> 0x0 
0048| 0x7fffffffd2c0 --> 0x55555594e740 --> 0x555555949930 --> 0x0 
0056| 0x7fffffffd2c8 --> 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
    copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
3613	                        new_dt->shared->u.compnd.memb[i].size =
gdb-peda$ bt
#0  0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
    copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
#1  0x000055555570c1f6 in H5T_copy (old_dt=0x555555922020, method=method@entry=H5T_COPY_ALL) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3774
#2  0x0000555555680aa8 in H5O__dtype_copy (_src=<optimized out>, _dst=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1215
#3  0x000055555568fe89 in H5O_msg_read_oh (f=0x555555941400, oh=oh@entry=0x55555594e470, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:521
#4  0x0000555555690129 in H5O_msg_read (loc=loc@entry=0x555555947d60, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
#5  0x00005555555cb237 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555947d60) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
#6  H5D_open (loc=loc@entry=0x7fffffffd520, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
#7  0x00005555555cbfe8 in H5D__open_name (loc=loc@entry=0x7fffffffd5a0, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=dapl_id@entry=0xb00000000000007)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1447
#8  0x00005555557a09e2 in H5VL__native_dataset_open (obj=<optimized out>, loc_params=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=<optimized out>, 
    req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_dataset.c:251
#9  0x000055555578c488 in H5VL__dataset_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, dapl_id=0xb00000000000007, name=0x55555594e230 "/BAG_root/tracking_list", loc_params=0x7fffffffd630, 
    obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1944
#10 H5VL_dataset_open (vol_obj=0x555555944740, loc_params=loc_params@entry=0x7fffffffd630, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=0xb00000000000008, 
    req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1976
#11 0x00005555555bb5e2 in H5D__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, dapl_id=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", loc_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:356
#12 H5Dopen2 (loc_id=0x100000000000000, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:396
#13 0x0000555555563784 in convert (fid=<optimized out>, dname=0x55555594e230 "/BAG_root/tracking_list") at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:213
#14 0x0000555555563d88 in convert_dsets_cb (path=0x55555594e230 "/BAG_root/tracking_list", oi=<optimized out>, already_visited=<optimized out>, _fid=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:363
#15 0x000055555557c8ca in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffe150) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
#16 0x00005555556296a6 in H5G__visit_cb (lnk=0x7fffffffd8f0, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1016
#17 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x8a0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffda30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#18 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x348, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffda30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#19 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffda30) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#20 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x7fffffffdbb0, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
    op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#21 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x7fffffffdbb0, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
    op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#22 0x00005555556299e6 in H5G__visit_cb (lnk=<optimized out>, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1101
#23 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x5e0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffddc0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#24 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x88, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffddc0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#25 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffddc0) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#26 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x555555944ac8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
    op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#27 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x555555944ac8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
    op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#28 0x000055555562b044 in H5G_visit (loc=loc@entry=0x7fffffffdfd0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, op=<optimized out>, op_data=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
#29 0x00005555557a53b5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffe050, args=0x7fffffffe080, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
#30 0x00005555557943c0 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffe080, loc_params=0x7fffffffe050, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#31 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555944740, loc_params=loc_params@entry=0x7fffffffe050, args=args@entry=0x7fffffffe080, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#32 0x000055555565f021 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555810903 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
    op=op@entry=0x55555557c710 <traverse_cb>, op_data=op_data@entry=0x7fffffffe150, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
#33 0x000055555557dd7e in traverse (fields=0x1, visitor=0x7fffffffe110, recurse=0x1, visit_start=<optimized out>, grp_name=0x555555810903 "/", file_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
#34 h5trav_visit (fid=0x100000000000000, grp_name=0x555555810903 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, udata=0x7fffffffe220, 
    fields=0x1) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#35 0x000055555556324d in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:426
#36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
    at ../csu/libc-start.c:308
#37 0x00005555555633ee in _start () at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:166


carnil commented Jan 28, 2022

This appears to have CVE-2021-46244 assigned.

@derobins derobins added the labels Priority - 1. High 🔼 (These are important issues that should be resolved in the next release), Component - C Library (Core C library issues, usually in the src directory) and Type - Bug (Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub) on May 4, 2023

derobins commented May 4, 2023

Fixed in develop. h5format_convert exits with an error code, no segfault, and no memory leaks.

@derobins derobins closed this as completed May 4, 2023
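The fault in the backtrace above is an unsigned `div` whose divisor register (RSI) is 0 while a compound datatype member size is being copied, and the maintainer's fix turns that crash into an error exit. The following C snippet is an added example, not HDF5's code and not the actual fix: it models the hazard class with a hypothetical, simplified datatype structure (the multiply-then-divide shape matches the `imul`/`div` sequence in the disassembly, but the operand names `memb_size`, `new_size`, `old_size` and the `dtype_t`/`member_t` types are assumptions) and shows the guarded form in which sizes read from an untrusted file are validated before they are ever used as a divisor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_MEMBS 4

/* Hypothetical, simplified model of a compound datatype and its members as
 * decoded from an untrusted file. These are NOT HDF5's real structures. */
typedef struct {
    size_t size;                 /* member size as recorded in the file */
} member_t;

typedef struct {
    size_t size;                 /* datatype size as recorded in the file */
    size_t nmembs;
    member_t memb[MAX_MEMBS];
} dtype_t;

/* Unchecked scaling of a member size: multiply, then divide by a size that
 * came from the file. With old_size == 0 this is an unsigned integer divide
 * by zero, which on x86-64 raises SIGFPE, the class of fault in the report.
 * (Operands are assumed; only the multiply-then-divide shape is taken from
 * the report's disassembly.) Never call this with old_size == 0. */
size_t scale_unchecked(size_t memb_size, size_t new_size, size_t old_size)
{
    return (memb_size * new_size) / old_size;
}

/* Checked scaling: validate the file-derived sizes before the division and
 * report failure with a return code instead of faulting. */
int scale_checked(size_t memb_size, size_t new_size, size_t old_size,
                  size_t *out)
{
    if (old_size == 0 || new_size == 0)
        return -1;               /* malformed: zero-sized datatype */
    if (memb_size != 0 && new_size > SIZE_MAX / memb_size)
        return -1;               /* product would overflow size_t */
    *out = (memb_size * new_size) / old_size;
    return 0;
}

/* Copies src's members into dst, rescaling each member size to dst->size.
 * Returns 0 on success, -1 if any field read from the file is invalid. */
int copy_members_checked(const dtype_t *src, dtype_t *dst)
{
    if (src->nmembs > MAX_MEMBS)
        return -1;               /* member count exceeds what we can hold */
    dst->nmembs = src->nmembs;
    for (size_t i = 0; i < src->nmembs; i++) {
        if (scale_checked(src->memb[i].size, dst->size, src->size,
                          &dst->memb[i].size) != 0)
            return -1;
    }
    return 0;
}

/* Constructed well-formed input: an 8-byte type with two members copied
 * into a 16-byte type. Returns the rescaled size of member 1 (4 * 16 / 8). */
size_t example_wellformed(void)
{
    dtype_t src = { .size = 8, .nmembs = 2, .memb = { { 2 }, { 4 } } };
    dtype_t dst = { .size = 16 };
    if (copy_members_checked(&src, &dst) != 0)
        return 0;
    return dst.memb[1].size;
}

/* Constructed malformed input: the source datatype claims size 0, as a
 * corrupt file could. Returns 1 if the copy is rejected instead of faulting. */
int example_zero_size_rejected(void)
{
    dtype_t src = { .size = 0, .nmembs = 1, .memb = { { 4 } } };
    dtype_t dst = { .size = 16 };
    return copy_members_checked(&src, &dst) == -1;
}

int main(void)
{
    printf("well-formed: member 1 rescaled to %zu\n", example_wellformed());
    printf("zero-size source rejected: %s\n",
           example_zero_size_rejected() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The point of the checked path is that a tool such as a format converter can propagate the -1 up to a non-zero exit status, which is the behaviour the maintainer describes for the fixed develop branch, rather than letting a file-controlled zero reach the hardware divide.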