A heap-use-after-free in H5AC_unpin_entry #1329

Closed
ZFeiXQ opened this issue Dec 25, 2021 · 2 comments
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub

ZFeiXQ commented Dec 25, 2021

Version:

h5format_convert: Version 1.13.1-1

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

h5format_convert POC1

POC1.zip

Result

Segmentation fault

ASAN

==668178==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000025cc8 at pc 0x00000058121f bp 0x7ffebad749a0 sp 0x7ffebad74998
READ of size 8 at 0x612000025cc8 thread T0
    #0 0x58121e in H5AC_unpin_entry /home/zxq/CVE_testing/project/hdf5/src/H5AC.c:1494:28
    #1 0x78b303 in H5F__dest /home/zxq/CVE_testing/project/hdf5/src/H5Fint.c:1487:21
    #2 0x77d0c7 in H5F_open /home/zxq/CVE_testing/project/hdf5/src/H5Fint.c:2085:13
    #3 0x1046f2a in H5VL__native_file_open /home/zxq/CVE_testing/project/hdf5/src/H5VLnative_file.c:127:29
    #4 0xffdee7 in H5VL__file_open /home/zxq/CVE_testing/project/hdf5/src/H5VLcallback.c:3497:30
    #5 0xffd397 in H5VL_file_open /home/zxq/CVE_testing/project/hdf5/src/H5VLcallback.c:3646:30
    #6 0x7532f7 in H5F__open_api_common /home/zxq/CVE_testing/project/hdf5/src/H5F.c:795:29
    #7 0x752476 in H5Fopen /home/zxq/CVE_testing/project/hdf5/src/H5F.c:836:22
    #8 0x4d019d in h5tools_fopen /home/zxq/CVE_testing/project/hdf5/tools/lib/h5tools.c:932:19
    #9 0x4c4d94 in main /home/zxq/CVE_testing/project/hdf5/tools/src/h5format_convert/h5format_convert.c:409:16
    #10 0x7efe0eeba0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41c5bd in _start (/home/zxq/CVE_testing/project/hdf5/build/bin/h5format_convert+0x41c5bd)

0x612000025cc8 is located 8 bytes inside of 288-byte region [0x612000025cc0,0x612000025de0)
freed by thread T0 here:
    #0 0x494a7d in free (/home/zxq/CVE_testing/project/hdf5/build/bin/h5format_convert+0x494a7d)
    #1 0x9b1601 in H5MM_xfree /home/zxq/CVE_testing/project/hdf5/src/H5MM.c:557:9
    #2 0x5e0ee3 in H5C_expunge_entry /home/zxq/CVE_testing/project/hdf5/src/H5C.c:1029:9

previously allocated by thread T0 here:
    #0 0x494e72 in calloc (/home/zxq/CVE_testing/project/hdf5/build/bin/h5format_convert+0x494e72)
    #1 0x9b104a in H5MM_calloc /home/zxq/CVE_testing/project/hdf5/src/H5MM.c:356:21
    #2 0x5f65ed in H5C__load_entry /home/zxq/CVE_testing/project/hdf5/src/H5C.c:7292:26
    #3 0x5f65ed in H5C_protect /home/zxq/CVE_testing/project/hdf5/src/H5C.c:2360:30
    #4 0x5807c6 in H5AC_protect /home/zxq/CVE_testing/project/hdf5/src/H5AC.c:1395:26

SUMMARY: AddressSanitizer: heap-use-after-free /home/zxq/CVE_testing/project/hdf5/src/H5AC.c:1494:28 in H5AC_unpin_entry
Shadow bytes around the buggy address:
==668178==ABORTING
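An added triage helper, not part of this issue or of HDF5, that parses the report above into its use, free and allocation stacks and surfaces the first frame of each that is not the allocator or HDF5's H5MM wrapper; the embedded sample is an abbreviated copy of the report from this issue, and the SKIP set is an assumption about which frames to treat as wrappers.

```python
import re

# Abbreviated copy of the ASAN report from this issue (deeper frames dropped).
SAMPLE_REPORT = """\
==668178==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000025cc8 at pc 0x00000058121f
READ of size 8 at 0x612000025cc8 thread T0
    #0 0x58121e in H5AC_unpin_entry /home/zxq/CVE_testing/project/hdf5/src/H5AC.c:1494:28
    #1 0x78b303 in H5F__dest /home/zxq/CVE_testing/project/hdf5/src/H5Fint.c:1487:21
0x612000025cc8 is located 8 bytes inside of 288-byte region [0x612000025cc0,0x612000025de0)
freed by thread T0 here:
    #0 0x494a7d in free (/home/zxq/CVE_testing/project/hdf5/build/bin/h5format_convert+0x494a7d)
    #1 0x9b1601 in H5MM_xfree /home/zxq/CVE_testing/project/hdf5/src/H5MM.c:557:9
    #2 0x5e0ee3 in H5C_expunge_entry /home/zxq/CVE_testing/project/hdf5/src/H5C.c:1029:9
previously allocated by thread T0 here:
    #0 0x494e72 in calloc (/home/zxq/CVE_testing/project/hdf5/build/bin/h5format_convert+0x494e72)
    #1 0x9b104a in H5MM_calloc /home/zxq/CVE_testing/project/hdf5/src/H5MM.c:356:21
    #2 0x5f65ed in H5C__load_entry /home/zxq/CVE_testing/project/hdf5/src/H5C.c:7292:26
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
# Assumed wrapper frames: libc allocator entry points and HDF5's H5MM layer.
SKIP = {"free", "calloc", "malloc", "realloc", "H5MM_xfree", "H5MM_calloc", "H5MM_malloc"}

def parse_asan_report(text):
    """Return kind/address/access/region fields plus the three stacks and culprit sites."""
    info = {"stacks": {"use": [], "free": [], "alloc": []}}
    current = None  # which stack the following frame lines belong to
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            info["kind"], info["address"] = m.group(1), m.group(2)
            current = "use"
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated"):
            current = "alloc"
        elif (m := ACCESS_RE.match(line)):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif (m := REGION_RE.search(line)):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif (m := FRAME_RE.match(line)) and current:
            info["stacks"][current].append((m.group(2), m.group(3)))
    # The culprit site is the first frame of each stack that is not a wrapper.
    for name, frames in info["stacks"].items():
        info[name + "_site"] = next((f for f in frames if f[0] not in SKIP), None)
    return info
```

On this report it pairs the read in H5AC_unpin_entry (during H5F__dest) with the free in H5C_expunge_entry and the calloc in H5C__load_entry, which is the three-point summary a triager files first.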

carnil commented Jan 28, 2022

This appears to be CVE-2021-46242.

@derobins derobins added Priority - 1. High 🔼 These are important issues that should be resolved in the next release Component - C Library Core C library issues (usually in the src directory) Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub labels May 4, 2023

derobins commented May 4, 2023

Fixed in develop. h5format_convert exits with an error code, no segfault, and no memory leaks.

@derobins derobins closed this as completed May 4, 2023