[CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() #2228

e4t · 2022-11-07T13:26:19Z

Description
CVE-2021-45830 provides a reproducer that causes a heap buffer overflow in H5F_addr_decode_len(). The issue is still seen in hdf5 version 1.13.3.
The cause of this is an incomplete bounds checking in the caller H5O__fsinfo_decode() as a buffer size verification is only done when decoding the file space address.
The heap overflow on read itself appears to be harmless from a security perspective. This may not be true for later memory accesses (possibly writes) based on inconsistent/invalid data read.
The overflow can be seen both with valgrind and the gcc address sanitizer (make CFLAGS="-g -fsanitize=address" CXXFLAGS="-g -fsanitize=address" FCFLAGS="-g -fsanitize=address")

Expected behavior
Detect invalid hdf5 data properly and trigger the appropriate error handler.
Handle buffer overflow condition properly to avoid possible vulnerabilities thru manipulated hdf5 data files brought in circulation by bad actors.

Platform

HDF5 version 1.13.3
openSUSE Leap 15.4 / SLE 15.4 / openSUSE Tumbleweed
gcc 7 / gcc 11
autotools
configure --enable-fortran --enable-unsupported --enable-hl --enable-shared --enable-threadsafe --enable-build-mode=production --enable-cxx --with-pthread

Malformed hdf5 files may have trunkated content which does not match the expected size. This function attempts to decode these it will read past the end of the allocated space which may lead to a crash. Make sure each element is within bounds before reading. This fixes CVE-2021-45830 / Bug HDFGroup#2228. Signed-off-by: Egbert Eich <eich@suse.com> Additions

When decoding a file space info message in H5O__fsinfo_decode() make sure each element to be decoded is still within the message. Malformed hdf5 files may have trunkated content which does not match the expected size. Checking this will prevent attempting to decode unrelated data and heap overflows. So far, only free space manager address data was checked before decoding. This fixes CVE-2021-45830 / Bug HDFGroup#2228. Signed-off-by: Egbert Eich <eich@suse.com> Additions

When decoding a file space info message in H5O__fsinfo_decode() make sure each element to be decoded is still within the message. Malformed hdf5 files may have trunkated content which does not match the expected size. Checking this will prevent attempting to decode unrelated data and heap overflows. So far, only free space manager address data was checked before decoding. This fixes CVE-2021-45830 / Bug #2228. Signed-off-by: Egbert Eich <eich@suse.com> Additions Co-authored-by: Larry Knox <lrknox@hdfgroup.org>

byrnHDF · 2023-06-13T21:24:17Z

See #1314

e4t added the bug label Nov 7, 2022

e4t changed the title ~~[BUG, CVE-2021-45830]~~ [BUG, CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() Nov 7, 2022

e4t mentioned this issue Nov 7, 2022

H5O_fsinfo_decode() Make more resilient to out-of-bounds read #2229

Merged

derobins removed the bug label Mar 3, 2023

derobins assigned byrnHDF May 4, 2023

derobins changed the title ~~[BUG, CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len()~~ [CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() May 4, 2023

byrnHDF closed this as completed Jun 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() #2228

[CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() #2228

e4t commented Nov 7, 2022

byrnHDF commented Jun 13, 2023

[CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() #2228

[CVE-2021-45830] Heap Buffer Overflow in H5F_addr_decode_len() #2228

Comments

e4t commented Nov 7, 2022

byrnHDF commented Jun 13, 2023