Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allocation-size-too-big error in H5MM.c #4431

Open
gabe-sherman opened this issue Apr 21, 2024 · 1 comment
Open

allocation-size-too-big error in H5MM.c #4431

gabe-sherman opened this issue Apr 21, 2024 · 1 comment
Assignees
@bmribler
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them
Milestone
1.14.5

Comments

@gabe-sherman
Copy link

gabe-sherman commented Apr 21, 2024
edited
Loading

An allocation-size-too-big error occurs in the h5dump program when provided with a malformed input. This behavior occurs at line 87 in H5MM.c

How to trigger

LD_PRELOAD=path-to/libhdf5.so h5dump poc

POC File

https://github.com/FuturesLab/POC/blob/main/hdf5/poc-03

Test Environment

Ubuntu 22.04, 64bit

Version

Latest: 0394b03

Address Sanitizer Output

=================================================================
==1364666==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffff20 (0x720 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x5555565cc886 in __interceptor_realloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c)
    #1 0x5555566987aa in H5MM_realloc /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5MM.c:87:21
    #2 0x555556f79dc2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26

==1364666==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c) in __interceptor_realloc
==1364666==ABORTING
@derobins derobins added this to the 1.14.5 milestone Apr 22, 2024
@derobins derobins added Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Component - C Library Core C library issues (usually in the src directory) Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 22, 2024
@gabe-sherman
Copy link
Author

To add a bit more context, here is the harness that discovered this crash

#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdlib.h>
#include <hdf5.h>

int main(int argc, char *argv[])
{
   char *fuzzData = argv[1];

   char H5Gcreate1var0[256];
	sprintf(H5Gcreate1var0, "yhoom");
   char H5Gcreate2var0[256];
	sprintf(H5Gcreate2var0, "7td9h");
   hid_t H5Fopenval1 = H5Fopen(fuzzData, 1, 0);
	if(strcmp(argv[1], fuzzData)){
		fprintf(stderr, "err");
	}
	if(H5Fopenval1 < 0){
		fprintf(stderr, "err");
	}
   hid_t H5Gcreate1val1 = H5Gcreate1(H5Fopenval1, H5Gcreate1var0, 1);
	if(strcmp(argv[1], fuzzData)){
		fprintf(stderr, "err");
	}
	if(H5Gcreate1val1 < 0){
		fprintf(stderr, "err");
	}
   hid_t H5Gcreate2val1 = H5Gcreate2(H5Gcreate1val1, H5Gcreate2var0, 0, 0, 0);
	if(strcmp(argv[1], fuzzData)){
		fprintf(stderr, "err");
	}
	if(H5Gcreate2val1 < 0){
		fprintf(stderr, "err");
	}
   return 0;
}

@derobins derobins added the Type - Security Security issues, including library crashers and memory leaks label Jun 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bmribler bmribler

Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug Please report security issues to help@hdfgroup.org instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them
Projects
None yet
Milestone
1.14.5
Development

No branches or pull requests
3 participants
@derobins @bmribler @gabe-sherman