Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Description

HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format. link: https://portal.hdfgroup.org/display/HDF5/HDF5

Divided By Zero - DivByZero__H5D_chunk_POC (CVE-2018-15672)

A SIGFPE signal is raised in the function H5D__chunk_init of H5Dchunk.c in the 'hdf5' package 1.10.2 during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. The value of 'dset->shared->layout.u.chunk.dim[u]' becomes zero on the iteration when u=3. This may leads to Denial of Service (application crash).

Affected version - 1.10.2 (compiled from source)

Command ./h5stat -A -T -G -D -S $POC (DivByZero__H5D_chunk_POC)
Debugging
break H5Dchunk.c:1022 if u = 3

Breakpoint 2, H5D__chunk_init (f=0x60700000de60, dxpl_id=0xa00000000000008, dset=0x606000000c20, dapl_id=0xa00000000000007) at H5Dchunk.c:1022
1022 - rdcc->scaled_dims[u] = dset->shared->curr_dims[u] / dset->shared->layout.u.chunk.dim[u];
1: dset->shared->layout.u.chunk.dim[u] = 0x0
2: dset->shared->curr_dims[u] = 0x101
3: u = 0x3
Backtrace
#0  H5D__chunk_init (f=0x60700000de60, dxpl_id=0xa00000000000008, dset=0x606000000c20, dapl_id=0xa00000000000007) at H5Dchunk.c:1022
#1  0x00007ffff6285bef in H5D__layout_oh_read (dataset=0x606000000c20, dxpl_id=0xa00000000000008, dapl_id=0xa00000000000007, plist=0x60400000cfd0) at H5Dlayout.c:653
#2  0x00007ffff62668fa in H5D__open_oid (dataset=0x606000000c20, dapl_id=0xa00000000000007, dxpl_id=0xa00000000000008) at H5Dint.c:1598
#3  0x00007ffff62644e5 in H5D_open (loc=0x7fffffffc3f0, dapl_id=0xa00000000000007, dxpl_id=0xa00000000000008) at H5Dint.c:1390
#4  0x00007ffff62638e5 in H5D__open_name (loc=0x7fffffffc580, name=0x602000009470 "/Dataset1", dapl_id=0xa00000000000007, dxpl_id=0xa00000000000008) at H5Dint.c:1324
#5  0x00007ffff61ea0b0 in H5Dopen2 (loc_id=0x100000000000000, name=0x602000009470 "/Dataset1", dapl_id=0xa00000000000007) at H5D.c:293
#6  0x00000000004063ac in ?? ()
#7  0x0000000000407563 in ?? ()
#8  0x0000000000438833 in ?? ()
#9  0x00007ffff64068e9 in H5G_visit_cb (lnk=0x7fffffffcd20, _udata=0x7fffffffd400) at H5Gint.c:925
#10 0x00007ffff641cc50 in H5G__node_iterate (f=0x60700000de60, dxpl_id=0xa00000000000008, _lt_key=0x61200001e048, addr=0x4e0, _rt_key=0x61200001e050, _udata=0x7fffffffd070) at H5Gnode.c:1004
#11 0x00007ffff61461fa in H5B__iterate_helper (f=0x60700000de60, dxpl_id=0xa00000000000008, type=0x7ffff6deba80 <H5B_SNODE>, addr=0x180, op=0x7ffff641c5eb <H5G__node_iterate>, udata=0x7fffffffd070) at H5B.c:1179
#12 0x00007ffff61465c7 in H5B_iterate (f=0x60700000de60, dxpl_id=0xa00000000000008, type=0x7ffff6deba80 <H5B_SNODE>, addr=0x180, op=0x7ffff641c5eb <H5G__node_iterate>, udata=0x7fffffffd070) at H5B.c:1224
#13 0x00007ffff64336ab in H5G__stab_iterate (oloc=0x606000000e68, dxpl_id=0xa00000000000008, order=H5_ITER_INC, skip=0x0, last_lnk=0x0, op=0x7ffff64061cc <H5G_visit_cb>, op_data=0x7fffffffd400) at H5Gstab.c:563
#14 0x00007ffff6425ac9 in H5G__obj_iterate (grp_oloc=0x606000000e68, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=0x0, last_lnk=0x0, op=0x7ffff64061cc <H5G_visit_cb>, op_data=0x7fffffffd400, dxpl_id=0xa00000000000008) at H5Gobj.c:706
#15 0x00007ffff6408508 in H5G_visit (loc_id=0x100000000000000, group_name=0x442e80 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=0x438308, op_data=0x7fffffffd630, lapl_id=0xa00000000000000, dxpl_id=0xa00000000000008) at H5Gint.c:1160
#16 0x00007ffff64e7b04 in H5Lvisit_by_name (loc_id=0x100000000000000, group_name=0x442e80 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=0x438308, op_data=0x7fffffffd630, lapl_id=0xa00000000000000) at H5L.c:1381
#17 0x0000000000438dca in ?? ()
#18 0x000000000043c6e4 in ?? ()
#19 0x000000000040c21e in ?? ()
#20 0x00007ffff5ba7830 in __libc_start_main (main=0x40bb52, argc=0x7, argv=0x7fffffffddf8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:291
#21 0x0000000000404e59 in ?? ()

=============================================================

Divided By Zero - H5D__chunk_set_info_real_div_by_zero (CVE-2018-17237)

A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero

Affected version - 1.10.3 (latest release)

Command ./h5dump -H $POC (H5D__chunk_set_info_real_div_by_zero)

Source

 layout->chunks[u] = ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u];

Debugging

gef➤  p curr_dims[u]
$1 = 0x4
gef➤  p layout->dim[u]
$2 = 0x0
gef➤  p ((curr_dims[u] + layout->dim[u]) - 1) / layout->dim[u]
Division by zero
x/i $pc
=> 0x7ffff700b505 <H5D__chunk_set_info+437>:	div    r14

info registers 
rax            0x3	0x3
rbx            0x555555837ab0	0x555555837ab0
rcx            0x0	0x0
rdx            0x0	0x0
rsi            0x0	0x0
rdi            0x555555837a10	0x555555837a10
rbp            0x555555838678	0x555555838678
rsp            0x7fffffffd350	0x7fffffffd350
r8             0x1	0x1
r9             0x1	0x1
r10            0x11f	0x11f
r11            0x555555838478	0x555555838478
r12            0x1	0x1
r13            0x4	0x4
r14            0x0	0x0
r15            0xffffffffffffffff	0xffffffffffffffff
rip            0x7ffff700b505	0x7ffff700b505 <H5D__chunk_set_info+437>
eflags         0x10217	[ CF PF AF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

Backtrace


[#0] 0x7ffff700b505 → Name: H5D__chunk_set_info_real(max_dims=0x555555838678, curr_dims=0x555555838478, ndims=0x1, layout=0x555555837bb0)
[#1] 0x7ffff700b505 → Name: H5D__chunk_set_info(dset=0x555555837a10)
[#2] 0x7ffff700c42c → Name: H5D__chunk_init(f=<optimized out>, dset=0x555555837a10, dapl_id=<optimized out>)
[#3] 0x7ffff7093ec3 → Name: H5D__layout_oh_read(dataset=0x555555837a10, dapl_id=0xa00000000000007, plist=0x555555831d70)
[#4] 0x7ffff70807aa → Name: H5D__open_oid(dapl_id=0xa00000000000007, dataset=0x555555837a10)
[#5] 0x7ffff70807aa → Name: H5D_open(loc=0x7fffffffd530, dapl_id=0xa00000000000007)
[#6] 0x7ffff7082ceb → Name: H5D__open_name(loc=0x7fffffffd5c0, name=0x555555836f30 "/Dataset1", dapl_id=0xa00000000000007)
[#7] 0x7ffff6fe1d98 → Name: H5Dopen2(loc_id=0x100000000000000, name=0x555555836f30 "/Dataset1", dapl_id=<optimized out>)
[#8] 0x5555555d79ca → test rax, rax
[#9] 0x5555555db6e8 → test eax, eax

Fault occurred - SIGFPE

=============================================================

Stack Overflow - stackoverflow_H5P__get_cb (CVE-2018-15671)

Description

A stack-overflow has been detected in the function H5P__get_cb() in H5Pint.c of HDF5 package (1.10.2) during an attempted parse of a crafted HDF file, because of improper handling an exceptional case when the buffer is too large. This cause the program to crash with segmenation fault SIGSEGV.

Affected version - 1.10.2 (compiled from source)

Command: ./h5stat -A -T -G -D -S $POC
registers
$rax   : 0x7ffff5cd49b0      →  <__memmove_avx_unaligned+0> mov rax, rdi
$rbx   : 0x8               
$rcx   : 0x1               
$rdx   : 0x8               
$rsp   : 0x7fffff7fee40    
$rbp   : 0x7fffff7ff6b0      →  0x00007fffff7ff700  →  0x00007fffff7ff760  →  0x00007fffff7ff820  →  0x00007fffff7ff8e0  →  0x00007fffff7ffb10  →  0x00007fffff7ffbe0  →  0x00007fffff7ffcb0
$rsi   : 0x602000009eb0      →  0x0000000000000060 ("`"?)
$rdi   : 0x7fffff7ff880      →  0x00000c04000b1e33  →  0x0000000000000000
$rip   : 0x7ffff6ef662f      →  <__asan_memcpy+111> call rax
$r8    : 0x7fffff7ff7c0      →  0x00007fffff7ff880  →  0x00000c04000b1e33  →  0x0000000000000000
$r9    : 0x65c             
$r10   : 0x62d001b44400      →  0x000000000000864c
$r11   : 0x7fffff7ff5c0      →  0x00007fffff7ff7a0  →  0x0000000041b58ab3
$r12   : 0x7fffff7ff880      →  0x00000c04000b1e33  →  0x0000000000000000
$r13   : 0x7ffff7381744      →  0x0000000000000001
$r14   : 0x7fffff7ff7a0      →  0x0000000041b58ab3
$r15   : 0x602000009eb0      →  0x0000000000000060 ("`"?)

ASAN Output

Filename: /home/woot/Hdf5_crashes/hdf5_hls_results/stack-overflow_POC
ASAN:SIGSEGV
=================================================================
==4432==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd76478fa8 (pc 0x7f79626c662f bp 0x7ffd76479820 sp 0x7ffd76478fb0 T0)
    #0 0x7f79626c662e in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c62e)
    #1 0x7f7961e5a971 in H5P__get_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:4329
    #2 0x7f7961e52a3f in H5P__do_prop /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:2641
    #3 0x7f7961e5acce in H5P_get /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:4383
    #4 0x7f796190046d in H5AC_tag /home/woot/hdf5-hdf5-1_10_2/src/H5AC.c:2784
    #5 0x7f7961bf2099 in H5G__obj_get_linfo /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:323
    #6 0x7f7961bf9df9 in H5G__obj_lookup /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:1137
    #7 0x7f7961c11c8f in H5G_traverse_real /home/woot/hdf5-hdf5-1_10_2/src/H5Gtraverse.c:593
    #8 0x7f7961c1404e in H5G_traverse /home/woot/hdf5-hdf5-1_10_2/src/H5Gtraverse.c:866
    #9 0x7f7961be08d5 in H5G_loc_info /home/woot/hdf5-hdf5-1_10_2/src/H5Gloc.c:744
    #10 0x7f7961cf5ba7 in H5Oget_info_by_name /home/woot/hdf5-hdf5-1_10_2/src/H5O.c:535
    #11 0x43868b  (/home/woot/hdf5-hdf5-1_10_2/hdf5/bin/h5stat+0x43868b)
    #12 0x7f7961bd68e8 in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:925
    #13 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004
    #14 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179
    #15 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224
    #16 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563
    #17 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706
    #18 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009
    #19 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004
    #20 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179
    #21 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224
    #22 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563
    #23 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706
    #24 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009
    #25 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004
    #26 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179
    #27 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224
    #28 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563
    #29 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706
    #30 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009
    #31 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004
    #32 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179
    #33 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224
    #34 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563
    #35 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706
    .....
    .....
    .....
SUMMARY: AddressSanitizer: stack-overflow ??:0 __asan_memcpy
==4432==ABORTING