HDFGroup / hdf5

Official HDF5® Library Repository

Heap-buffer-overflow in H5A__read #4351

Open tbeu opened 3 months ago

tbeu commented 3 months ago

Describe the bug

    ==5605==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000657c at pc 0x00000049ef41 bp 0x7ffd4583ea30 sp 0x7ffd4583e200
    READ of size 8 at 0x60200000657c thread T0
    SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
        #0 0x49ef40 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x692165 in H5A__read [hdf5/src/H5Aint.c:721](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Aint.c#L721):17
        #2 0xf5ef7f in H5VL__native_attr_read [hdf5/src/H5VLnative_attr.c:213](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLnative_attr.c#L213):22
        #3 0xf1fd95 in H5VL__attr_read [hdf5/src/H5VLcallback.c:1204](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLcallback.c#L1204):9
        #4 0xf1fd95 in H5VL_attr_read [hdf5/src/H5VLcallback.c:1235](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLcallback.c#L1235):9
        #5 0x67d103 in H5A__read_api_common [hdf5/src/H5A.c:1006](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5A.c#L1006):9
        #6 0x67cc33 in H5Aread [hdf5/src/H5A.c:1038](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5A.c#L1038):9

    0x60200000657c is located 0 bytes to the right of 12-byte region [0x602000006570,0x60200000657c)
    allocated by thread T0 here:
        #0 0x49fbb6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x89e90e in H5FL__malloc [hdf5/src/H5FL.c:231](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5FL.c#L231):30
        #2 0x89e90e in H5FL_blk_malloc [hdf5/src/H5FL.c:848](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5FL.c#L848):40
        #3 0x9e2b56 in H5O__attr_decode [hdf5/src/H5Oattr.c:280](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Oattr.c#L280):43
        #4 0x9e2b56 in H5O__attr_shared_decode [hdf5/src/H5Oshared.h:73](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Oshared.h#L73):34
        #5 0xa6396f in H5O__msg_iterate_real [hdf5/src/H5Omessage.c:1159](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Omessage.c#L1159):13
        #6 0x9e9212 in H5O__attr_open_by_name [hdf5/src/H5Oattribute.c:493](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Oattribute.c#L493):17
        #7 0x691593 in H5A__open_by_name [hdf5/src/H5Aint.c:629](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5Aint.c#L629):25
        #8 0xf5ea34 in H5VL__native_attr_open [hdf5/src/H5VLnative_attr.c:169](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLnative_attr.c#L169):29
        #9 0xf1f33f in H5VL__attr_open [hdf5/src/H5VLcallback.c:1104](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLcallback.c#L1104):30
        #10 0xf1f33f in H5VL_attr_open [hdf5/src/H5VLcallback.c:1136](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5VLcallback.c#L1136):30
        #11 0x68d48a in H5A__open_common [hdf5/src/H5A.c:459](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5A.c#L459):17
        #12 0x679833 in H5A__open_by_name_api_common [hdf5/src/H5A.c:636](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5A.c#L636):22
        #13 0x6791f4 in H5Aopen_by_name [hdf5/src/H5A.c:674](https://github.com/HDFGroup/hdf5/blob/c5c4713a9a0c940a6d20daad1152a3fc80b4fec5/src/H5A.c#L674):14

Additional context

Reported for c5c4713a9a0c940a6d20daad1152a3fc80b4fec5.

derobins commented 3 months ago

We monitor oss-fuzz, so there's no need to re-create issues here. Also, these issues are not particularly useful without the poc files.

tbeu commented 3 months ago

Right. The issues are reported for libmatio (with restricted access only) and I do not know if the same issues are also reported for your setup. It's all due to #272.

tbeu commented 3 months ago

Here comes the testfile.zip

tbeu commented 2 months ago

This is verified as fixed now: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67806