A memory leak was found while testing h5_extended_fuzzer with libfuzzer

[MageWeiG]

While testing h5_extended_fuzzer with libfuzzer, I found a memory leak

The reason for this vulnerability is: There is a direct leak that occurs when object creation is handled in the HDF5 library. The H5O_create_ohdr function attempted to allocate memory via H5FL_reg_calloc (it is based on H5FL_reg_malloc), but the memory could not be freed before the end of the program. In addition, H5Ochunk_deserialize, H5O__chunk_deserialize, H5Oalloc_msgs three functions also have the same leakage problem.

the following crash information:

=================================================================
==14==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 416 byte(s) in 1 object(s) allocated from:
    #0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55ab3e0a3120 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
    #2 0x55ab3e0a3120 in H5FL_reg_malloc /src/hdf5/src/H5FL.c:355:34
    #3 0x55ab3e0a3408 in H5FL_reg_calloc /src/hdf5/src/H5FL.c:387:30
    #4 0x55ab3e1cc07d in H5O_create_ohdr /src/hdf5/src/H5Oint.c:321:10
    #5 0x55ab3e1cbd6f in H5O_create /src/hdf5/src/H5Oint.c:278:10
    #6 0x55ab3e0db26e in H5G__obj_create_real /src/hdf5/src/H5Gobj.c:248:9
    #7 0x55ab3e0dab38 in H5G__obj_create /src/hdf5/src/H5Gobj.c:137:9
    #8 0x55ab3e0e179b in H5G_mkroot /src/hdf5/src/H5Groot.c:173:13
    #9 0x55ab3e04b57f in H5F_open /src/hdf5/src/H5Fint.c:2070:13
    #10 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
    #11 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
    #12 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
    #13 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
    #14 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
    #15 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
    #16 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #17 0x55ab3dd94bc1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:807:3
    #18 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #19 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #20 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #21 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_reg_malloc
Indirect leak of 97 byte(s) in 1 object(s) allocated from:
    #0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
    #2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
    #3 0x55ab3e19af5d in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1205:45
    #4 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
    #5 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
    #6 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
    #7 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
    #8 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
    #9 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
    #10 0x55ab3e06567e in H5F__super_read /src/hdf5/src/H5Fsuper.c:693:23
    #11 0x55ab3e04b302 in H5F_open /src/hdf5/src/H5Fint.c:2075:13
    #12 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
    #13 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
    #14 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
    #15 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
    #16 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
    #17 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
    #18 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #20 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
    #21 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #22 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #23 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #24 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
    #2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
    #3 0x55ab3e19ae00 in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1190:26
    #4 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
    #5 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
    #6 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
    #7 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
    #8 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
    #9 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
    #10 0x55ab3e0e27e6 in H5G_mkroot /src/hdf5/src/H5Groot.c:254:49
    #11 0x55ab3e04b7d2 in H5F_open /src/hdf5/src/H5Fint.c:2098:13
    #12 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
    #13 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
    #14 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
    #15 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
    #16 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
    #17 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
    #18 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #20 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
    #21 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #22 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #23 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #24 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
Indirect leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
    #2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
    #3 0x55ab3e7f6ab5 in H5O__alloc_msgs /src/hdf5/src/H5Oalloc.c:435:29
    #4 0x55ab3e19bc61 in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1328:21
    #5 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
    #6 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
    #7 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
    #8 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
    #9 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
    #10 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
    #11 0x55ab3e0e27e6 in H5G_mkroot /src/hdf5/src/H5Groot.c:254:49
    #12 0x55ab3e04b7d2 in H5F_open /src/hdf5/src/H5Fint.c:2098:13
    #13 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
    #14 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
    #15 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
    #16 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
    #17 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
    #18 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
    #19 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #20 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #21 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
    #22 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #23 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #24 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #25 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
SUMMARY: AddressSanitizer: 657 byte(s) leaked in 4 allocation(s).

The vulnerability trigger sample is attached. leak-f09dd087c9ceb2002b004890a9ef5d1e6532fcc0.zip

[derobins]

Which version of the library is this, how are you configuring and building the library, and how are you exercising the code? I don't see this problem via valgrind w/ gcc 13.2.0 when I run the file through the HDF5 command-line tools.

[MageWeiG]

This vulnerability was discovered while testing h5_extended_fuzzer using ossfuzz. According to Dockerfile (https://github.com/google/oss-fuzz/blob/master/projects/hdf5/Dockerfile), using the latest code. Because in the build. Sh (https://github.com/google/oss-fuzz/blob/master/projects/hdf5/build.sh) file is not found in the compiler, so I run into the Docker environment to see, The default compilation environment is 'CXX=clang++','CC=clang'. The harness file used is located https://github.com/google/oss-fuzz/blob/master/projects/hdf5/h5_extended_fuzzer.c . Just replicated it using fuzzer and found it triggers. Do you need any more information?