CVE-2017-17507 is unfixed w/ static library #3446
Labels: Component - C Library; Priority - 0. Blocker ⛔; Type - Bug / Bugfix
Describe the bug
When built with --disable-shared, the CVE-2017-17507 regression test fails with a segfault.
This test simply runs h5dump over the proof-of-vulnerability file (can be found in the CVE repository).
derobins@MainScreenTurnOn:~/hdf5_devel/cve_hdf5/cvefiles$ ../../build/hdf5/bin/h5dump cve-2017-17507.h5
HDF5 "cve-2017-17507.h5" {
GROUP "/" {
DATASET "CharSets" {
DATATYPE H5T_COMPOUND {
H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "ascii";
H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_UTF8;
CTYPE H5T_C_S1;
} "utf8";
}
DATASPACE SIMPLE { ( 1 ) / ( 1 ) }
Segmentation fault (core dumped)
Expected behavior
The test should pass (i.e., parsing the file should produce a normal HDF5 error).
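As an added example, not part of this issue and not HDF5's own test suite, the POSIX sh harness below makes the pass/fail rule just stated explicit: a controlled error exit (h5dump rejecting the file and returning non-zero) counts as a pass, termination by a signal counts as a fail, and an optional valgrind wrapper (its --error-exitcode flag) also fails on invalid reads that happen not to segfault. The tool path, the corpus directory layout and the USE_VALGRIND variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: a small regression harness for proof-of-vulnerability files,
# written for this note and not taken from HDF5's own test suite. It assumes a
# tool that exits 0 on success and non-zero (but < 128) when it reports a
# normal error; POSIX shells report a child killed by signal N as 128+N.

# Classify an exit status. Prints CLEAN / ERROR / CRASH / MEMERR and returns
# 0 when the regression test should pass and 1 when it should fail.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "CLEAN"
        return 0
    elif [ "$status" -ge 128 ]; then
        # 139 = SIGSEGV (11), 134 = SIGABRT (6): the parser died instead of
        # returning an error to its caller.
        echo "CRASH signal=$((status - 128))"
        return 1
    elif [ -n "${USE_VALGRIND:-}" ] && [ "$status" -eq 99 ]; then
        # valgrind --error-exitcode=99 fired: an invalid access that did not
        # (yet) crash the process still counts as a failure.
        echo "MEMERR"
        return 1
    else
        # A controlled error exit, e.g. the tool refusing a malformed file.
        echo "ERROR exit=$status"
        return 0
    fi
}

# run_pov COMMAND [ARGS...]: run the command, discard its output, and
# classify how it ended. With USE_VALGRIND=1 (assumed variable) the command
# is wrapped in valgrind so memory errors are reported even without a crash.
run_pov() {
    if [ -n "${USE_VALGRIND:-}" ]; then
        set -- valgrind -q --error-exitcode=99 "$@"
    fi
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_corpus TOOL DIR: run TOOL over every *.h5 file in DIR (hypothetical
# layout, modelled on the cvefiles directory used in the report) and return
# 1 if any file crashed the tool. Run it once per build variant (shared and
# static), since the two can differ.
check_corpus() {
    tool=$1
    dir=$2
    failures=0
    for f in "$dir"/*.h5; do
        [ -e "$f" ] || continue
        if result=$(run_pov "$tool" "$f"); then
            printf 'PASS %s: %s\n' "$f" "$result"
        else
            printf 'FAIL %s: %s\n' "$f" "$result"
            failures=$((failures + 1))
        fi
    done
    printf '%d failing file(s)\n' "$failures"
    [ "$failures" -eq 0 ]
}

# Usage, e.g.: sh harness.sh ../../build/hdf5/bin/h5dump ../cve_hdf5/cvefiles
if [ "$#" -eq 2 ]; then
    check_corpus "$1" "$2"
fi
```

Run it once against each build variant so a crash that only the --disable-shared build exhibits, as in this report, shows up as a FAIL for that variant rather than being masked by the shared build passing.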
Platform (please complete the following information)
Basically a debug (normal) build of the library on Ubuntu LTS w/ gcc. First noticed on the GitHub Actions runners; I can reproduce it on a local Ubuntu VM. The normal (shared) build of the library does not exhibit this bug.
Additional context
Stack trace:
(gdb) bt
#0 0x0000555555674897 in H5F_addr_decode_len (addr_len=8, pp=0x7fffffffa518, addr_p=0x7fffffffa520) at ../../hdf5/src/H5Fint.c:2898
#1 0x0000555555674913 in H5F_addr_decode (f=f@entry=0x555555af2240, pp=pp@entry=0x7fffffffa518, addr_p=addr_p@entry=0x7fffffffa520) at ../../hdf5/src/H5Fint.c:2947
#2 0x000055555591ea46 in H5VL__native_blob_specific (obj=0x555555af2240, blob_id=0x7ffff827c02c, args=0x7fffffffa5d0) at ../../hdf5/src/H5VLnative_blob.c:156
#3 0x00005555558ff1c4 in H5VL__blob_specific (obj=0x555555af2240, cls=0x555555ab93e0, blob_id=blob_id@entry=0x7ffff827c02c, args=args@entry=0x7fffffffa5d0) at ../../hdf5/src/H5VLcallback.c:7460
#4 0x00005555559131b2 in H5VL_blob_specific (vol_obj=vol_obj@entry=0x555555af4da0, blob_id=blob_id@entry=0x7ffff827c02c, args=args@entry=0x7fffffffa5d0) at ../../hdf5/src/H5VLcallback.c:7489
#5 0x00005555558f3d62 in H5T__vlen_disk_isnull (file=0x555555af4da0, _vl=0x7ffff827c028, isnull=0x7fffffffa6cf) at ../../hdf5/src/H5Tvlen.c:758
#6 0x0000555555864668 in H5T__conv_vlen (src_id=, dst_id=, cdata=, nelmts=1, buf_stride=, bkg_stride=, buf=0x7ffff827c028,
bkg=0x7ffff797b020) at ../../hdf5/src/H5Tconv.c:3277
#7 0x0000555555846582 in H5T_convert (tpath=0x555555b06db0, src_id=216172782113784141, dst_id=216172782113784142, nelmts=nelmts@entry=1, buf_stride=buf_stride@entry=32,
bkg_stride=bkg_stride@entry=16, buf=0x7ffff827c028, bkg=0x7ffff797b020) at ../../hdf5/src/H5T.c:5299
#8 0x0000555555862793 in H5T__conv_struct_opt (src_id=, dst_id=, cdata=, nelmts=1, buf_stride=32, bkg_stride=16, _buf=0x7ffff7a7c018,
_bkg=0x7ffff797b018) at ../../hdf5/src/H5Tconv.c:2578
#9 0x0000555555846582 in H5T_convert (tpath=0x555555b03d20, src_id=216172782113784126, dst_id=216172782113784136, nelmts=nelmts@entry=1, buf_stride=buf_stride@entry=0,
bkg_stride=bkg_stride@entry=0, buf=0x7ffff7a7c018, bkg=0x7ffff797b018) at ../../hdf5/src/H5T.c:5299
#10 0x000055555562f7bc in H5D__scatgath_read (io_info=0x7fffffffaae0, dset_info=0x7fffffffac30) at ../../hdf5/src/H5Dscatgath.c:579
#11 0x0000555555971282 in H5D__contig_read (io_info=0x7fffffffaae0, dinfo=0x7fffffffac30) at ../../hdf5/src/H5Dcontig.c:839
#12 0x00005555556298dc in H5D__read (count=count@entry=1, dset_info=dset_info@entry=0x7fffffffac30) at ../../hdf5/src/H5Dio.c:382
#13 0x000055555591fa11 in H5VL__native_dataset_read (count=1, obj=0x7fffffffaf20, mem_type_id=0x7fffffffafb0, mem_space_id=0x7fffffffafa8, file_space_id=0x7fffffffafa0, dxpl_id=792633534417207304,
buf=0x7fffffffaf98, req=0x0) at ../../hdf5/src/H5VLnative_dataset.c:362
#14 0x00005555558fb697 in H5VL__dataset_read (count=count@entry=1, obj=obj@entry=0x7fffffffaf20, cls=0x555555ab93e0, mem_type_id=mem_type_id@entry=0x7fffffffafb0,
mem_space_id=mem_space_id@entry=0x7fffffffafa8, file_space_id=file_space_id@entry=0x7fffffffafa0, dxpl_id=792633534417207304, buf=0x7fffffffaf98, req=0x0) at ../../hdf5/src/H5VLcallback.c:2047
#15 0x0000555555904a8c in H5VL_dataset_read_direct (count=count@entry=1, obj=obj@entry=0x7fffffffaf20, connector=connector@entry=0x555555af5b90, mem_type_id=mem_type_id@entry=0x7fffffffafb0,
mem_space_id=mem_space_id@entry=0x7fffffffafa8, file_space_id=file_space_id@entry=0x7fffffffafa0, dxpl_id=792633534417207304, buf=0x7fffffffaf98, req=0x0) at ../../hdf5/src/H5VLcallback.c:2090
#16 0x000055555560a21a in H5D__read_api_common (count=count@entry=1, dset_id=dset_id@entry=0x7fffffffafb8, mem_type_id=mem_type_id@entry=0x7fffffffafb0,
mem_space_id=mem_space_id@entry=0x7fffffffafa8, file_space_id=file_space_id@entry=0x7fffffffafa0, dxpl_id=792633534417207304, dxpl_id@entry=0, buf=0x7fffffffaf98, token_ptr=0x0, _vol_obj_ptr=0x0)
at ../../hdf5/src/H5D.c:1006
#17 0x000055555560e08a in H5Dread (dset_id=, dset_id@entry=360287970189639681, mem_type_id=, mem_type_id@entry=216172782113784136, mem_space_id=,
mem_space_id@entry=288230376151711751, file_space_id=, file_space_id@entry=288230376151711750, dxpl_id=dxpl_id@entry=0, buf=, buf@entry=0x555555aff9f0)
at ../../hdf5/src/H5D.c:1059
#18 0x000055555557fb61 in h5tools_dump_simple_dset (stream=0x7ffff7e1a780 <IO_2_1_stdout>, info=info@entry=0x7fffffffb720, ctx=ctx@entry=0x7fffffffbb80, dset=dset@entry=360287970189639681,
p_type=p_type@entry=216172782113784136) at ../../../hdf5/tools/lib/h5tools_dump.c:1741
#19 0x000055555558179f in h5tools_dump_dset (stream=, stream@entry=0x7ffff7e1a780 <IO_2_1_stdout>, info=info@entry=0x7fffffffb720, ctx=ctx@entry=0x7fffffffbb80,
dset=dset@entry=360287970189639681) at ../../../hdf5/tools/lib/h5tools_dump.c:1942
#20 0x0000555555589855 in h5tools_dump_data (stream=0x7ffff7e1a780 <IO_2_1_stdout>, info=0x7fffffffb720, info@entry=0x7fffffffc070, ctx=ctx@entry=0x7fffffffc220,
obj_id=obj_id@entry=360287970189639681, obj_data=obj_data@entry=1) at ../../../hdf5/tools/lib/h5tools_dump.c:4440
#21 0x0000555555568a12 in dump_dataset (did=360287970189639681, name=, sset=) at ../../../../hdf5/tools/src/h5dump/h5dump_ddl.c:1042
#22 0x000055555556b82d in dump_all_cb (group=, name=0x555555af9330 "CharSets", linfo=, op_data=) at ../../../../hdf5/tools/src/h5dump/h5dump_ddl.c:349
#23 0x00005555556d3ea3 in H5G__iterate_cb (lnk=0x7fffffffce50, _udata=0x7fffffffd0d0) at ../../hdf5/src/H5Gint.c:815
#24 0x00005555556de3e2 in H5G__node_iterate (f=f@entry=0x555555af2240, _lt_key=, addr=1072, _rt_key=, _udata=_udata@entry=0x7fffffffcfa0) at ../../hdf5/src/H5Gnode.c:928
#25 0x000055555594da14 in H5B__iterate_helper (f=0x555555af2240, type=0x555555aa3380 <H5B_SNODE>, addr=136, op=0x5555556de1f7 <H5G__node_iterate>, udata=udata@entry=0x7fffffffcfa0)
at ../../hdf5/src/H5B.c:1131
#26 0x000055555594fa9c in H5B_iterate (f=, type=, addr=, op=, udata=udata@entry=0x7fffffffcfa0) at ../../hdf5/src/H5B.c:1170
#27 0x00005555556e56a5 in H5G__stab_iterate (oloc=oloc@entry=0x555555af97b8, order=order@entry=H5_ITER_INC, skip=skip@entry=0, last_lnk=last_lnk@entry=0x7fffffffd158,
op=op@entry=0x5555556d3e0a <H5G__iterate_cb>, op_data=op_data@entry=0x7fffffffd0d0) at ../../hdf5/src/H5Gstab.c:506
#28 0x00005555556e20bf in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x555555af97b8, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0,
last_lnk=last_lnk@entry=0x7fffffffd158, op=op@entry=0x5555556d3e0a <H5G__iterate_cb>, op_data=0x7fffffffd0d0) at ../../hdf5/src/H5Gobj.c:648
#29 0x00005555556d5cfd in H5G_iterate (loc=, group_name=, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=0, last_lnk=last_lnk@entry=0x7fffffffd158,
lnk_op=0x7fffffffd160, op_data=0x0) at ../../hdf5/src/H5Gint.c:868
#30 0x0000555555732648 in H5L_iterate (loc=loc@entry=0x7fffffffd1b0, group_name=group_name@entry=0x5555559b17d8 ".", idx_type=, order=, idx_p=0x0, op=,
op_data=0x0) at ../../hdf5/src/H5Lint.c:2145
#31 0x00005555559255c2 in H5VL__native_link_specific (obj=0x555555af5ab0, loc_params=0x7fffffffd2c0, args=0x7fffffffd2f0, dxpl_id=, req=)
at ../../hdf5/src/H5VLnative_link.c:366
#32 0x00005555558fd998 in H5VL__link_specific (obj=0x555555af5ab0, loc_params=loc_params@entry=0x7fffffffd2c0, cls=0x555555ab93e0, args=args@entry=0x7fffffffd2f0,
dxpl_id=dxpl_id@entry=792633534417207304, req=req@entry=0x0) at ../../hdf5/src/H5VLcallback.c:5482
#33 0x000055555590dfd6 in H5VL_link_specific (vol_obj=0x555555af5bb0, loc_params=loc_params@entry=0x7fffffffd2c0, args=args@entry=0x7fffffffd2f0, dxpl_id=792633534417207304, req=req@entry=0x0)
at ../../hdf5/src/H5VLcallback.c:5516
#34 0x000055555572575f in H5L__iterate_api_common (group_id=group_id@entry=144115188075855873, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, idx_p=idx_p@entry=0x0,
op=op@entry=0x55555556b334 <dump_all_cb>, op_data=op_data@entry=0x0, token_ptr=0x0, _vol_obj_ptr=0x0) at ../../hdf5/src/H5L.c:1610
#35 0x000055555572bbd4 in H5Literate2 (group_id=144115188075855873, idx_type=idx_type@entry=H5_INDEX_NAME, order=H5_ITER_INC, idx_p=idx_p@entry=0x0, op=op@entry=0x55555556b334 <dump_all_cb>,
op_data=op_data@entry=0x0) at ../../hdf5/src/H5L.c:1646
#36 0x0000555555567b09 in link_iteration (gid=gid@entry=144115188075855873, crt_order_flags=) at ../../../../hdf5/tools/src/h5dump/h5dump_ddl.c:613
#37 0x0000555555568516 in dump_group (gid=144115188075855873, name=) at ../../../../hdf5/tools/src/h5dump/h5dump_ddl.c:877
#38 0x0000555555567043 in main (argc=2, argv=0x7fffffffe098) at ../../../../hdf5/tools/src/h5dump/h5dump.c:1518
It's a little easier to see the chain via valgrind:
derobins@MainScreenTurnOn:~/hdf5_devel/cve_hdf5/cvefiles$ valgrind --leak-check=full --num-callers=50 ../../build/hdf5/bin/h5dump cve-2017-17507.h5
==1371331== Memcheck, a memory error detector
==1371331== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1371331== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1371331== Command: ../../build/hdf5/bin/h5dump cve-2017-17507.h5
==1371331==
HDF5 "cve-2017-17507.h5" {
GROUP "/" {
DATASET "CharSets" {
DATATYPE H5T_COMPOUND {
H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
} "ascii";
H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_UTF8;
CTYPE H5T_C_S1;
} "utf8";
}
DATASPACE SIMPLE { ( 1 ) / ( 1 ) }
==1371331== Invalid read of size 1
==1371331== at 0x228897: H5F_addr_decode_len (H5Fint.c:2898)
==1371331== by 0x228912: H5F_addr_decode (H5Fint.c:2947)
==1371331== by 0x4D2A45: H5VL__native_blob_specific (H5VLnative_blob.c:156)
==1371331== by 0x4B31C3: H5VL__blob_specific (H5VLcallback.c:7460)
==1371331== by 0x4C71B1: H5VL_blob_specific (H5VLcallback.c:7489)
==1371331== by 0x4A7D61: H5T__vlen_disk_isnull (H5Tvlen.c:758)
==1371331== by 0x418667: H5T__conv_vlen (H5Tconv.c:3277)
==1371331== by 0x3FA581: H5T_convert (H5T.c:5299)
==1371331== by 0x416792: H5T__conv_struct_opt (H5Tconv.c:2578)
==1371331== by 0x3FA581: H5T_convert (H5T.c:5299)
==1371331== by 0x1E37BB: H5D__scatgath_read (H5Dscatgath.c:579)
==1371331== by 0x525281: H5D__contig_read (H5Dcontig.c:839)
==1371331== by 0x1DD8DB: H5D__read (H5Dio.c:382)
==1371331== by 0x4D3A10: H5VL__native_dataset_read (H5VLnative_dataset.c:362)
==1371331== by 0x4AF696: H5VL__dataset_read (H5VLcallback.c:2047)
==1371331== by 0x4B8A8B: H5VL_dataset_read_direct (H5VLcallback.c:2090)
==1371331== by 0x1BE219: H5D__read_api_common (H5D.c:1006)
==1371331== by 0x1C2089: H5Dread (H5D.c:1059)
==1371331== by 0x133B60: h5tools_dump_simple_dset (h5tools_dump.c:1741)
==1371331== by 0x13579E: h5tools_dump_dset (h5tools_dump.c:1942)
==1371331== by 0x13D854: h5tools_dump_data (h5tools_dump.c:4440)
==1371331== by 0x11CA11: dump_dataset (h5dump_ddl.c:1042)
==1371331== by 0x11F82C: dump_all_cb (h5dump_ddl.c:349)
==1371331== by 0x287EA2: H5G__iterate_cb (H5Gint.c:815)
==1371331== by 0x2923E1: H5G__node_iterate (H5Gnode.c:928)
==1371331== by 0x501A13: H5B__iterate_helper (H5B.c:1131)
==1371331== by 0x503A9B: H5B_iterate (H5B.c:1170)
==1371331== by 0x2996A4: H5G__stab_iterate (H5Gstab.c:506)
==1371331== by 0x2960BE: H5G__obj_iterate (H5Gobj.c:648)
==1371331== by 0x289CFC: H5G_iterate (H5Gint.c:868)
==1371331== by 0x2E6647: H5L_iterate (H5Lint.c:2145)
==1371331== by 0x4D95C1: H5VL__native_link_specific (H5VLnative_link.c:366)
==1371331== by 0x4B1997: H5VL__link_specific (H5VLcallback.c:5482)
==1371331== by 0x4C1FD5: H5VL_link_specific (H5VLcallback.c:5516)
==1371331== by 0x2D975E: H5L__iterate_api_common (H5L.c:1610)
==1371331== by 0x2DFBD3: H5Literate2 (H5L.c:1646)
==1371331== by 0x11BB08: link_iteration (h5dump_ddl.c:613)
==1371331== by 0x11C515: dump_group (h5dump_ddl.c:877)
==1371331== by 0x11B042: main (h5dump.c:1518)
==1371331== Address 0x54de96c is not stack'd, malloc'd or (recently) free'd
==1371331==
==1371331==
==1371331== Process terminating with default action of signal 11 (SIGSEGV)
==1371331== Access not within mapped region at address 0x54DE96C
==1371331== at 0x228897: H5F_addr_decode_len (H5Fint.c:2898)
==1371331== by 0x228912: H5F_addr_decode (H5Fint.c:2947)
==1371331== by 0x4D2A45: H5VL__native_blob_specific (H5VLnative_blob.c:156)
==1371331== by 0x4B31C3: H5VL__blob_specific (H5VLcallback.c:7460)
==1371331== by 0x4C71B1: H5VL_blob_specific (H5VLcallback.c:7489)
==1371331== by 0x4A7D61: H5T__vlen_disk_isnull (H5Tvlen.c:758)
==1371331== by 0x418667: H5T__conv_vlen (H5Tconv.c:3277)
==1371331== by 0x3FA581: H5T_convert (H5T.c:5299)
==1371331== by 0x416792: H5T__conv_struct_opt (H5Tconv.c:2578)
==1371331== by 0x3FA581: H5T_convert (H5T.c:5299)
==1371331== by 0x1E37BB: H5D__scatgath_read (H5Dscatgath.c:579)
==1371331== by 0x525281: H5D__contig_read (H5Dcontig.c:839)
==1371331== by 0x1DD8DB: H5D__read (H5Dio.c:382)
==1371331== by 0x4D3A10: H5VL__native_dataset_read (H5VLnative_dataset.c:362)
==1371331== by 0x4AF696: H5VL__dataset_read (H5VLcallback.c:2047)
==1371331== by 0x4B8A8B: H5VL_dataset_read_direct (H5VLcallback.c:2090)
==1371331== by 0x1BE219: H5D__read_api_common (H5D.c:1006)
==1371331== by 0x1C2089: H5Dread (H5D.c:1059)
==1371331== by 0x133B60: h5tools_dump_simple_dset (h5tools_dump.c:1741)
==1371331== by 0x13579E: h5tools_dump_dset (h5tools_dump.c:1942)
==1371331== by 0x13D854: h5tools_dump_data (h5tools_dump.c:4440)
==1371331== by 0x11CA11: dump_dataset (h5dump_ddl.c:1042)
==1371331== by 0x11F82C: dump_all_cb (h5dump_ddl.c:349)
==1371331== by 0x287EA2: H5G__iterate_cb (H5Gint.c:815)
==1371331== by 0x2923E1: H5G__node_iterate (H5Gnode.c:928)
==1371331== by 0x501A13: H5B__iterate_helper (H5B.c:1131)
==1371331== by 0x503A9B: H5B_iterate (H5B.c:1170)
==1371331== by 0x2996A4: H5G__stab_iterate (H5Gstab.c:506)
==1371331== by 0x2960BE: H5G__obj_iterate (H5Gobj.c:648)
==1371331== by 0x289CFC: H5G_iterate (H5Gint.c:868)
==1371331== by 0x2E6647: H5L_iterate (H5Lint.c:2145)
==1371331== by 0x4D95C1: H5VL__native_link_specific (H5VLnative_link.c:366)
==1371331== by 0x4B1997: H5VL__link_specific (H5VLcallback.c:5482)
==1371331== by 0x4C1FD5: H5VL_link_specific (H5VLcallback.c:5516)
==1371331== by 0x2D975E: H5L__iterate_api_common (H5L.c:1610)
==1371331== by 0x2DFBD3: H5Literate2 (H5L.c:1646)
==1371331== by 0x11BB08: link_iteration (h5dump_ddl.c:613)
==1371331== by 0x11C515: dump_group (h5dump_ddl.c:877)
==1371331== by 0x11B042: main (h5dump.c:1518)
==1371331== If you believe this happened as a result of a stack
==1371331== overflow in your program's main thread (unlikely but
==1371331== possible), you can try to increase the size of the
==1371331== main thread stack using the --main-stacksize= flag.
==1371331== The main thread stack size used in this run was 8388608.
==1371331==
==1371331== HEAP SUMMARY:
==1371331== in use at exit: 3,018,214 bytes in 2,989 blocks
==1371331== total heap usage: 3,129 allocs, 140 frees, 3,193,115 bytes allocated
==1371331==
==1371331== LEAK SUMMARY:
==1371331== definitely lost: 0 bytes in 0 blocks
==1371331== indirectly lost: 0 bytes in 0 blocks
==1371331== possibly lost: 0 bytes in 0 blocks
==1371331== still reachable: 3,018,214 bytes in 2,989 blocks
==1371331== of which reachable via heuristic:
==1371331== length64 : 2,111,280 bytes in 21 blocks
==1371331== newarray : 208 bytes in 13 blocks
==1371331== suppressed: 0 bytes in 0 blocks
==1371331== Reachable blocks (those to which a pointer was found) are not shown.
==1371331== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==1371331==
==1371331== For lists of detected and suppressed errors, rerun with: -s
==1371331== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)