
Heap-buffer-overflow in H5A__read #4351

Open
tbeu opened this issue Apr 8, 2024 · 4 comments
Labels
Component - C Library Core C library issues (usually in the src directory) Priority - 1. High 🔼 These are important issues that should be resolved in the next release Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks
@tbeu
Contributor

tbeu commented Apr 8, 2024

Describe the bug

==5605==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000657c at pc 0x00000049ef41 bp 0x7ffd4583ea30 sp 0x7ffd4583e200
READ of size 8 at 0x60200000657c thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
#0 0x49ef40 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x692165 in H5A__read hdf5/src/H5Aint.c:721:17
#2 0xf5ef7f in H5VL__native_attr_read hdf5/src/H5VLnative_attr.c:213:22
#3 0xf1fd95 in H5VL__attr_read hdf5/src/H5VLcallback.c:1204:9
#4 0xf1fd95 in H5VL_attr_read hdf5/src/H5VLcallback.c:1235:9
#5 0x67d103 in H5A__read_api_common hdf5/src/H5A.c:1006:9
#6 0x67cc33 in H5Aread hdf5/src/H5A.c:1038:9

0x60200000657c is located 0 bytes to the right of 12-byte region [0x602000006570,0x60200000657c)
allocated by thread T0 here:
#0 0x49fbb6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x89e90e in H5FL__malloc hdf5/src/H5FL.c:231:30
#2 0x89e90e in H5FL_blk_malloc hdf5/src/H5FL.c:848:40
#3 0x9e2b56 in H5O__attr_decode hdf5/src/H5Oattr.c:280:43
#4 0x9e2b56 in H5O__attr_shared_decode hdf5/src/H5Oshared.h:73:34
#5 0xa6396f in H5O__msg_iterate_real hdf5/src/H5Omessage.c:1159:13
#6 0x9e9212 in H5O__attr_open_by_name hdf5/src/H5Oattribute.c:493:17
#7 0x691593 in H5A__open_by_name hdf5/src/H5Aint.c:629:25
#8 0xf5ea34 in H5VL__native_attr_open hdf5/src/H5VLnative_attr.c:169:29
#9 0xf1f33f in H5VL__attr_open hdf5/src/H5VLcallback.c:1104:30
#10 0xf1f33f in H5VL_attr_open hdf5/src/H5VLcallback.c:1136:30
#11 0x68d48a in H5A__open_common hdf5/src/H5A.c:459:17
#12 0x679833 in H5A__open_by_name_api_common hdf5/src/H5A.c:636:22
#13 0x6791f4 in H5Aopen_by_name hdf5/src/H5A.c:674:14

Additional context

Reported for c5c4713.
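The report above says that a memcpy in the attribute read path ran past the end of a 12-byte region that was allocated while decoding the attribute message from the file. The general shape of that defect class is a reader that sizes its copy from one piece of file metadata (the dataspace and datatype) while the buffer was sized from another (the stored data length), with nothing checking that the two agree. The following is an added illustration of the check a reader should perform before copying; it is not HDF5's code, does not claim to be the actual root cause or fix of this issue, and the `attr_t` type, function names and the 12-byte sample are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory attribute record (constructed for this example,
 * not HDF5's H5A_t). data_size is what the decoder actually allocated. */
typedef struct {
    size_t   data_size; /* bytes of raw data allocated while decoding the file */
    uint8_t *data;
} attr_t;

/* Copy nelmts elements of elem_size bytes from the attribute's stored data
 * into buf. Returns 0 on success, -1 if the request would read past the
 * stored data or write past the caller's buffer. */
int attr_read_checked(const attr_t *a, size_t nelmts, size_t elem_size,
                      void *buf, size_t buf_size)
{
    size_t need;

    if (a == NULL || a->data == NULL || buf == NULL)
        return -1;
    /* The element count and size come from file metadata; their product
     * must not wrap around before it is compared against the allocation. */
    if (elem_size != 0 && nelmts > SIZE_MAX / elem_size)
        return -1;
    need = nelmts * elem_size;
    /* Dataspace x datatype decides how many bytes are requested; the
     * allocation decides how many bytes exist. Refuse when they disagree. */
    if (need > a->data_size)
        return -1;
    if (need > buf_size)
        return -1;
    memcpy(buf, a->data, need);
    return 0;
}

/* Constructed scenario mirroring the report: 12 bytes of stored data, but the
 * dataspace and datatype ask for 2 elements of 8 bytes (16 bytes). */
int demo_mismatch(void)
{
    uint8_t  stored[12] = {0};
    attr_t   a = { sizeof stored, stored };
    uint64_t out[2];
    return attr_read_checked(&a, 2, sizeof out[0], out, sizeof out); /* -1 */
}

/* Constructed scenario where the metadata is consistent: 3 elements of
 * 4 bytes fit exactly in the 12 stored bytes. Returns the third element;
 * the byte pattern is endian-independent. */
long demo_consistent(void)
{
    uint8_t  stored[12] = {1,1,1,1, 2,2,2,2, 3,3,3,3};
    attr_t   a = { sizeof stored, stored };
    uint32_t out[3];
    if (attr_read_checked(&a, 3, sizeof out[0], out, sizeof out) != 0)
        return -1;
    return (long)out[2]; /* 0x03030303 */
}

int main(void)
{
    printf("mismatch   -> %d\n", demo_mismatch());
    printf("consistent -> 0x%lx\n", demo_consistent());
    return 0;
}
```

Running the unchecked equivalent of `demo_mismatch` under AddressSanitizer would produce a report of the same family as the one above (a read starting 0 bytes past a 12-byte heap region); with the size reconciliation in place the read is refused and the caller gets an error instead.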

@mattjala mattjala added Priority - 1. High 🔼 These are important issues that should be resolved in the next release Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub labels Apr 8, 2024
@derobins
Member

derobins commented Apr 9, 2024

We monitor oss-fuzz, so there's no need to re-create issues here. Also, these issues are not particularly useful without the poc files.

@tbeu
Contributor Author

tbeu commented Apr 9, 2024

Right. The issues are reported for libmatio (with restricted access only) and I do not know if the same issues are also reported for your setup. It's all due to #272.

@tbeu
Contributor Author

tbeu commented Apr 9, 2024

Here comes the testfile.zip

@tbeu
Contributor Author

tbeu commented May 2, 2024

This is verified as fixed now: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67806

@derobins derobins added the Type - Security Security issues, including library crashers and memory leaks label Jun 25, 2024
@derobins derobins added this to the 2.0.0 milestone Oct 29, 2024