Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

StackOverflow in vasprintf.c #4432

Closed
gabe-sherman opened this issue Apr 21, 2024 · 1 comment · Fixed by #4862 or #5002
Closed

StackOverflow in vasprintf.c #4432

gabe-sherman opened this issue Apr 21, 2024 · 1 comment · Fixed by #4862 or #5002
Assignees
@bmribler
Labels
Component - C Library Core C library issues (usually in the src directory) Confirmed Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks
Milestone
1.14.5

Comments

@gabe-sherman
Copy link

gabe-sherman commented Apr 21, 2024
edited
Loading

A StackOverflow error occurs in the h5dump program when provided with a malformed input. This behavior occurs at line 45 in vasprintf.c

How to trigger

LD_PRELOAD=path-to/libhdf5.so h5dump poc

POC File

https://github.com/FuturesLab/POC/blob/main/hdf5/poc-05

Test Environment

Ubuntu 22.04, 64bit

Version

Latest: 0394b03

Address Sanitizer Output

==1336339==ERROR: AddressSanitizer: stack-overflow on address 0x7fffff7fefa8 (pc 0x5555565c53fb bp 0x7fffff7ff7d0 sp 0x7fffff7fefa0 T0)
    #0 0x5555565c53fb in __interceptor_malloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-05/harness+0x10713fb) (BuildId: c585538aafd3b6d60b37a188e9f6ec836bb74b55)
    #1 0x7ffff7c88060 in __vasprintf_internal libio/./libio/vasprintf.c:45:21
    #2 0x555556564e94 in __interceptor_vasprintf (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-05/harness+0x1010e94) (BuildId: c585538aafd3b6d60b37a188e9f6ec836bb74b55)
    #3 0x5555574f4aee in H5E_printf_stack /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Eint.c:654:9
    #4 0x55555799f4da in H5HL_offset_into /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5HL.c:389:9
    #5 0x5555577e331e in H5G__node_cmp3 /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Gnode.c:414:28
    #6 0x555556f78ce8 in H5B_find /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5B.c:316:20

... same H5B_find message ...

SUMMARY: AddressSanitizer: stack-overflow (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-05/harness+0x10713fb) (BuildId: c585538aafd3b6d60b37a188e9f6ec836bb74b55) in __interceptor_malloc
==1336339==ABORTING
@derobins derobins added Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 22, 2024
@derobins derobins added this to the 1.14.5 milestone Apr 22, 2024
@bmribler bmribler added Confirmed Branch - 1.14 and removed UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 23, 2024
@derobins derobins added the Type - Security Security issues, including library crashers and memory leaks label Jun 25, 2024
bmribler added a commit to bmribler/hdf5_bmr23 that referenced this issue Sep 20, 2024
@bmribler
Fixes a segfault in h5dump
ffb4dff 
The B-tree node level was corrupted, resulting in a segfault later.
This PR adds a check to detect when the node level is greater than
the number of entries and issue an error instead.

Fixes HDFGroupGH-4432
@bmribler bmribler mentioned this issue Sep 20, 2024
Merged
@lrknox lrknox closed this as completed in ff0839d Sep 23, 2024
qkoziol pushed a commit to qkoziol/hdf5 that referenced this issue Oct 1, 2024
@bmribler @qkoziol
Fixes a segfault in h5dump (HDFGroup#4862)
defb041 
* Fixes a segfault in h5dump

The B-tree node level was corrupted, resulting in a segfault later.
This PR adds a check to detect when the node level is greater than
the number of entries and issue an error instead.

Fixes HDFGroupGH-4432
lrknox pushed a commit to lrknox/hdf5 that referenced this issue Oct 2, 2024
@bmribler @lrknox
Fixes a segfault in h5dump (HDFGroup#4862)
4df3b43 
* Fixes a segfault in h5dump

The B-tree node level was corrupted, resulting in a segfault later.
This PR adds a check to detect when the node level is greater than
the number of entries and issue an error instead.

Fixes HDFGroupGH-4432
lrknox pushed a commit that referenced this issue Oct 2, 2024
@bmribler @lrknox
Fixes a segfault in h5dump (#4862)
997cc0b 
* Fixes a segfault in h5dump

The B-tree node level was corrupted, resulting in a segfault later.
This PR adds a check to detect when the node level is greater than
the number of entries and issue an error instead.

Fixes GH-4432
@bmribler bmribler reopened this Oct 18, 2024
@bmribler
Copy link
Contributor

PR #4862 caused an old test in hpf to fail.

bmribler added a commit to bmribler/hdf5_bmr23 that referenced this issue Oct 24, 2024
@bmribler
Re-do of PR HDFGroup#4862
e375d81 
Added another argument, expected node level, to H5B__iterate_helper to pass down
to H5B__cache_deserialize for checking the decoded node level.  When this expected
level is not known, the new macro H5_UNKNOWN_NODELEVEL (-1) will be used for not
checking the level.

Fixes HDFGroupGH-4432
@bmribler bmribler mentioned this issue Oct 24, 2024
Merged
bmribler added a commit to bmribler/hdf5_bmr23 that referenced this issue Oct 30, 2024
@bmribler
Added entries for HDFGroupGH-4432 and HDFGroupGH-4941
0fd3cb2
brtnfld pushed a commit to brtnfld/hdf5 that referenced this issue Oct 31, 2024
@bmribler @brtnfld
Fix segfault in h5dump caused by corrupted btree node level (HDFGroup…
54eb6a2 
…#5002)

Added another argument, expected node level, to H5B__iterate_helper to pass down
to H5B__cache_deserialize for checking the decoded node level.  When this expected
level is not known, the new macro H5_UNKNOWN_NODELEVEL (-1) will be used for not
checking the level.

Fixes HDFGroupGH-4432
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bmribler bmribler

Labels
Component - C Library Core C library issues (usually in the src directory) Confirmed Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks
Projects
None yet
Milestone
1.14.5
3 participants
@derobins @bmribler @gabe-sherman