
allocation-size-too-big error in H5Centry.c #4435

Open
gabe-sherman opened this issue Apr 21, 2024 · 1 comment
Labels
Component - C Library Core C library issues (usually in the src directory) Confirmed Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub Type - Security Security issues, including library crashers and memory leaks

Comments

gabe-sherman commented Apr 21, 2024

An allocation-size-too-big error occurs in the h5dump program when provided with a malformed input. This behavior occurs at line 1015 in H5Centry.c.

How to trigger

LD_PRELOAD=path-to/libhdf5.so h5dump poc

POC File

https://github.com/FuturesLab/POC/blob/main/hdf5/poc-10

Test Environment

Ubuntu 22.04, 64bit

Version

Latest: 0394b03

Address Sanitizer Output

=================================================================
==1440597==ERROR: AddressSanitizer: requested allocation size 0x101010101010158 (0x101010101011158 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x5555565cc45e in __interceptor_malloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-10/harness+0x107845e) (BuildId: 18a7c9ab4a9a69531af3cb99c442f42c242e1103)
    #1 0x55555711b265 in H5C__load_entry /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Centry.c:1017:37
    #2 0x55555711b265 in H5C_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5Centry.c:3101:30
    #3 0x555556f79dc2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26

==1440597==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-10/harness+0x107845e) (BuildId: 18a7c9ab4a9a69531af3cb99c442f42c242e1103) in __interceptor_malloc
==1440597==ABORTING
@derobins derobins added this to the 1.14.5 milestone Apr 22, 2024
@derobins derobins added Priority - 0. Blocker ⛔ This MUST be merged for the release to happen Component - C Library Core C library issues (usually in the src directory) Type - Bug / Bugfix Please report security issues to [email protected] instead of creating an issue on GitHub UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Apr 22, 2024
@gabe-sherman
Author

This is the harness that this crash was discovered with:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <hdf5.h>

/* Auto-generated fuzzing harness: opens the file named on the command line
 * read/write and creates two nested groups in it with fixed names. The
 * strcmp(argv[1], fuzzData) checks are generator artefacts and never fire. */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hdf5-file>\n", argv[0]);
        return 1;
    }
    char *fuzzData = argv[1];

    char H5Gcreate1var0[256];
    snprintf(H5Gcreate1var0, sizeof H5Gcreate1var0, "yhoom");
    char H5Gcreate2var0[256];
    snprintf(H5Gcreate2var0, sizeof H5Gcreate2var0, "7td9h");

    /* flags 1 == H5F_ACC_RDWR, fapl 0 == H5P_DEFAULT (same values as posted) */
    hid_t H5Fopenval1 = H5Fopen(fuzzData, H5F_ACC_RDWR, H5P_DEFAULT);
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    if (H5Fopenval1 < 0) {
        fprintf(stderr, "err");
    }

    /* deprecated H5Gcreate1 API, size_hint 1 */
    hid_t H5Gcreate1val1 = H5Gcreate1(H5Fopenval1, H5Gcreate1var0, 1);
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    if (H5Gcreate1val1 < 0) {
        fprintf(stderr, "err");
    }

    /* lcpl, gcpl, gapl all 0 == H5P_DEFAULT */
    hid_t H5Gcreate2val1 = H5Gcreate2(H5Gcreate1val1, H5Gcreate2var0,
                                      H5P_DEFAULT, H5P_DEFAULT, H5P_DEFAULT);
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    if (H5Gcreate2val1 < 0) {
        fprintf(stderr, "err");
    }
    return 0;
}

@bmribler bmribler added Confirmed and removed UNCONFIRMED New issues are unconfirmed until a maintainer can duplicate them labels Jun 6, 2024
@derobins derobins added the Type - Security Security issues, including library crashers and memory leaks label Jun 25, 2024
bmribler added a commit to bmribler/hdf5_bmr23 that referenced this issue Sep 18, 2024
This PR
- fixes an abort of the user's program (issue HDFGroupGH-4435) because the
  malformed data caused a very large size of memory to be allocated.
- removes memory leaks causing the free-list code to abort in addition
  to the reported issue.

NF provided helpful code to the fix.
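The sanitizer report above shows malloc() being handed a size read from the file (0x101010101010158), and the commit message describes the fix as stopping that oversized allocation. The following is an added example, not HDF5's code or the fix from the referenced commit: it shows the general pattern of bounding an untrusted length field before allocating. The on-disk layout (8-byte little-endian length followed by payload), the 64 MiB policy cap, and the sample images are all constructed for this example; the unchecked variant only reports the size it would request rather than calling malloc(), so the program runs safely with or without AddressSanitizer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed on-disk layout for this example: an 8-byte little-endian length
 * field followed by that many payload bytes. Not HDF5's format. */
#define HDR_LEN 8

/* Policy cap on one entry; a value chosen for this example. */
#define MAX_ENTRY_SIZE ((uint64_t)64 * 1024 * 1024)

enum load_status {
    LOAD_OK = 0,
    LOAD_TRUNCATED_HEADER,  /* image shorter than the length field itself */
    LOAD_SIZE_TOO_BIG,      /* length exceeds the policy cap */
    LOAD_SIZE_PAST_EOF,     /* length exceeds the bytes present after the header */
    LOAD_ALLOC_FAILED
};

static uint64_t read_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Weak pattern: the length field is trusted as-is, so a malformed image drives
 * malloc() with whatever bytes are on disk. This function only reports the size
 * such a loader would request; it deliberately does not allocate. */
uint64_t requested_size_unchecked(const unsigned char *img, size_t img_len)
{
    if (img_len < HDR_LEN)
        return 0;
    return read_le64(img);
}

/* Hardened pattern: bound the length both by policy and by the bytes that are
 * actually present before any allocation happens. */
enum load_status load_entry_checked(const unsigned char *img, size_t img_len,
                                    unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (img_len < HDR_LEN)
        return LOAD_TRUNCATED_HEADER;

    uint64_t len = read_le64(img);
    if (len > MAX_ENTRY_SIZE)
        return LOAD_SIZE_TOO_BIG;
    if (len > (uint64_t)(img_len - HDR_LEN))   /* compare in 64 bits, before any cast to size_t */
        return LOAD_SIZE_PAST_EOF;

    unsigned char *buf = malloc(len ? (size_t)len : 1);
    if (buf == NULL)
        return LOAD_ALLOC_FAILED;
    memcpy(buf, img + HDR_LEN, (size_t)len);
    *out = buf;
    *out_len = (size_t)len;
    return LOAD_OK;
}

/* Convenience wrapper: load, compare the payload, release. Returns the status,
 * or -1 if the load succeeded but the payload differs from `expected`. */
int load_and_compare(const unsigned char *img, size_t img_len,
                     const char *expected, size_t expected_len)
{
    unsigned char *buf;
    size_t n;
    enum load_status st = load_entry_checked(img, img_len, &buf, &n);
    if (st != LOAD_OK)
        return (int)st;
    int same = (n == expected_len && memcmp(buf, expected, n) == 0);
    free(buf);
    return same ? LOAD_OK : -1;
}

/* Constructed sample images (not taken from the POC file). */
/* Length 5, payload "hello". */
const unsigned char good_image[] = { 5, 0, 0, 0, 0, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Length 5 but only 3 payload bytes present. */
const unsigned char short_image[] = { 5, 0, 0, 0, 0, 0, 0, 0, 'h', 'e', 'l' };
/* Length field holding the value from the ASan report, 0x0101010101010158. */
const unsigned char huge_image[] = { 0x58, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0, 0 };

int main(void)
{
    printf("unchecked loader would request 0x%llx bytes\n",
           (unsigned long long)requested_size_unchecked(huge_image, sizeof huge_image));
    printf("checked loader: huge=%d short=%d good=%d\n",
           load_and_compare(huge_image, sizeof huge_image, "", 0),
           load_and_compare(short_image, sizeof short_image, "hel", 3),
           load_and_compare(good_image, sizeof good_image, "hello", 5));
    return 0;
}
```

The two checks in load_entry_checked() are independent on purpose: the policy cap catches absurd values like the one in the report even when the image is large, and the bytes-present check catches lengths that are plausible in size but still point past the end of what was read, which is the case that a cap alone would miss.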
@derobins derobins modified the milestones: 1.14.5, 2.0.0 Oct 15, 2024
3 participants