Fix vuln OSV-2024-381

[aled-ua]

[Warning] This PR is generated by AI

1. PR Title: Fix Heap-Buffer-Overflow Vulnerability in HDF5 - OSV-2024-381

2. PR Description:

   • Bug Type: Heap-buffer-overflow
   • Summary: A vulnerability was identified in the HDF5 library, where the program attempted to access memory beyond the allocated heap buffer. Specifically, in certain scenarios, the calculations for buffer sizes (overlap_size and new_accum_size) exceeded the allocated buffer size (alloc_size), leading to a heap-buffer-overflow. This occurred due to the lack of bounds checking on these calculated values.
   • Fix Summary: The patch introduces bounds checking to ensure that the calculated buffer sizes do not exceed the allocated size. If an overflow is detected, an error is logged, and the operation is aborted, preventing the overflow from occurring. This fix enhances the security and stability of the HDF5 program by eliminating the potential for memory corruption and undefined behavior caused by out-of-bounds memory access.

3. Sanitizer Report Summary:
   The sanitizer detected a heap-buffer-overflow when the program attempted to read 361 bytes from an offset -41 into a 520-byte heap buffer. The overflow occurred due to an incorrect calculation and lack of bounds checking in the H5F__accum_free function at /src/H5Faccum.c:885:17. This issue propagated through multiple function calls, ultimately leading to a memory access violation.

4. Full Sanitizer Report:

   ==15010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x516000000c57 at pc 0x55f9731d2407 bp 0x7ffd22de46e0 sp 0x7ffd22de3ea0
   READ of size 361 at 0x516000000c57 thread T0
       #0 0x55f9731d2406 in __asan_memmove (/root/out/h5_extended_fuzzer+0x23b406)
       #1 0x55f97416544f in H5F__accum_free /root/src/H5Faccum.c:885:17
       #2 0x55f9736aaa5f in H5MF_xfree /root/src/H5MF.c:1093:13
       #3 0x55f9736c020a in H5MF__aggr_reset /root/src/H5MFaggr.c:725:21
       #4 0x55f9736bfcb2 in H5MF_free_aggrs /root/src/H5MFaggr.c:789:13
       #5 0x55f9736afd56 in H5MF__close_aggrfs /root/src/H5MF.c:1725:9
       #6 0x55f9736ae5b9 in H5MF_close /root/src/H5MF.c:1512:26
       #7 0x55f97347ec54 in H5F__dest /root/src/H5Fint.c:1488:21
       #8 0x55f973483ab3 in H5F_try_close /root/src/H5Fint.c:2680:9
       #9 0x55f9734827d8 in H5F__close /root/src/H5Fint.c:2482:9
       #10 0x55f973ff0dc0 in H5VL__native_file_close /root/src/H5VLnative_file.c:777:13
       #11 0x55f973f9fa69 in H5VL__file_close /root/src/H5VLcallback.c:4326:25
       #12 0x55f973f9f4ca in H5VL_file_close /root/src/H5VLcallback.c:4360:9
       #13 0x55f97348d876 in H5F__close_cb /root/src/H5Fint.c:249:9
       #14 0x55f97369168c in H5I__dec_ref /root/src/H5Iint.c:1076:30
       #15 0x55f973691d10 in H5I__dec_app_ref /root/src/H5Iint.c:1156:22
       #16 0x55f973691b8f in H5I_dec_app_ref /root/src/H5Iint.c:1201:22
       #17 0x55f97344ad85 in H5Fclose /root/src/H5F.c:1040:9
       #18 0x55f973214bd8 in LLVMFuzzerTestOneInput /root/src/h5_extended_fuzzer.c:39:7
       #19 0x55f97311ff04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) 
       #20 0x55f973109036 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) 
       #21 0x55f97310eaea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) 
       #22 0x55f9731392a6 in main 
       #23 0x7fec9be9c1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #24 0x7fec9be9c28a in __libc_start_main csu/../csu/libc-start.c:360:3
       #25 0x55f973103c04 in _start (/root/out/h5_extended_fuzzer+0x16cc04)
   
   0x516000000c57 is located 41 bytes before 520-byte region [0x516000000c80,0x516000000e88)
   allocated by thread T0 here:
       #0 0x55f9731d4033 in malloc (/root/out/h5_extended_fuzzer+0x23d033)
       #1 0x55f973561bd9 in H5FL__malloc /root/src/H5FL.c:211:30
       #2 0x55f973562b03 in H5FL_blk_malloc /root/src/H5FL.c:773:48
       #3 0x55f9735647b4 in H5FL_blk_realloc /root/src/H5FL.c:947:21
       #4 0x55f9741626b4 in H5F__accum_write /root/src/H5Faccum.c:700:47
   

5. Files Modified:

   • src/H5Faccum.c

   --- a/src/H5Faccum.c
   +++ b/src/H5Faccum.c
   @@ -880,6 +880,13 @@
                   H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
                   new_accum_size = accum->size - overlap_size;
   
   +                /* Ensure overlap_size and new_accum_size are within bounds */
   +                if (overlap_size > accum->alloc_size || new_accum_size > accum->alloc_size) {
   +                    HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, FAIL, "calculated sizes exceed allocated buffer size");
   +                }
   +
                   /* Move the accumulator buffer information to eliminate the freed block */
                   memmove(accum->buf, accum->buf + overlap_size, new_accum_size);

6. Patch Validation:
   The patch has been validated using the provided PoC. It successfully resolves the heap-buffer-overflow issue identified in the sanitizer report. The program no longer exhibits the memory violation, and no new issues were introduced.

7. Links:

   • Original Vulnerability Report
   • PoC Download

[jhendersonHDF]

This fixes the specific vulnerability, but a more complete fix may be needed here. Consider the case where both overlap_size and new_accum_size end up slightly below accum->alloc_size. It may make more sense to calculate a pointer to the last valid byte in accum->buf and then make use of the H5_IS_BUFFER_OVERFLOW macro from H5private.h.

[aled-ua]

This fixes the specific vulnerability, but a more complete fix may be needed here. Consider the case where both overlap_size and new_accum_size end up slightly below accum->alloc_size. It may make more sense to calculate a pointer to the last valid byte in accum->buf and then make use of the H5_IS_BUFFER_OVERFLOW macro from H5private.h.

You are right. The current fix does not fully resolve the overflow

[jhendersonHDF]

Should be accum->buf + accum->alloc_size - 1 here

[jhendersonHDF]

Just another small fix needed for this PR

[qkoziol]

This seems more like a fix for a symptom rather than the cause of the error. Why is the overlap wrong?

I'll investigate today and see if I can make a suggestion for a different change.

[qkoziol]

I've investigated this issue and it looks to be addressed in current versions of the library:

HDF5-DIAG: Error detected in HDF5 (2.0.0) thread 1:
#000: ../../hdf5/src/H5VLnative_file.c line 129 in H5VL__native_file_open(): unable to open file
major: File accessibility
minor: Unable to open file
#1: ../../hdf5/src/H5Fint.c line 2112 in H5F_open(): unable to read superblock
major: File accessibility
minor: Read failed
#2: ../../hdf5/src/H5Fsuper.c line 671 in H5F__super_read(): unable to read object header
major: File accessibility
minor: Object already exists
#3: ../../hdf5/src/H5Omessage.c line 788 in H5O_msg_exists(): unable to protect object header
major: Object header
minor: Unable to protect metadata
#4: ../../hdf5/src/H5Oint.c line 1092 in H5O_protect(): corrupt object header - incorrect # of messages
major: Object header
minor: Unable to load metadata into cache
cannot open file

The original OSS-fuzz report is from last April, and it looks like the root cause (correctly detecting the corruption in the object header) has been fixed since then.

[qkoziol]

So, unless this corrupted file is still causing problems, I'd recommend closing the issue as "already fixed".

[aled-ua]

@qkoziol
I tried to rebuild on the lastest commit and run the testcase.

+ FUZZER=h5_extended_fuzzer
+ shift
+ '[' '!' -v TESTCASE ']'
+ TESTCASE=/testcase
+ '[' '!' -f /testcase ']'
+ export RUN_FUZZER_MODE=interactive
+ RUN_FUZZER_MODE=interactive
+ export FUZZING_ENGINE=libfuzzer
+ FUZZING_ENGINE=libfuzzer
+ export SKIP_SEED_CORPUS=1
+ SKIP_SEED_CORPUS=1
+ run_fuzzer h5_extended_fuzzer -runs=100 /testcase
vm.mmap_rnd_bits = 28
/out/h5_extended_fuzzer -rss_limit_mb=2560 -timeout=25 -runs=100 /testcase < /dev/null
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4186138008
INFO: Loaded 1 modules   (120419 inline 8-bit counters): 120419 [0x562d4812a280, 0x562d481478e3),
INFO: Loaded 1 PC tables (120419 PCs): 120419 [0x562d481478e8,0x562d4831df18),
/out/h5_extended_fuzzer: Running 1 inputs 100 time(s) each.
Running: /testcase
HDF5-DIAG: Error detected in HDF5 (2.0.0):
  #000: /src/hdf5/src/H5D.c line 401 in H5Dopen2(): unable to synchronously open dataset
    major: Dataset
    minor: Can't open object
  #001: /src/hdf5/src/H5D.c line 363 in H5D__open_api_common(): unable to open dataset
    major: Dataset
    minor: Can't open object
  #002: /src/hdf5/src/H5VLcallback.c line 2090 in H5VL_dataset_open(): dataset open failed
    major: Virtual Object Layer
    minor: Can't open object
  #003: /src/hdf5/src/H5VLcallback.c line 2057 in H5VL__dataset_open(): dataset open failed
    major: Virtual Object Layer
    minor: Can't open object
  #004: /src/hdf5/src/H5VLnative_dataset.c line 332 in H5VL__native_dataset_open(): unable to open dataset
    major: Dataset
    minor: Can't open object
  #005: /src/hdf5/src/H5Dint.c line 1472 in H5D__open_name(): not found
    major: Dataset
    minor: Object not found
  #006: /src/hdf5/src/H5Gloc.c line 424 in H5G_loc_find(): can't find object
    major: Symbol table
    minor: Object not found
  #007: /src/hdf5/src/H5Gtraverse.c line 846 in H5G_traverse(): internal path traversal failed
    major: Symbol table
    minor: Object not found
  #008: /src/hdf5/src/H5Gtraverse.c line 573 in H5G__traverse_real(): can't look up component
    major: Symbol table
    minor: Object not found
  #009: /src/hdf5/src/H5Gobj.c line 1070 in H5G__obj_lookup(): can't check for link info message
    major: Symbol table
    minor: Can't get value
  #010: /src/hdf5/src/H5Gobj.c line 310 in H5G__obj_get_linfo(): unable to read object header
    major: Symbol table
    minor: Can't get value
  #011: /src/hdf5/src/H5Omessage.c line 788 in H5O_msg_exists(): unable to protect object header
    major: Object header
    minor: Unable to protect metadata
  #012: /src/hdf5/src/H5Oint.c line 1015 in H5O_protect(): unable to load object header
    major: Object header
    minor: Unable to protect metadata
  #013: /src/hdf5/src/H5AC.c line 1303 in H5AC_protect(): H5C_protect() failed
    major: Object cache
    minor: Unable to protect metadata
  #014: /src/hdf5/src/H5Centry.c line 3106 in H5C_protect(): can't load entry
    major: Object cache
    minor: Unable to load metadata into cache
  #015: /src/hdf5/src/H5Centry.c line 1180 in H5C__load_entry(): incorrect metadata checksum after all read attempts
    major: Object cache
    minor: Read failed
  #016: /src/hdf5/src/H5Ocache.c line 185 in H5O__cache_get_final_load_size(): can't deserialize object header prefix
    major: Object header
    minor: Unable to decode value
  #017: /src/hdf5/src/H5Ocache.c line 1100 in H5O__prefix_deserialize(): bad object header version number
    major: Object header
    minor: Wrong version number
=================================================================
==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x516000000c57 at pc 0x562d472806e3 bp 0x7ffd3c1404b0 sp 0x7ffd3c13fc70
READ of size 361 at 0x516000000c57 thread T0
SCARINESS: 36 (multi-byte-read-heap-buffer-overflow-far-from-bounds)
    #0 0x562d472806e2 in __asan_memmove /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:71:3
    #1 0x562d47e44859 in H5F__accum_free /src/hdf5/src/H5Faccum.c:885:17
    #2 0x562d475e6ae4 in H5MF_xfree /src/hdf5/src/H5MF.c:1093:13
    #3 0x562d475f93dc in H5MF__aggr_reset /src/hdf5/src/H5MFaggr.c:725:21
    #4 0x562d475f93dc in H5MF_free_aggrs /src/hdf5/src/H5MFaggr.c:789:13
    #5 0x562d475e98d1 in H5MF__close_aggrfs /src/hdf5/src/H5MF.c:1725:9
    #6 0x562d475e98d1 in H5MF_close /src/hdf5/src/H5MF.c:1512:26
    #7 0x562d47460188 in H5F__dest /src/hdf5/src/H5Fint.c:1488:21
    #8 0x562d47463582 in H5F_try_close /src/hdf5/src/H5Fint.c:2680:9
    #9 0x562d47462c7c in H5F__close /src/hdf5/src/H5Fint.c:2482:9
    #10 0x562d47d1b6cc in H5VL__native_file_close /src/hdf5/src/H5VLnative_file.c:777:13
    #11 0x562d47cdf708 in H5VL__file_close /src/hdf5/src/H5VLcallback.c:4326:25
    #12 0x562d47cdf0fe in H5VL_file_close /src/hdf5/src/H5VLcallback.c:4360:9
    #13 0x562d4746b44f in H5F__close_cb /src/hdf5/src/H5Fint.c:249:9
    #14 0x562d475d23ef in H5I__dec_ref /src/hdf5/src/H5Iint.c:1076:30
    #15 0x562d475d2a21 in H5I__dec_app_ref /src/hdf5/src/H5Iint.c:1156:22
    #16 0x562d475d2887 in H5I_dec_app_ref /src/hdf5/src/H5Iint.c:1201:22
    #17 0x562d4743c784 in H5Fclose /src/hdf5/src/H5F.c:1040:9
    #18 0x562d472c1b88 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:39:7
    #19 0x562d47176500 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #20 0x562d47161775 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #21 0x562d4716720f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #22 0x562d471924b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7fb2e0286082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #24 0x562d4715995d in _start (/out/h5_extended_fuzzer+0x43795d)

DEDUP_TOKEN: __asan_memmove--H5F__accum_free--H5MF_xfree
0x516000000c57 is located 41 bytes before 520-byte region [0x516000000c80,0x516000000e88)
allocated by thread T0 here:
    #0 0x562d472822cf in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x562d47501be6 in H5FL__malloc /src/hdf5/src/H5FL.c:211:30
    #2 0x562d47501be6 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:773:48
    #3 0x562d47e41ab6 in H5F__accum_write /src/hdf5/src/H5Faccum.c:700:47
    #4 0x562d47742258 in H5PB_write /src/hdf5/src/H5PB.c:1003:13
    #5 0x562d4746d2c4 in H5F_block_write /src/hdf5/src/H5Fio.c:218:9
    #6 0x562d4733d4e7 in H5C__flush_single_entry /src/hdf5/src/H5Centry.c:597:21
    #7 0x562d4736c1b2 in H5C__flush_ring /src/hdf5/src/H5Cint.c:1748:25
    #8 0x562d47335211 in H5C_flush_cache /src/hdf5/src/H5C.c:710:17
    #9 0x562d473848df in H5C_flush_tagged_entries /src/hdf5/src/H5Ctag.c:654:9
    #10 0x562d472f68f4 in H5AC_flush_tagged_metadata /src/hdf5/src/H5AC.c:2208:9
    #11 0x562d4746e5b0 in H5F_flush_tagged_metadata /src/hdf5/src/H5Fio.c:421:9
    #12 0x562d4745aae8 in H5F_open /src/hdf5/src/H5Fint.c:2211:17
    #13 0x562d47d17d8c in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
    #14 0x562d47cdb317 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3714:25
    #15 0x562d47cdaae5 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3832:30
    #16 0x562d4743a302 in H5F__open_api_common /src/hdf5/src/H5F.c:780:29
    #17 0x562d47439953 in H5Fopen /src/hdf5/src/H5F.c:820:22
    #18 0x562d472c1ae2 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
    #19 0x562d47176500 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #20 0x562d47161775 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #21 0x562d4716720f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #22 0x562d471924b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #23 0x7fb2e0286082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/hdf5/src/H5Faccum.c:885:17 in H5F__accum_free
Shadow bytes around the buggy address:
  0x516000000980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000b80: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x516000000c00: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
  0x516000000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x516000000e80: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14==ABORTING

[qkoziol]

Thank you for persisting and re-testing - I see that I was wrong in assuming that the library detecting the problem meant that it was fully fixed.

I'll take another look at this.