
segmentation fault at H5VM_memcpyvv() /hdf5/src/H5VM.c:1525

Open — ZFeiXQ opened this issue 3 years ago • 1 comment

Version:

h5dump: Version 1.13.1-1

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

h5dump-shared POC4

POC4.zip

Result

segmentation fault

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff769f068 --> 0x0 
RBX: 0xa0 
RCX: 0x5555555d4278 --> 0x0 
RDX: 0x50 ('P')
RSI: 0x5555595df040 
RDI: 0x7ffff769f068 --> 0x0 
RBP: 0x50 ('P')
RSP: 0x7fffffffa498 --> 0x7ffff7e71f55 (<H5VM_memcpyvv+245>:    add    r15,0x8)
RIP: 0x7ffff7b067a3 (<__memmove_avx_unaligned_erms+307>:    vmovdqu ymm0,YMMWORD PTR [rsi])
R8 : 0x50 ('P')
R9 : 0x5555555d4278 --> 0x0 
R10: 0x0 
R11: 0x7ffff7e71e60 (<H5VM_memcpyvv>:   endbr64)
R12: 0x5555555d2250 --> 0x50 ('P')
R13: 0x5a0 
R14: 0x7ffff769f068 --> 0x0 
R15: 0x5555555d4280 --> 0x4000050
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b06799 <__memmove_avx_unaligned_erms+297>:   vmovdqu YMMWORD PTR [rdi+rdx*1-0x80],ymm7
   0x7ffff7b0679f <__memmove_avx_unaligned_erms+303>:   vzeroupper 
   0x7ffff7b067a2 <__memmove_avx_unaligned_erms+306>:   ret    
=> 0x7ffff7b067a3 <__memmove_avx_unaligned_erms+307>:   vmovdqu ymm0,YMMWORD PTR [rsi]
   0x7ffff7b067a7 <__memmove_avx_unaligned_erms+311>:   vmovdqu ymm1,YMMWORD PTR [rsi+0x20]
   0x7ffff7b067ac <__memmove_avx_unaligned_erms+316>:   vmovdqu ymm2,YMMWORD PTR [rsi+rdx*1-0x20]
   0x7ffff7b067b2 <__memmove_avx_unaligned_erms+322>:   vmovdqu ymm3,YMMWORD PTR [rsi+rdx*1-0x40]
   0x7ffff7b067b8 <__memmove_avx_unaligned_erms+328>:   vmovdqu YMMWORD PTR [rdi],ymm0
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa498 --> 0x7ffff7e71f55 (<H5VM_memcpyvv+245>:   add    r15,0x8)
0008| 0x7fffffffa4a0 --> 0x0 
0016| 0x7fffffffa4a8 --> 0x5555555d4318 --> 0x0 
0024| 0x7fffffffa4b0 --> 0x5555555deff0 --> 0x100000000000000 
0032| 0x7fffffffa4b8 --> 0x7fffffffa630 --> 0x0 
0040| 0x7fffffffa4c0 --> 0x7ffff769f018 --> 0x100000000000000 
0048| 0x7fffffffa4c8 --> 0x0 
0056| 0x7fffffffa4d0 --> 0x7fffffffa630 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:365
365 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
gdb-peda$ bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:365
#1  0x00007ffff7e71f55 in H5VM_memcpyvv (_dst=0x7ffff769f018, dst_max_nseq=dst_max_nseq@entry=0x1, dst_curr_seq=dst_curr_seq@entry=0x7fffffffa630, 
    dst_len_arr=dst_len_arr@entry=0x7fffffffa640, dst_off_arr=dst_off_arr@entry=0x7fffffffa628, _src=0x5555555deff0, src_max_nseq=0x14, 
    src_curr_seq=0x7fffffffa638, src_len_arr=0x5555555d2248, src_off_arr=0x5555555d4278) at /home/zxq/CVE_testing/source/hdf5/src/H5VM.c:1525
#2  0x00007ffff7c426a7 in H5D__compact_readvv (io_info=0x7fffffffa660, dset_max_nseq=0x14, dset_curr_seq=0x7fffffffa638, dset_size_arr=0x5555555d2248, 
    dset_offset_arr=0x5555555d4278, mem_max_nseq=0x1, mem_curr_seq=0x7fffffffa630, mem_size_arr=0x7fffffffa640, mem_offset_arr=0x7fffffffa628)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Dcompact.c:350
#3  0x00007ffff7c5a589 in H5D__gather_file (_io_info=_io_info@entry=0x7fffffffaa60, iter=iter@entry=0x5555555e02a0, nelmts=nelmts@entry=0x190, 
    _buf=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Dscatgath.c:237
#4  0x00007ffff7c5aed4 in H5D__scatgath_read (io_info=0x7fffffffaa60, type_info=<optimized out>, nelmts=0x190, file_space=<optimized out>, 
    mem_space=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Dscatgath.c:503
#5  0x00007ffff7c3aa0f in H5D__chunk_read (io_info=0x7fffffffac20, type_info=0x7fffffffaba0, nelmts=<optimized out>, file_space=<optimized out>, 
    mem_space=<optimized out>, fm=0x5555555cb9e0) at /home/zxq/CVE_testing/source/hdf5/src/H5Dchunk.c:2595
#6  0x00007ffff7c574e2 in H5D__read (dataset=dataset@entry=0x5555555bda90, mem_type_id=mem_type_id@entry=0x300000000000140, mem_space=<optimized out>, 
    mem_space@entry=0x5555555c5230, file_space=file_space@entry=0x5555555c4ff0, buf=<optimized out>, buf@entry=0x5555555c8420)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Dio.c:261
#7  0x00007ffff7e67d41 in H5VL__native_dataset_read (obj=0x5555555bda90, mem_type_id=0x300000000000140, mem_space_id=<optimized out>, 
    file_space_id=0x400000000000006, dxpl_id=0xb00000000000008, buf=0x5555555c8420, req=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_dataset.c:293
#8  0x00007ffff7e539b0 in H5VL__dataset_read (cls=<optimized out>, req=0x0, buf=0x5555555c8420, dxpl_id=0xb00000000000008, 
    file_space_id=0x400000000000006, mem_space_id=0x400000000000007, mem_type_id=0x300000000000140, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:2045
#9  H5VL_dataset_read (vol_obj=vol_obj@entry=0x5555555bf9d0, mem_type_id=mem_type_id@entry=0x300000000000140, 
    mem_space_id=mem_space_id@entry=0x400000000000007, file_space_id=file_space_id@entry=0x400000000000006, dxpl_id=dxpl_id@entry=0xb00000000000008, 
    buf=buf@entry=0x5555555c8420, req=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:2077
#10 0x00007ffff7c2bb9f in H5D__read_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, buf=0x5555555c8420, dxpl_id=0xb00000000000008, 
    file_space_id=0x400000000000006, mem_space_id=0x400000000000007, mem_type_id=0x300000000000140, dset_id=0x5555555b00c0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:968
#11 H5Dread (dset_id=dset_id@entry=0x500000000000001, mem_type_id=mem_type_id@entry=0x300000000000140, mem_space_id=mem_space_id@entry=0x400000000000007, 
    file_space_id=file_space_id@entry=0x400000000000006, dxpl_id=dxpl_id@entry=0x0, buf=buf@entry=0x5555555c8420)
    at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:1020
#12 0x00007ffff7fa6a79 in h5tools_dump_simple_dset (p_type=0x300000000000140, dset=0x500000000000001, ctx=0x7fffffffbea0, info=0x7fffffffba40, 
    stream=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5tools_dump.c:1755
#13 h5tools_dump_dset (stream=stream@entry=0x7ffff7b646a0 <_IO_2_1_stdout_>, info=info@entry=0x7fffffffba40, ctx=ctx@entry=0x7fffffffbea0, 
    dset=dset@entry=0x500000000000001) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5tools_dump.c:1956
#14 0x00007ffff7fb050a in h5tools_dump_data (stream=0x7ffff7b646a0 <_IO_2_1_stdout_>, info=<optimized out>, info@entry=0x7fffffffc3a0, 
    ctx=ctx@entry=0x7fffffffc550, obj_id=obj_id@entry=0x500000000000001, obj_data=obj_data@entry=0x1)
    at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5tools_dump.c:4425
#15 0x000055555555db8a in dump_dataset (did=0x500000000000001, name=<optimized out>, sset=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/tools/src/h5dump/h5dump_ddl.c:1046
#16 0x0000555555560d19 in dump_all_cb (group=0x200000000000003, name=0x5555555bcfe0 "Compressed_Data", linfo=<optimized out>, op_data=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/tools/src/h5dump/h5dump_ddl.c:350
#17 0x00007ffff7cce5fd in H5G__iterate_cb (_udata=0x7fffffffd400, lnk=0x7fffffffd190) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:866
#18 H5G__iterate_cb (lnk=0x7fffffffd190, _udata=0x7fffffffd400) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:839
#19 0x00007ffff7cd4dce in H5G__node_iterate (f=f@entry=0x5555555b84c0, _lt_key=<optimized out>, addr=0x430, _rt_key=<optimized out>, 
    _udata=_udata@entry=0x7fffffffd2d0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#20 0x00007ffff7bfb0b0 in H5B__iterate_helper (f=0x5555555b84c0, type=0x7ffff7f79220 <H5B_SNODE>, addr=0x88, op=0x7ffff7cd4ce0 <H5G__node_iterate>, 
    udata=udata@entry=0x7fffffffd2d0) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#21 0x00007ffff7bfc58b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffd2d0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#22 0x00007ffff7cda506 in H5G__stab_iterate (oloc=oloc@entry=0x5555555bf838, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, 
    last_lnk=last_lnk@entry=0x7fffffffd488, op=op@entry=0x7ffff7cce5a0 <H5G__iterate_cb>, op_data=0x7fffffffd400)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#23 0x00007ffff7cd7725 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x5555555bf838, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
    skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd488, op=op@entry=0x7ffff7cce5a0 <H5G__iterate_cb>, op_data=0x7fffffffd400)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#24 0x00007ffff7ccf708 in H5G_iterate (loc=<optimized out>, group_name=<optimized out>, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, 
    last_lnk=last_lnk@entry=0x7fffffffd488, lnk_op=0x7fffffffd490, op_data=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:921
#25 0x00007ffff7d1091a in H5L_iterate (loc=loc@entry=0x7fffffffd4d0, group_name=group_name@entry=0x7ffff7e8b07c ".", idx_type=<optimized out>, 
    order=<optimized out>, idx_p=<optimized out>, op=<optimized out>, op_data=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Lint.c:2243
#26 0x00007ffff7e6c694 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffd560, args=0x7fffffffd590, dxpl_id=<optimized out>, 
    req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:366
#27 0x00007ffff7e5b540 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffd590, loc_params=0x7fffffffd560, 
    obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#28 H5VL_link_specific (vol_obj=0x5555555bbca0, loc_params=loc_params@entry=0x7fffffffd560, args=args@entry=0x7fffffffd590, dxpl_id=0xb00000000000008, 
    req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#29 0x00007ffff7d0940a in H5L__iterate_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, op_data=0x0, op=0x555555560270 <dump_all_cb>, idx_p=0x0, 
    order=H5_ITER_INC, idx_type=H5_INDEX_NAME, group_id=0x200000000000001) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1659
#30 H5Literate2 (group_id=group_id@entry=0x200000000000001, idx_type=idx_type@entry=H5_INDEX_NAME, order=H5_ITER_INC, idx_p=0x0, 
    op=0x555555560270 <dump_all_cb>, op_data=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1695
#31 0x000055555555d76c in link_iteration (crt_order_flags=<optimized out>, gid=0x200000000000001)
    at /home/zxq/CVE_testing/source/hdf5/tools/src/h5dump/h5dump_ddl.c:614
#32 dump_group (gid=0x200000000000001, name=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5dump/h5dump_ddl.c:886
#33 0x00005555555599cc in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe2d8) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5dump/h5dump.c:1547
#34 0x00007ffff799f0b3 in __libc_start_main (main=0x555555559420 <main>, argc=0x2, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
#35 0x000055555555aeae in _start ()

ZFeiXQ avatar Dec 18 '21 14:12 ZFeiXQ

The current develop branch still fails.

byrnHDF avatar Nov 21 '22 21:11 byrnHDF

Fixed in develop. h5dump exits with an error code, no segfault, and no memory leaks.

derobins avatar May 04 '23 20:05 derobins