Heap-buffer-overflow in H5A__read

Open tbeu opened this issue 10 months ago • 4 comments

Describe the bug

```
==5605==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000657c at pc 0x00000049ef41 bp 0x7ffd4583ea30 sp 0x7ffd4583e200
READ of size 8 at 0x60200000657c thread T0
SCARINESS: 23 (8-byte-read-heap-buffer-overflow)
    #0 0x49ef40 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x692165 in H5A__read hdf5/src/H5Aint.c:721:17
    #2 0xf5ef7f in H5VL__native_attr_read hdf5/src/H5VLnative_attr.c:213:22
    #3 0xf1fd95 in H5VL__attr_read hdf5/src/H5VLcallback.c:1204:9
    #4 0xf1fd95 in H5VL_attr_read hdf5/src/H5VLcallback.c:1235:9
    #5 0x67d103 in H5A__read_api_common hdf5/src/H5A.c:1006:9
    #6 0x67cc33 in H5Aread hdf5/src/H5A.c:1038:9

0x60200000657c is located 0 bytes to the right of 12-byte region [0x602000006570,0x60200000657c)
allocated by thread T0 here:
    #0 0x49fbb6 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x89e90e in H5FL__malloc hdf5/src/H5FL.c:231:30
    #2 0x89e90e in H5FL_blk_malloc hdf5/src/H5FL.c:848:40
    #3 0x9e2b56 in H5O__attr_decode hdf5/src/H5Oattr.c:280:43
    #4 0x9e2b56 in H5O__attr_shared_decode hdf5/src/H5Oshared.h:73:34
    #5 0xa6396f in H5O__msg_iterate_real hdf5/src/H5Omessage.c:1159:13
    #6 0x9e9212 in H5O__attr_open_by_name hdf5/src/H5Oattribute.c:493:17
    #7 0x691593 in H5A__open_by_name hdf5/src/H5Aint.c:629:25
    #8 0xf5ea34 in H5VL__native_attr_open hdf5/src/H5VLnative_attr.c:169:29
    #9 0xf1f33f in H5VL__attr_open hdf5/src/H5VLcallback.c:1104:30
    #10 0xf1f33f in H5VL_attr_open hdf5/src/H5VLcallback.c:1136:30
    #11 0x68d48a in H5A__open_common hdf5/src/H5A.c:459:17
    #12 0x679833 in H5A__open_by_name_api_common hdf5/src/H5A.c:636:22
    #13 0x6791f4 in H5Aopen_by_name hdf5/src/H5A.c:674:14
```

Additional context

Reported for c5c4713a9a0c940a6d20daad1152a3fc80b4fec5.

tbeu avatar Apr 08 '24 15:04 tbeu

We monitor oss-fuzz, so there's no need to re-create issues here. Also, these issues are not particularly useful without the poc files.

derobins avatar Apr 09 '24 15:04 derobins

Right. The issues are reported for libmatio (with restricted access only) and I do not know if the same issues are also reported for your setup. It's all due to #272.

tbeu avatar Apr 09 '24 16:04 tbeu

Here comes the testfile.zip

tbeu avatar Apr 09 '24 16:04 tbeu

This is verified as fixed now: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67806

tbeu avatar May 02 '24 20:05 tbeu