allocation-size-too-big error in H5MM.c
An allocation-size-too-big error occurs in the h5dump program when it is given a malformed input file. The failing call is the realloc at line 87 of H5MM.c (H5MM_realloc), reached from H5AC_protect. The requested size, 0xffffffffffffff20, is consistent with a size_t that has wrapped around after arithmetic on file-controlled metadata; the exact origin of the value has not been traced here.
How to trigger
LD_PRELOAD=path-to/libhdf5.so h5dump poc
POC File
https://github.com/FuturesLab/POC/blob/main/hdf5/poc-03
Test Environment
Ubuntu 22.04, 64bit
Version
Latest: 0394b03f66dc45fe96e2c772b7bce293e4316ad2
Address Sanitizer Output
=================================================================
==1364666==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffff20 (0x720 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x5555565cc886 in __interceptor_realloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c)
#1 0x5555566987aa in H5MM_realloc /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5MM.c:87:21
#2 0x555556f79dc2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26
==1364666==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c) in __interceptor_realloc
==1364666==ABORTING
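Added illustration, not HDF5's code and not a claim about what H5AC_protect computes: a size_t of 0xffffffffffffff20 is what an unsigned subtraction that goes negative by 224 bytes looks like, and it is exactly the kind of value an allocation wrapper should refuse before the allocator sees it. The "total - consumed" computation and the 0x100/0x1e0 inputs are constructed for the demonstration; MAX_ALLOC reuses the 0x10000000000 limit ASan printed above only as a convenient bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on a single allocation. This is the "maximum supported size"
 * ASan reported (0x10000000000); a library would choose its own bound. */
#define MAX_ALLOC ((size_t)1 << 40)

/* Reinterpret a size_t as the signed value it would hold if it wrapped,
 * without relying on an implementation-defined out-of-range cast. */
int64_t size_as_signed(size_t sz)
{
    if (sz <= (size_t)INT64_MAX)
        return (int64_t)sz;
    return -(int64_t)(SIZE_MAX - sz) - 1;
}

/* Unchecked "remaining = total - consumed": a hypothetical way a wrapped
 * size such as 0xffffffffffffff20 can arise (constructed, not HDF5 code). */
size_t remaining_unchecked(size_t total, size_t consumed)
{
    return total - consumed;
}

/* Checked version: refuses to underflow. Returns 1 on success, 0 on failure. */
int remaining_checked(size_t total, size_t consumed, size_t *out)
{
    if (consumed > total)
        return 0;
    *out = total - consumed;
    return 1;
}

/* Checked base + count * elem_size, bounded by MAX_ALLOC. */
int grow_size_checked(size_t base, size_t count, size_t elem_size, size_t *out)
{
    size_t prod;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;                       /* multiplication would overflow */
    prod = count * elem_size;
    if (base > SIZE_MAX - prod)
        return 0;                       /* addition would overflow */
    if (base + prod > MAX_ALLOC)
        return 0;                       /* absurd for this format */
    *out = base + prod;
    return 1;
}

/* realloc wrapper that rejects absurd sizes before calling the allocator,
 * so a bad header field yields a clean error instead of an ASan abort. */
void *bounded_realloc(void *p, size_t nbytes)
{
    if (nbytes == 0 || nbytes > MAX_ALLOC)
        return NULL;
    return realloc(p, nbytes);
}

int main(void)
{
    size_t total = 0x100, consumed = 0x1e0, out;   /* constructed values */
    size_t wrapped = remaining_unchecked(total, consumed);

    printf("unchecked: 0x%zx (%lld as signed)\n",
           wrapped, (long long)size_as_signed(wrapped));
    if (!remaining_checked(total, consumed, &out))
        printf("checked: rejected consumed > total\n");
    if (bounded_realloc(NULL, wrapped) == NULL)
        printf("bounded_realloc: refused 0x%zx\n", wrapped);
    return 0;
}
```

Run on a 64-bit host, the unchecked subtraction prints 0xffffffffffffff20 (-224 as signed), matching the size in the ASan report; the checked variants reject it. When triaging an allocation-size-too-big report, reading the requested size as a signed 64-bit value is a quick way to tell a small underflow (as here) from a garbage length field.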
To add a bit more context, here is the harness that discovered this crash:
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdlib.h>
#include <hdf5.h>

/* Auto-generated harness: argv[1] is the fuzzer-provided HDF5 file.
 * The numeric arguments are the literal values the harness passed;
 * the HDF5 constants with those values are noted in comments.
 * The harness deliberately keeps going after a failed call. */
int main(int argc, char *argv[])
{
    char *fuzzData;
    char H5Gcreate1var0[256];
    char H5Gcreate2var0[256];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <hdf5-file>\n", argv[0]);
        return 1;
    }
    fuzzData = argv[1];
    snprintf(H5Gcreate1var0, sizeof H5Gcreate1var0, "yhoom");
    snprintf(H5Gcreate2var0, sizeof H5Gcreate2var0, "7td9h");

    /* 1 == H5F_ACC_RDWR, 0 == H5P_DEFAULT */
    hid_t H5Fopenval1 = H5Fopen(fuzzData, 1, 0);
    if (H5Fopenval1 < 0) {
        fprintf(stderr, "err\n");
    }

    /* Deprecated HDF5 1.6 API; the third argument is the size hint. */
    hid_t H5Gcreate1val1 = H5Gcreate1(H5Fopenval1, H5Gcreate1var0, 1);
    if (H5Gcreate1val1 < 0) {
        fprintf(stderr, "err\n");
    }

    /* lcpl_id, gcpl_id, gapl_id all 0 == H5P_DEFAULT */
    hid_t H5Gcreate2val1 = H5Gcreate2(H5Gcreate1val1, H5Gcreate2var0, 0, 0, 0);
    if (H5Gcreate2val1 < 0) {
        fprintf(stderr, "err\n");
    }

    return 0;
}