hdf5
hdf5 copied to clipboard
Published
20 hours ago •
HDFGroup
HDFGroup
A memory leak was found while testing h5_extended_fuzzer with libfuzzer
While testing h5_extended_fuzzer with libfuzzer, I found a memory leak
The reason for this vulnerability is: There is a direct leak that occurs when object creation is handled in the HDF5 library. The H5O_create_ohdr function attempted to allocate memory via H5FL_reg_calloc (it is based on H5FL_reg_malloc), but the memory could not be freed before the end of the program. In addition, H5O__chunk_deserialize, H5O__chunk_deserialize, H5O__alloc_msgs three functions also have the same leakage problem.
the following crash information:
=================================================================
==14==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 416 byte(s) in 1 object(s) allocated from:
#0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55ab3e0a3120 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
#2 0x55ab3e0a3120 in H5FL_reg_malloc /src/hdf5/src/H5FL.c:355:34
#3 0x55ab3e0a3408 in H5FL_reg_calloc /src/hdf5/src/H5FL.c:387:30
#4 0x55ab3e1cc07d in H5O_create_ohdr /src/hdf5/src/H5Oint.c:321:10
#5 0x55ab3e1cbd6f in H5O_create /src/hdf5/src/H5Oint.c:278:10
#6 0x55ab3e0db26e in H5G__obj_create_real /src/hdf5/src/H5Gobj.c:248:9
#7 0x55ab3e0dab38 in H5G__obj_create /src/hdf5/src/H5Gobj.c:137:9
#8 0x55ab3e0e179b in H5G_mkroot /src/hdf5/src/H5Groot.c:173:13
#9 0x55ab3e04b57f in H5F_open /src/hdf5/src/H5Fint.c:2070:13
#10 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
#11 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
#12 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
#13 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
#14 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
#15 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
#16 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#17 0x55ab3dd94bc1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:807:3
#18 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#19 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#20 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#21 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_reg_malloc
Indirect leak of 97 byte(s) in 1 object(s) allocated from:
#0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
#2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
#3 0x55ab3e19af5d in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1205:45
#4 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
#5 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
#6 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
#7 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
#8 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
#9 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
#10 0x55ab3e06567e in H5F__super_read /src/hdf5/src/H5Fsuper.c:693:23
#11 0x55ab3e04b302 in H5F_open /src/hdf5/src/H5Fint.c:2075:13
#12 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
#13 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
#14 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
#15 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
#16 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
#17 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
#18 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#19 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#20 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#21 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#22 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#23 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#24 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
#2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
#3 0x55ab3e19ae00 in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1190:26
#4 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
#5 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
#6 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
#7 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
#8 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
#9 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
#10 0x55ab3e0e27e6 in H5G_mkroot /src/hdf5/src/H5Groot.c:254:49
#11 0x55ab3e04b7d2 in H5F_open /src/hdf5/src/H5Fint.c:2098:13
#12 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
#13 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
#14 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
#15 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
#16 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
#17 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
#18 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#19 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#20 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#21 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#22 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#23 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#24 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
Indirect leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x55ab3dea1c5e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55ab3e0a3d36 in H5FL__malloc /src/hdf5/src/H5FL.c:203:30
#2 0x55ab3e0a3d36 in H5FL_blk_malloc /src/hdf5/src/H5FL.c:765:48
#3 0x55ab3e7f6ab5 in H5O__alloc_msgs /src/hdf5/src/H5Oalloc.c:435:29
#4 0x55ab3e19bc61 in H5O__chunk_deserialize /src/hdf5/src/H5Ocache.c:1328:21
#5 0x55ab3e195cb2 in H5O__cache_deserialize /src/hdf5/src/H5Ocache.c:300:9
#6 0x55ab3df5d8a9 in H5C__load_entry /src/hdf5/src/H5Centry.c:1193:26
#7 0x55ab3df5d8a9 in H5C_protect /src/hdf5/src/H5Centry.c:3101:30
#8 0x55ab3df0dd10 in H5AC_protect /src/hdf5/src/H5AC.c:1276:26
#9 0x55ab3e1d1e0b in H5O_protect /src/hdf5/src/H5Oint.c:988:32
#10 0x55ab3e1efb3a in H5O_msg_exists /src/hdf5/src/H5Omessage.c:787:23
#11 0x55ab3e0e27e6 in H5G_mkroot /src/hdf5/src/H5Groot.c:254:49
#12 0x55ab3e04b7d2 in H5F_open /src/hdf5/src/H5Fint.c:2098:13
#13 0x55ab3e66a103 in H5VL__native_file_open /src/hdf5/src/H5VLnative_file.c:127:9
#14 0x55ab3e63dc02 in H5VL__file_open /src/hdf5/src/H5VLcallback.c:3500:30
#15 0x55ab3e63dc02 in H5VL_file_open /src/hdf5/src/H5VLcallback.c:3649:30
#16 0x55ab3e03120a in H5F__open_api_common /src/hdf5/src/H5F.c:786:29
#17 0x55ab3e030a3b in H5Fopen /src/hdf5/src/H5F.c:826:22
#18 0x55ab3dee0e39 in LLVMFuzzerTestOneInput /src/h5_extended_fuzzer.c:29:24
#19 0x55ab3dd936c0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#20 0x55ab3dd92ee5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#21 0x55ab3dd94e72 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
#22 0x55ab3dd951a7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
#23 0x55ab3dd837b6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
#24 0x55ab3ddafce2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#25 0x7fd022e04082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
DEDUP_TOKEN: __interceptor_malloc--H5FL__malloc--H5FL_blk_malloc
SUMMARY: AddressSanitizer: 657 byte(s) leaked in 4 allocation(s).
The vulnerability trigger sample is attached. leak-f09dd087c9ceb2002b004890a9ef5d1e6532fcc0.zip
