Bug: Heap-based Buffer Overflow in H5SM_delete #5329

Open
sae-as-me opened this issue Feb 21, 2025 · 0 comments
sae-as-me commented Feb 21, 2025

Affected Projects

hdf5 v1.14.6 (https://github.com/HDFGroup/hdf5)

Problem Type

CWE-122: Heap-based Buffer Overflow

Description

Summary

A heap-buffer-overflow vulnerability was discovered in the H5SM_delete function within the HDF5 Library. This issue occurs when processing certain .h5 files, leading to an out-of-bounds read and potential application crash.

Details

The vulnerability arises in the H5SM_delete function defined in H5SM.c at line 1542. The function fails to properly check the buffer boundaries, resulting in a read operation beyond the allocated memory.

PoC

Steps to reproduce:

  1. Clone the hdf5 repository and build it using the following commands:

     export CC='clang'
     export CFLAGS='-fsanitize=address,fuzzer-no-link -O1 -g'
     export CXX='clang++'
     export CXXFLAGS='-fsanitize=address,fuzzer -O1 -g'

     export LDFLAGS="${CFLAGS}"
     export CMAKE_C_FLAGS="${CC} ${CFLAGS}"
     export CMAKE_CXX_FLAGS="${CXX} ${CXXFLAGS}"

     mkdir build-dir
     cd build-dir
     cmake -G "Unix Makefiles" \
         -DCMAKE_BUILD_TYPE:STRING=Release \
         -DBUILD_SHARED_LIBS:BOOL=OFF \
         -DBUILD_TESTING:BOOL=OFF \
         -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
         -DHDF5_BUILD_EXAMPLES:BOOL=OFF \
         -DHDF5_BUILD_TOOLS:BOOL=OFF \
         -DHDF5_ENABLE_SANITIZERS:BOOL=ON \
         -DHDF5_ENABLE_Z_LIB_SUPPORT:BOOL=ON \
         ..

     cmake --build . --verbose --config Release -j$(nproc)

  2. Compile the fuzzer (the object file is written to the current directory and then linked against the static library built in step 1):

     $CC $CFLAGS -std=c99 -c \
       -I$SRC/hdf5/src -I$SRC/hdf5/build-dir/src -I./src/H5FDsubfiling/ \
       $SRC/h5_extended_fuzzer.c
     $CXX $CXXFLAGS h5_extended_fuzzer.o ./build-dir/bin/libhdf5.a -lz -o $OUT/h5_extended_fuzzer

  3. Run the fuzzer on the attached crash file (h5_extended_crash.h5) to trigger the segmentation fault:

     ./h5_extended_fuzzer h5_extended_crash.h5

The invalid read access will cause AddressSanitizer to report a segmentation fault during the execution of the post-processing logic.

Report

=================================================================
==19366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003600 at pc 0x594e12c33276 bp 0x7ffcd25f1e70 sp 0x7ffcd25f1e68
READ of size 4 at 0x602000003600 thread T0
    #0 0x594e12c33275 in H5SM_delete /fuzz/hdf5/hdf5/src/H5SM.c:1542:24
    #1 0x594e12a74d76 in H5O__msg_write_real /fuzz/hdf5/hdf5/src/H5Omessage.c:364:13
    #2 0x594e12a74507 in H5O_msg_write /fuzz/hdf5/hdf5/src/H5Omessage.c:246:9
    #3 0x594e1293f0c1 in H5G__stab_valid /fuzz/hdf5/hdf5/src/H5Gstab.c:1016:13
    #4 0x594e12937d92 in H5G_mkroot /fuzz/hdf5/hdf5/src/H5Groot.c:235:21
    #5 0x594e1283c0c4 in H5F_open /fuzz/hdf5/hdf5/src/H5Fint.c:2134:13
    #6 0x594e1315aee4 in H5VL__native_file_open /fuzz/hdf5/hdf5/src/H5VLnative_file.c:127:9
    #7 0x594e1311ceb8 in H5VL__file_open /fuzz/hdf5/hdf5/src/H5VLcallback.c:3714:25
    #8 0x594e1311c5e4 in H5VL_file_open /fuzz/hdf5/hdf5/src/H5VLcallback.c:3832:30
    #9 0x594e1281a3bd in H5F__open_api_common /fuzz/hdf5/hdf5/src/H5F.c:780:29
    #10 0x594e128199a9 in H5Fopen /fuzz/hdf5/hdf5/src/H5F.c:820:22
    #11 0x594e1268d114 in LLVMFuzzerTestOneInput /fuzz/hdf5/h5_extended_fuzzer.c:29:24
    #12 0x594e125b35a3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzz/fuzzers/h5_extended_fuzzer+0x4ed5a3) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #13 0x594e1259d31f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzz/fuzzers/h5_extended_fuzzer+0x4d731f) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #14 0x594e125a3076 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzz/fuzzers/h5_extended_fuzzer+0x4dd076) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #15 0x594e125cce92 in main (/fuzz/fuzzers/h5_extended_fuzzer+0x506e92) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #16 0x75ebbcb84d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x75ebbcb84e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x594e12597be4 in _start (/fuzz/fuzzers/h5_extended_fuzzer+0x4d1be4) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)

0x602000003600 is located 0 bytes to the right of 16-byte region [0x6020000035f0,0x602000003600)
allocated by thread T0 here:
    #0 0x594e1264fc1e in malloc (/fuzz/fuzzers/h5_extended_fuzzer+0x589c1e) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #1 0x594e128e8bcb in H5FL__malloc /fuzz/hdf5/hdf5/src/H5FL.c:211:30
    #2 0x594e128e8bcb in H5FL_reg_malloc /fuzz/hdf5/hdf5/src/H5FL.c:363:34
    #3 0x594e128e8f3f in H5FL_reg_calloc /fuzz/hdf5/hdf5/src/H5FL.c:395:30
    #4 0x594e12a92958 in H5O__stab_decode /fuzz/hdf5/hdf5/src/H5Ostab.c:97:25
    #5 0x594e12a761c0 in H5O_msg_read_oh /fuzz/hdf5/hdf5/src/H5Omessage.c:486:5
    #6 0x594e12a7589e in H5O_msg_read /fuzz/hdf5/hdf5/src/H5Omessage.c:430:30
    #7 0x594e1293ee15 in H5G__stab_valid /fuzz/hdf5/hdf5/src/H5Gstab.c:973:17
    #8 0x594e12937d92 in H5G_mkroot /fuzz/hdf5/hdf5/src/H5Groot.c:235:21
    #9 0x594e1283c0c4 in H5F_open /fuzz/hdf5/hdf5/src/H5Fint.c:2134:13
    #10 0x594e1315aee4 in H5VL__native_file_open /fuzz/hdf5/hdf5/src/H5VLnative_file.c:127:9
    #11 0x594e1311ceb8 in H5VL__file_open /fuzz/hdf5/hdf5/src/H5VLcallback.c:3714:25
    #12 0x594e1311c5e4 in H5VL_file_open /fuzz/hdf5/hdf5/src/H5VLcallback.c:3832:30
    #13 0x594e1281a3bd in H5F__open_api_common /fuzz/hdf5/hdf5/src/H5F.c:780:29
    #14 0x594e128199a9 in H5Fopen /fuzz/hdf5/hdf5/src/H5F.c:820:22
    #15 0x594e1268d114 in LLVMFuzzerTestOneInput /fuzz/hdf5/h5_extended_fuzzer.c:29:24
    #16 0x594e125b35a3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzz/fuzzers/h5_extended_fuzzer+0x4ed5a3) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #17 0x594e1259d31f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/fuzz/fuzzers/h5_extended_fuzzer+0x4d731f) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #18 0x594e125a3076 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzz/fuzzers/h5_extended_fuzzer+0x4dd076) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #19 0x594e125cce92 in main (/fuzz/fuzzers/h5_extended_fuzzer+0x506e92) (BuildId: 94dbfd103a0487b9d966258fd62fd95c8746440a)
    #20 0x75ebbcb84d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/hdf5/hdf5/src/H5SM.c:1542:24 in H5SM_delete
Shadow bytes around the buggy address:
==19366==ABORTING
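A small triage helper for reports like the one above, added here as an illustration (it is not the reporter's code nor part of HDF5). It pulls out the access kind and size, the region geometry, the first in-tree crash frame and the allocation site; skipping HDF5's H5FL free-list wrappers to find that site is an assumption, and the embedded report is a condensed copy of the one in this issue.

```python
import re

# Constructed sample: a condensed copy of the ASan report quoted in this issue
# (most frames dropped; the real report has a longer stack in each section).
SAMPLE_REPORT = """\
==19366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003600 at pc 0x594e12c33276 bp 0x7ffcd25f1e70 sp 0x7ffcd25f1e68
READ of size 4 at 0x602000003600 thread T0
    #0 0x594e12c33275 in H5SM_delete /fuzz/hdf5/hdf5/src/H5SM.c:1542:24
    #1 0x594e12a74d76 in H5O__msg_write_real /fuzz/hdf5/hdf5/src/H5Omessage.c:364:13
    #11 0x594e1268d114 in LLVMFuzzerTestOneInput /fuzz/hdf5/h5_extended_fuzzer.c:29:24
0x602000003600 is located 0 bytes to the right of 16-byte region [0x6020000035f0,0x602000003600)
allocated by thread T0 here:
    #0 0x594e1264fc1e in malloc (/fuzz/fuzzers/h5_extended_fuzzer+0x589c1e)
    #1 0x594e128e8bcb in H5FL__malloc /fuzz/hdf5/hdf5/src/H5FL.c:211:30
    #3 0x594e128e8f3f in H5FL_reg_calloc /fuzz/hdf5/hdf5/src/H5FL.c:395:30
    #4 0x594e12a92958 in H5O__stab_decode /fuzz/hdf5/hdf5/src/H5Ostab.c:97:25
SUMMARY: AddressSanitizer: heap-buffer-overflow /fuzz/hdf5/hdf5/src/H5SM.c:1542:24 in H5SM_delete
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")


def _frames(text, src_root, skip_prefix=""):
    """In-tree frames (file path under src_root), minus wrappers whose name starts with skip_prefix."""
    return [(fn, loc) for fn, loc in FRAME_RE.findall(text)
            if loc.startswith(src_root) and not (skip_prefix and fn.startswith(skip_prefix))]


def triage(report, src_root="/fuzz/hdf5/hdf5/src", alloc_wrapper_prefix="H5FL"):
    """Reduce an ASan heap-buffer-overflow report to the facts a triager needs.

    alloc_wrapper_prefix is an assumption about HDF5: H5FL* are its free-list
    allocator wrappers, so the meaningful allocation site is the first frame past them.
    """
    kind = ERROR_RE.search(report).group(1)
    op, size = ACCESS_RE.search(report).groups()
    off, side, region = REGION_RE.search(report).groups()
    access_part, _, alloc_part = report.partition("allocated by thread")
    # How far past the end of the region the access reaches (right-side overflow only).
    overrun = int(off) + int(size) if side == "right" else 0
    return {
        "kind": kind, "op": op, "size": int(size), "side": side,
        "region_len": int(region), "offset": int(off), "overrun_bytes": overrun,
        "crash_site": _frames(access_part, src_root)[0],
        "alloc_site": _frames(alloc_part, src_root, alloc_wrapper_prefix)[0],
        "memory_write": op == "WRITE",  # a WRITE past the region would be far more serious
    }
```

For this report the helper reduces the trace to a 4-byte read reaching 4 bytes past a 16-byte object allocated in H5O__stab_decode, which is the pair of locations a fix or a regression test needs to cover.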