CVE-2021-37501 #3220
This crash is a heap-buffer-overflow in h5tools_str_sprint (tools/lib/h5tools_str.c:706), reached from h5dump while it prints attribute data. Per the ASAN report below it is an out-of-bounds READ of 8 bytes from a 1-byte heap region allocated by h5tools_dump_simple_mem (tools/lib/h5tools_dump.c:1866): the size used for the allocation and the element size assumed by the printing code disagree, presumably because the attribute datatype in the crafted file is malformed (to be confirmed against the file). Impact: running h5dump on an attacker-supplied file crashes the tool (the ASAN build aborts; the fuzzer-assigned file name `sig:11` suggests a non-instrumented build segfaults), with the usual out-of-bounds-read risk that adjacent heap contents end up formatted into the dump output.
Affected HDF5 versions (reproduced): 1.12.0 and 1.13.0
System: Ubuntu 20.04, gcc 9.3.0, build instrumented with AddressSanitizer
Target: h5dump
Command: /path/to/h5dump poc   (poc = the attached cve-2021-37501.h5)
h5dump output up to the crash, followed by the ASAN report:
HDF5 "id:000033,sig:11,src:000000,op:flip1,pos:1975" {
GROUP "/" {
ATTRIBUTE "backend" {
DATATYPE H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
}
DATASPACE SCALAR
DATA {
(0nknownu): "tensorflow"
}
}
ATTRIBUTE "keras_version" {
DATATYPE H5T_STRING {
STRSIZE H5T_VARIABLE;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
}
DATASPACE SCALAR
DATA {
(0nknownu): "2.0.8"
}
}
ATTRIBUTE "layer_names" {
DATATYPE H5T_STRING {
STRSIZE 14;
STRPAD H5T_STR_NULLPAD;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
}
DATASPACE SIMPLE { ( 8nknownu ) / ( 8nknownu ) }
DATA {
(0nknownu): "input_1\000\000\000\000\000\000\000",
(1nknownu): "block1_conv1\000\000", "block1_pool1\000\000",
(3nknownu): "block2_conv1\000\000", "block2_pool1\000\000",
(5nknownu): "flatten\000\000\000\000\000\000\000", "before_softmax",
(7nknownu): "predictions\000\000\000"
}
}
GROUP "before_softmax" {
ATTRIBUTE "weight_names" {
DATATYPE H5T_STRING {
STRSIZE 23;
STRPAD H5T_STR_NULLPAD;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
}
DATASPACE SIMPLE { ( 2nknownu ) / ( 2nknownu ) }
DATA {
(0nknownu): "before_softmax/kernel:0",
(1nknownu): "before_softmax/bias:0\000\000"
}
}
GROUP "before_softmax" {
DATASET "bias:0" {
DATATYPE H5T_IEEE_F32LE
DATASPACE SIMPLE { ( 10nknownu ) / ( 10nknownu ) }
DATA {
(0nknownu): -0.00829703, -0.00118377, 0.00275684, -0.00274523,
(4nknownu): -0.0190003, 0.0456237, -0.0324748, -0.0142213,
(8nknownu): 0.00443192, 0.00534396
}
}
DATASET "kernel:0" {
DATATYPE H5T_IEEE_F32LE
DATASPACE SIMPLE { ( 588nknownu, 10nknownu ) / ( 588nknownu,
10nknownu ) }
DATA {
(0nknownu,0nknownu): -0.00366769, -0.0335514, 0.0580021,
(0nknownu,3nknownu): -0.057316, -0.0169165, -0.0424381,
<removed part of the message because of its length, see attachment1.txt for full message>
(4nknownu,3nknownu,0=================================================================
==75016==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000450 at pc 0x561d3df5f5bc bp 0x7ffe1a458100 sp 0x7ffe1a4580f0
READ of size 8 at 0x602000000450 thread T0
#0 0x561d3df5f5bb in h5tools_str_sprint
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_str.c:706
#1 0x561d3df15ebb in h5tools_dump_simple_data
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:306
#2 0x561d3df23eaf in h5tools_dump_simple_mem
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:1872
#3 0x561d3df23eaf in h5tools_dump_mem
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:2032
#4 0x561d3df4bb80 in h5tools_dump_data
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:4435
#5 0x561d3df4fa33 in h5tools_dump_attribute
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:3872
#6 0x561d3deb3f6a in dump_attr_cb
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:132
#7 0x7f7686db85a6 in H5A__attr_iterate_table
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:1958
#8 0x7f76877b8bcd in H5O_attr_iterate_real
/home/wh4lter/Workspace/hdf5/src/H5Oattribute.c:1270
#9 0x7f76877bb216 in H5O__attr_iterate
/home/wh4lter/Workspace/hdf5/src/H5Oattribute.c:1314
#10 0x7f7686dc90f8 in H5A__iterate_common
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:2710
#11 0x7f7686dc90f8 in H5A__iterate
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:2768
#12 0x7f76881e440d in H5VL__native_attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLnative_attr.c:493
#13 0x7f768813ac0b in H5VL__attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:1499
#14 0x7f7688153b5f in H5VL_attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:1533
#15 0x7f7686d719b3 in H5Aiterate2
/home/wh4lter/Workspace/hdf5/src/H5A.c:1928
#16 0x561d3deb50e9 in attr_iteration
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:589
#17 0x561d3deb88a4 in dump_group
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:885
#18 0x561d3decb885 in dump_all_cb
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:229
#19 0x7f76874a997b in H5G__iterate_cb
/home/wh4lter/Workspace/hdf5/src/H5Gint.c:920
#20 0x7f76874e26ed in H5G__node_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gnode.c:967
#21 0x7f7686df7cbe in H5B__iterate_helper
/home/wh4lter/Workspace/hdf5/src/H5B.c:1155
#22 0x7f7686e00752 in H5B_iterate
/home/wh4lter/Workspace/hdf5/src/H5B.c:1197
#23 0x7f768750af20 in H5G__stab_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gstab.c:536
#24 0x7f76874f4771 in H5G__obj_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gobj.c:672
#25 0x7f76874b4bec in H5G_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gint.c:976
#26 0x7f76876e7bba in H5L_iterate
/home/wh4lter/Workspace/hdf5/src/H5Lint.c:2276
#27 0x7f76882094c3 in H5VL__native_link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLnative_link.c:366
#28 0x7f768814151b in H5VL__link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:5288
#29 0x7f768818b1cf in H5VL_link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:5322
#30 0x7f7687699f8a in H5L__iterate_api_common
/home/wh4lter/Workspace/hdf5/src/H5L.c:1659
#31 0x7f76876b2f1a in H5Literate2
/home/wh4lter/Workspace/hdf5/src/H5L.c:1695
#32 0x561d3deb835a in link_iteration
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:614
#33 0x561d3deb835a in dump_group
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:886
#34 0x561d3dea46d7 in main
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump.c:1628
#35 0x7f76867e10b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#36 0x561d3deacc2d in _start (/usr/local/hdf5/bin/h5dump+0x2cc2d)
0x602000000451 is located 0 bytes to the right of 1-byte region
[0x602000000450,0x602000000451)
allocated by thread T0 here:
#0 0x7f7688949bc8 in malloc
(/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x561d3df2396a in h5tools_dump_simple_mem
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:1866
#2 0x561d3df2396a in h5tools_dump_mem
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:2032
#3 0x561d3df4bb80 in h5tools_dump_data
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:4435
#4 0x561d3df4fa33 in h5tools_dump_attribute
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_dump.c:3872
#5 0x561d3deb3f6a in dump_attr_cb
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:132
#6 0x7f7686db85a6 in H5A__attr_iterate_table
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:1958
#7 0x7f76877b8bcd in H5O_attr_iterate_real
/home/wh4lter/Workspace/hdf5/src/H5Oattribute.c:1270
#8 0x7f76877bb216 in H5O__attr_iterate
/home/wh4lter/Workspace/hdf5/src/H5Oattribute.c:1314
#9 0x7f7686dc90f8 in H5A__iterate_common
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:2710
#10 0x7f7686dc90f8 in H5A__iterate
/home/wh4lter/Workspace/hdf5/src/H5Aint.c:2768
#11 0x7f76881e440d in H5VL__native_attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLnative_attr.c:493
#12 0x7f768813ac0b in H5VL__attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:1499
#13 0x7f7688153b5f in H5VL_attr_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:1533
#14 0x7f7686d719b3 in H5Aiterate2
/home/wh4lter/Workspace/hdf5/src/H5A.c:1928
#15 0x561d3deb50e9 in attr_iteration
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:589
#16 0x561d3deb88a4 in dump_group
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:885
#17 0x561d3decb885 in dump_all_cb
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:229
#18 0x7f76874a997b in H5G__iterate_cb
/home/wh4lter/Workspace/hdf5/src/H5Gint.c:920
#19 0x7f76874e26ed in H5G__node_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gnode.c:967
#20 0x7f7686df7cbe in H5B__iterate_helper
/home/wh4lter/Workspace/hdf5/src/H5B.c:1155
#21 0x7f7686e00752 in H5B_iterate
/home/wh4lter/Workspace/hdf5/src/H5B.c:1197
#22 0x7f768750af20 in H5G__stab_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gstab.c:536
#23 0x7f76874f4771 in H5G__obj_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gobj.c:672
#24 0x7f76874b4bec in H5G_iterate
/home/wh4lter/Workspace/hdf5/src/H5Gint.c:976
#25 0x7f76876e7bba in H5L_iterate
/home/wh4lter/Workspace/hdf5/src/H5Lint.c:2276
#26 0x7f76882094c3 in H5VL__native_link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLnative_link.c:366
#27 0x7f768814151b in H5VL__link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:5288
#28 0x7f768818b1cf in H5VL_link_specific
/home/wh4lter/Workspace/hdf5/src/H5VLcallback.c:5322
#29 0x7f7687699f8a in H5L__iterate_api_common
/home/wh4lter/Workspace/hdf5/src/H5L.c:1659
#30 0x7f76876b2f1a in H5Literate2
/home/wh4lter/Workspace/hdf5/src/H5L.c:1695
#31 0x561d3deb835a in link_iteration
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:614
#32 0x561d3deb835a in dump_group
/home/wh4lter/Workspace/hdf5/tools/src/h5dump/h5dump_ddl.c:886
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/wh4lter/Workspace/hdf5/tools/lib/h5tools_str.c:706 in
h5tools_str_sprint
Shadow bytes around the buggy address:
0x0c047fff8030: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff8040: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8060: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8070: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c047fff8080: fa fa 00 01 fa fa 01 fa fa fa[01]fa fa fa fa fa
0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==75016==ABORTING
poc: cve-2021-37501.h5
attachment1.txt