
CVE-2021-46244: Divide By Zero in H5T__complete_copy () at /hdf5/src/H5T.c:3613 · Issue #1327 · HDFGroup/hdf5

A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 via the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an arithmetic exception (SIGFPE), leading to a Denial of Service (DoS).


Version:

h5format_convert: Version 1.13.1-1

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

POC.zip

Result

bt

program received signal SIGFPE, Arithmetic exception.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
RCX: 0x21000004 
RDX: 0x0 
RSI: 0x0 
RDI: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
RBP: 0x55555594a250 --> 0x0 
RSP: 0x7fffffffd290 --> 0x21000004 
RIP: 0x55555570bb5f (<H5T__complete_copy+543>:  div    rsi)
R8 : 0x55555570ea80 (<H5T__copy_all>:   endbr64)
R9 : 0x7ffff7e55c50 --> 0x7ffff7e55c40 --> 0x7ffff7e55c30 --> 0x7ffff7e55c20 --> 0x7ffff7e55c10 --> 0x7ffff7e55c00 (--> ...)
R10: 0x5555558fc010 --> 0x2000000010000 
R11: 0x7ffff7e55be0 --> 0x55555594ff50 --> 0x0 
R12: 0x1 
R13: 0x55555594e740 --> 0x555555949930 --> 0x0 
R14: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555570bb54 <H5T__complete_copy+532>: imul   rax,rcx
   0x55555570bb58 <H5T__complete_copy+536>: sub    rcx,rsi
   0x55555570bb5b <H5T__complete_copy+539>: add    QWORD PTR [rsp],rcx
=> 0x55555570bb5f <H5T__complete_copy+543>: div    rsi
   0x55555570bb62 <H5T__complete_copy+546>: mov    QWORD PTR [rbx+0x10],rax
   0x55555570bb66 <H5T__complete_copy+550>: mov    rax,QWORD PTR [rsp+0x28]
   0x55555570bb6b <H5T__complete_copy+555>: add    r12d,0x1
   0x55555570bb6f <H5T__complete_copy+559>: cmp    DWORD PTR [rax+0x34],r12d
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd290 --> 0x21000004 
0008| 0x7fffffffd298 --> 0x55555570ea80 (<H5T__copy_all>:   endbr64)
0016| 0x7fffffffd2a0 --> 0x555555949f80 --> 0x55555594a050 --> 0x7ffff7e55b00 --> 0x0 
0024| 0x7fffffffd2a8 --> 0x55555593f2d0 --> 0x0 
0032| 0x7fffffffd2b0 --> 0x555555922020 --> 0x0 
0040| 0x7fffffffd2b8 --> 0x55555593f340 --> 0x0 
0048| 0x7fffffffd2c0 --> 0x55555594e740 --> 0x555555949930 --> 0x0 
0056| 0x7fffffffd2c8 --> 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGFPE
0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
    copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
3613                            new_dt->shared->u.compnd.memb[i].size =
gdb-peda$ bt
#0  0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
    copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
#1  0x000055555570c1f6 in H5T_copy (old_dt=0x555555922020, method=method@entry=H5T_COPY_ALL) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3774
#2  0x0000555555680aa8 in H5O__dtype_copy (_src=<optimized out>, _dst=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1215
#3  0x000055555568fe89 in H5O_msg_read_oh (f=0x555555941400, oh=oh@entry=0x55555594e470, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:521
#4  0x0000555555690129 in H5O_msg_read (loc=loc@entry=0x555555947d60, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
#5  0x00005555555cb237 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555947d60) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
#6  H5D_open (loc=loc@entry=0x7fffffffd520, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
#7  0x00005555555cbfe8 in H5D__open_name (loc=loc@entry=0x7fffffffd5a0, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=dapl_id@entry=0xb00000000000007)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1447
#8  0x00005555557a09e2 in H5VL__native_dataset_open (obj=<optimized out>, loc_params=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=<optimized out>, 
    req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_dataset.c:251
#9  0x000055555578c488 in H5VL__dataset_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, dapl_id=0xb00000000000007, name=0x55555594e230 "/BAG_root/tracking_list", loc_params=0x7fffffffd630, 
    obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1944
#10 H5VL_dataset_open (vol_obj=0x555555944740, loc_params=loc_params@entry=0x7fffffffd630, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=0xb00000000000008, 
    req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1976
#11 0x00005555555bb5e2 in H5D__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, dapl_id=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", loc_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:356
#12 H5Dopen2 (loc_id=0x100000000000000, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:396
#13 0x0000555555563784 in convert (fid=<optimized out>, dname=0x55555594e230 "/BAG_root/tracking_list") at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:213
#14 0x0000555555563d88 in convert_dsets_cb (path=0x55555594e230 "/BAG_root/tracking_list", oi=<optimized out>, already_visited=<optimized out>, _fid=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:363
#15 0x000055555557c8ca in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffe150) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
#16 0x00005555556296a6 in H5G__visit_cb (lnk=0x7fffffffd8f0, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1016
#17 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x8a0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffda30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#18 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x348, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffda30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#19 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffda30) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#20 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x7fffffffdbb0, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
    op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#21 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x7fffffffdbb0, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
    op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#22 0x00005555556299e6 in H5G__visit_cb (lnk=<optimized out>, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1101
#23 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x5e0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffddc0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#24 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x88, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffddc0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#25 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffddc0) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#26 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x555555944ac8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
    op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#27 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x555555944ac8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
    op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#28 0x000055555562b044 in H5G_visit (loc=loc@entry=0x7fffffffdfd0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, op=<optimized out>, op_data=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
#29 0x00005555557a53b5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffe050, args=0x7fffffffe080, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
#30 0x00005555557943c0 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffe080, loc_params=0x7fffffffe050, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#31 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555944740, loc_params=loc_params@entry=0x7fffffffe050, args=args@entry=0x7fffffffe080, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#32 0x000055555565f021 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555810903 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
    op=op@entry=0x55555557c710 <traverse_cb>, op_data=op_data@entry=0x7fffffffe150, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
#33 0x000055555557dd7e in traverse (fields=0x1, visitor=0x7fffffffe110, recurse=0x1, visit_start=<optimized out>, grp_name=0x555555810903 "/", file_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
#34 h5trav_visit (fid=0x100000000000000, grp_name=0x555555810903 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, udata=0x7fffffffe220, 
    fields=0x1) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#35 0x000055555556324d in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:426
#36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
    at ../csu/libc-start.c:308
#37 0x00005555555633ee in _start () at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:166
