CVE-2021-45829: segmentation fault in h5stat · Issue #1317 · HDFGroup/hdf5

HDF5 1.13.1-1 is affected by a segmentation fault, which causes a denial of service.

Version:

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

POC8.zip

result

ASAN information

Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
3102  malloc.c: No such file or directory.
gdb-peda$ bt
#0  __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
#1  0x000055555566ff52 in H5MM_xfree (mem=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5MM.c:557
#2  0x0000555555693fb1 in H5O__link_reset (_mesg=0x55555594d4b0) at /home/zxq/CVE_testing/source/hdf5/src/H5Olink.c:564
#3  0x0000555555695d8d in H5O__msg_reset_real (type=<optimized out>, type=<optimized out>, native=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:589
#4  H5O_msg_reset (type_id=type_id@entry=0x6, native=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:556
#5  0x0000555555631d78 in H5G__link_release_table (ltable=ltable@entry=0x7fffffffd990) at /home/zxq/CVE_testing/source/hdf5/src/H5Glink.c:517
#6  0x0000555555802355 in H5G__compact_iterate (oloc=oloc@entry=0x55555594d3d8, linfo=<optimized out>, idx_type=idx_type@entry=H5_INDEX_NAME, 
    order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gcompact.c:412
#7  0x000055555563887f in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x55555594d3d8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
    skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:661
#8  0x0000555555630b64 in H5G_visit (loc=loc@entry=0x7fffffffdbc0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, 
    op=<optimized out>, op_data=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
#9  0x00005555557ae1f5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffdc40, args=0x7fffffffdc70, dxpl_id=<optimized out>, 
    req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
#10 0x000055555579d200 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffdc70, loc_params=0x7fffffffdc40, 
    obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#11 H5VL_link_specific (vol_obj=vol_obj@entry=0x55555594b890, loc_params=loc_params@entry=0x7fffffffdc40, args=args@entry=0x7fffffffdc70, 
    dxpl_id=0xb00000000000008, req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#12 0x0000555555664b41 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x5555558166e4 "/", 
    idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=op@entry=0x55555557eda0 <traverse_cb>, op_data=op_data@entry=0x7fffffffdd40, lapl_id=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
#13 0x000055555558040e in traverse (fields=0x1f, visitor=0x7fffffffdd00, recurse=0x1, visit_start=<optimized out>, grp_name=0x5555558166e4 "/", 
    file_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
#14 h5trav_visit (fid=0x100000000000000, grp_name=0x5555558166e4 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, 
    visit_lnk=<optimized out>, udata=0x7fffffffde80, fields=0x1f) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#15 0x0000555555563727 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe308) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5stat/h5stat.c:1795
#16 0x00007ffff7c930b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:308
#17 0x0000555555563a3e in _start ()
