CVE-2021-45833: stack-buffer-overflow at H5D__create_chunk_file_map_hyper /hdf5/src/H5Dchunk.c:1927 · Issue #1313 · HDFGroup/hdf5

A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).

Version:

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

POC3.zip

ASAN information

================================================================
==3192859==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc401ba928 at pc 0x5582bd69885b bp 0x7ffc401b8720 sp 0x7ffc401b8710
READ of size 8 at 0x7ffc401ba928 thread T0
    #0 0x5582bd69885a in H5D__create_chunk_file_map_hyper /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1927
    #1 0x5582bd69885a in H5D__chunk_io_init_selections /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1250
    #2 0x5582bd69885a in H5D__chunk_io_init /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1129
    #3 0x5582bd14a71e in H5D__read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dio.c:250
    #4 0x5582bd60459a in H5VL__native_dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_dataset.c:293
    #5 0x5582bd5d6442 in H5VL__dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:2045
    #6 0x5582bd5d6442 in H5VL_dataset_read /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:2077
    #7 0x5582bd11da4d in H5D__read_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5D.c:968
    #8 0x5582bd11da4d in H5Dread /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5D.c:1020
    #9 0x5582bd04b454 in h5tools_dump_simple_dset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:1755
    #10 0x5582bd04b454 in h5tools_dump_dset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:1956
    #11 0x5582bd05fa5f in h5tools_dump_data /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/lib/h5tools_dump.c:4425
    #12 0x5582bd01bb3c in dump_dataset /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:1046
    #13 0x5582bd0245c1 in dump_all_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:350
    #14 0x5582bd23d995 in H5G__iterate_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:866
    #15 0x5582bd23d995 in H5G__iterate_cb /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:839
    #16 0x5582bd24e3ec in H5G__node_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gnode.c:967
    #17 0x5582bd67e5a3 in H5B__iterate_helper /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5B.c:1152
    #18 0x5582bd681cca in H5B_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5B.c:1194
    #19 0x5582bd25b699 in H5G__stab_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gstab.c:536
    #20 0x5582bd255216 in H5G__obj_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gobj.c:672
    #21 0x5582bd24061c in H5G_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Gint.c:922
    #22 0x5582bd2dc94f in H5L_iterate /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Lint.c:2243
    #23 0x5582bd610f3e in H5VL__native_link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLnative_link.c:366
    #24 0x5582bd5e75fe in H5VL__link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:5305
    #25 0x5582bd5e75fe in H5VL_link_specific /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5VLcallback.c:5339
    #26 0x5582bd2cec7f in H5L__iterate_api_common /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5L.c:1659
    #27 0x5582bd2cec7f in H5Literate2 /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5L.c:1695
    #28 0x5582bd01acc1 in link_iteration /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:614
    #29 0x5582bd01acc1 in dump_group /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump_ddl.c:886
    #30 0x5582bd00f1e0 in main /home/zxq/CVE_testing/source/hdf5-add/hdf5/tools/src/h5dump/h5dump.c:1547
    #31 0x7ff7f59ae0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #32 0x5582bd01520d in _start (/home/zxq/CVE_testing/source/hdf5-add/hdf5/build/bin/h5dump+0x17c20d)

Address 0x7ffc401ba928 is located in stack of thread T0 at offset 8472 in frame
    #0 0x5582bd691fbf in H5D__chunk_io_init /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1071

  This frame has 35 object(s):
    [32, 33) 'bogus' (line 1166)
    [48, 56) 'udata' (line 1256)
    [80, 88) 'tmp_fchunk' (line 1809)
    [112, 120) 'chunk_points' (line 2151)
    [144, 152) 'tmp_count' (line 2152)
    [176, 200) 'iter_op' (line 1255)
    [240, 264) 'iter_op' (line 1297)
    [304, 336) 'is_partial_dim' (line 1615)
    [368, 624) 'file_dims' (line 1605)
    [688, 944) 'zeros' (line 1607)
    [1008, 1264) 'coords' (line 1609)
    [1328, 1584) 'end' (line 1610)
    [1648, 1904) 'scaled' (line 1611)
    [1968, 2224) 'curr_partial_clip' (line 1613)
    [2288, 2544) 'partial_dim_size' (line 1614)
    [2608, 2864) 'start_scaled' (line 1817)
    [2928, 3184) 'scaled' (line 1818)
    [3248, 3504) 'file_sel_start' (line 1987)
    [3568, 3824) 'file_sel_end' (line 1988)
    [3888, 4144) 'mem_sel_start' (line 1989)
    [4208, 4464) 'mem_sel_end' (line 1990)
    [4528, 4784) 'adjust' (line 1991)
    [4848, 5104) 'coords' (line 2036)
    [5168, 5424) 'chunk_adjust' (line 2037)
    [5488, 5744) 'mem_sel_start' (line 2140)
    [5808, 6064) 'mem_sel_end' (line 2141)
    [6128, 6392) 'old_offset' (line 1073)
    [6464, 6728) 'coords' (line 1520)
    [6800, 7064) 'sel_start' (line 1521)
    [7136, 7400) 'sel_end' (line 1522)
    [7472, 7736) 'sel_start' (line 1810)
    [7808, 8072) 'sel_end' (line 1811)
    [8144, 8408) 'start_coords' (line 1813)
    [8480, 8744) 'coords' (line 1814) <== Memory access at offset 8472 underflows this variable
    [8816, 9080) 'end' (line 1815)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zxq/CVE_testing/source/hdf5-add/hdf5/src/H5Dchunk.c:1927 in H5D__create_chunk_file_map_hyper
Shadow bytes around the buggy address:
  0x10000802f4d0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f4f0: 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x10000802f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f510: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
=>0x10000802f520: f2 f2 f2 f2 f2[f2]00 00 00 00 00 00 00 00 00 00
  0x10000802f530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f540: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10000802f550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000802f570: 00 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3192859==ABORTING
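The frame listing in the report above is enough to place the fault by hand: offset 8472 lies 8 bytes below 'coords' [8480, 8744), a 264-byte object, which is 33 eight-byte elements, so the READ of size 8 is exactly one element before the start of that array. The Python below is added here as a triage aid; it is not part of the issue and not HDF5 code. It parses ASAN's frame-object lines and resolves an access offset to the variable, the redzone side it sits on, and the element index. The listing entries and the offset/size are copied from the report above; the 8-byte element size is an assumption (hsize_t on a 64-bit build), and the rule for attributing a redzone access to a neighbouring object is this script's own heuristic, not ASAN's exact logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Entries copied from the "This frame has 35 object(s)" listing in the ASAN
# report above: the objects surrounding the fault plus the first two to show
# the line format. Offsets are bytes relative to the frame base.
FRAME_LISTING = """\
    [32, 33) 'bogus' (line 1166)
    [48, 56) 'udata' (line 1256)
    [6128, 6392) 'old_offset' (line 1073)
    [6464, 6728) 'coords' (line 1520)
    [6800, 7064) 'sel_start' (line 1521)
    [7136, 7400) 'sel_end' (line 1522)
    [7472, 7736) 'sel_start' (line 1810)
    [7808, 8072) 'sel_end' (line 1811)
    [8144, 8408) 'start_coords' (line 1813)
    [8480, 8744) 'coords' (line 1814)
    [8816, 9080) 'end' (line 1815)
"""

# Values printed by ASAN for this crash: "READ of size 8" at frame offset 8472.
FAULT_OFFSET = 8472
FAULT_SIZE = 8
# Assumption: the arrays are hsize_t, 8 bytes each on this 64-bit Ubuntu build.
ELEM_SIZE = 8

OBJ_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


@dataclass(frozen=True)
class FrameObject:
    start: int  # first byte of the object
    end: int    # one past its last byte
    name: str
    line: int   # source line of the declaration

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_frame_objects(listing: str) -> List[FrameObject]:
    """Parse ASAN's "[beg, end) 'name' (line N)" entries, sorted by offset."""
    objs = [FrameObject(int(b), int(e), n, int(ln)) for b, e, n, ln in OBJ_RE.findall(listing)]
    return sorted(objs, key=lambda o: o.start)


def locate_access(objs: List[FrameObject], offset: int, size: int) -> Dict[str, object]:
    """Attribute the access [offset, offset+size) to a frame object.

    Heuristic used here (this script's, not ASAN's exact rule): an access
    starting inside an object is 'inside'; one starting in a redzone is an
    'underflow' of the next object if it reaches into it or is nearer to it,
    otherwise an 'overflow' of the previous object.
    """
    if not objs:
        raise ValueError("no frame objects parsed")
    for o in objs:
        if o.start <= offset < o.end:
            return {"object": o, "relation": "inside", "distance": 0}
    below = [o for o in objs if o.end <= offset]
    above = [o for o in objs if o.start > offset]
    candidates = []
    if above:
        nxt = above[0]
        under = {"object": nxt, "relation": "underflow", "distance": nxt.start - offset}
        if offset + size > nxt.start:  # the access runs into the object itself
            return under
        candidates.append(under)
    if below:
        prv = below[-1]
        candidates.append({"object": prv, "relation": "overflow", "distance": offset - prv.end})
    return min(candidates, key=lambda c: c["distance"])


def element_index(obj: FrameObject, offset: int, elem_size: int) -> int:
    """Element index the access has if obj is an array of elem_size-byte items;
    negative means before element 0 (Python floor division keeps the sign)."""
    return (offset - obj.start) // elem_size


def triage(listing: str, offset: int, size: int, elem_size: int = ELEM_SIZE) -> Dict[str, object]:
    """Resolve a frame offset to (variable, relation, byte distance, element index)."""
    hit = locate_access(parse_frame_objects(listing), offset, size)
    obj = hit["object"]
    return {
        "name": obj.name,
        "decl_line": obj.line,
        "relation": hit["relation"],
        "distance": hit["distance"],
        "elements": obj.size // elem_size if obj.size % elem_size == 0 else None,
        "index": element_index(obj, offset, elem_size),
    }


if __name__ == "__main__":
    r = triage(FRAME_LISTING, FAULT_OFFSET, FAULT_SIZE)
    print(f"{r['relation']} of '{r['name']}' (declared at line {r['decl_line']}) "
          f"by {r['distance']} bytes: element index {r['index']} of {r['elements']}")
```

For this report the script resolves the fault to an underflow of 'coords' (declared at H5Dchunk.c line 1814) by 8 bytes, element index -1 of 33. Note that the frame has two objects named 'coords' (lines 1520 and 1814); the offset, not the name, identifies the one involved, which is why the resolver keys on byte ranges. The same parser can be pasted any other ASAN stack-frame listing to do the same arithmetic before opening the source at the reported line.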
