allocation-size-too-big error in H5MM.c #4431

Open
gabe-sherman opened this issue Apr 21, 2024 · 2 comments · May be fixed by #5076
Labels: Component - C Library, Confirmed, Priority - 0. Blocker, Type - Bug / Bugfix, Type - Security

gabe-sherman commented Apr 21, 2024

An allocation-size-too-big error occurs in the h5dump program when provided with a malformed input. This behavior occurs at line 87 in H5MM.c.

How to trigger

LD_PRELOAD=path-to/libhdf5.so h5dump poc

POC File

https://github.com/FuturesLab/POC/blob/main/hdf5/poc-03

Test Environment

Ubuntu 22.04, 64bit

Version

Latest: 0394b03

Address Sanitizer Output

=================================================================
==1364666==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffff20 (0x720 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x5555565cc886 in __interceptor_realloc (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c)
    #1 0x5555566987aa in H5MM_realloc /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5MM.c:87:21
    #2 0x555556f79dc2 in H5AC_protect /home/gabesherman/harness_test/AutoHarn-Evaluation/hdf5/lib_asan/src/H5AC.c:1276:26

==1364666==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/home/gabesherman/harness_test/AutoHarn-Results/hdf5/autoharn-03/harness+0x1078886) (BuildId: 94291fc76aea62f5b3a7c090191c03989c9ebc1c) in __interceptor_realloc
==1364666==ABORTING

@derobins added this to the 1.14.5 milestone Apr 22, 2024
@derobins added the Priority - 0. Blocker, Component - C Library, Type - Bug / Bugfix and UNCONFIRMED labels Apr 22, 2024
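
A triage note on the size in the ASan report, as an added example that is not part of the original report and is not HDF5 code: 0xffffffffffffff20 is -224 when read as a signed 64-bit value, the usual signature of a length computation that went negative before reaching realloc. The page does not state the root cause, so the wrapping subtraction below, the function names and the sample lengths are assumptions chosen to reproduce the reported value; a 64-bit size_t is assumed, matching the reported test environment.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocator ceiling quoted in the ASan report above. */
#define ASAN_MAX_ALLOC ((size_t)0x10000000000ULL)

/* Triage helper: view a requested size as a signed 64-bit value. */
int64_t size_as_signed(size_t n) { return (int64_t)(uint64_t)n; }

/* Hypothetical cause: both lengths come from untrusted file metadata and
 * the subtraction wraps when declared_len < header_len. */
size_t payload_size_unchecked(uint64_t declared_len, uint64_t header_len)
{
    return (size_t)(declared_len - header_len);
}

/* Checked form: 0 on success, -1 if the lengths are inconsistent or
 * describe more bytes than the file actually contains. */
int payload_size_checked(uint64_t declared_len, uint64_t header_len,
                         uint64_t file_size, size_t *out)
{
    if (declared_len < header_len)
        return -1;
    uint64_t n = declared_len - header_len;
    if (n == 0 || n > file_size)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Hypothetical wrapper (not H5MM_realloc): refuse implausible sizes and
 * leave the caller's buffer untouched on failure. */
void *checked_realloc(void *p, size_t n, size_t limit)
{
    if (n == 0 || n > limit)
        return NULL;
    return realloc(p, n);
}

int main(void)
{
    size_t reported = (size_t)0xffffffffffffff20ULL; /* from the ASan report */
    printf("reported size as signed: %lld\n", (long long)size_as_signed(reported));
    printf("unchecked 32 - 256: %#zx\n", payload_size_unchecked(32, 256));
    return 0;
}
```

Bounding a decoded length by the size of the file it was read from rejects this class of input before any allocation is attempted.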

@gabe-sherman (Author)

To add a bit more context, here is the harness that discovered this crash:

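#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdlib.h>
#include <hdf5.h>

int main(int argc, char *argv[])
{
    /* The input file path is the only argument; refuse to run without it. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hdf5-file>\n", argv[0]);
        return 1;
    }
    char *fuzzData = argv[1];

    /* Fixed group names chosen by the harness generator. */
    char H5Gcreate1var0[256];
    snprintf(H5Gcreate1var0, sizeof(H5Gcreate1var0), "yhoom");
    char H5Gcreate2var0[256];
    snprintf(H5Gcreate2var0, sizeof(H5Gcreate2var0), "7td9h");

    /* Flags 1 == H5F_ACC_RDWR, access property list 0 == H5P_DEFAULT. */
    hid_t H5Fopenval1 = H5Fopen(fuzzData, 1, 0);
    /* Generated check: fuzzData aliases argv[1], so this never fires. */
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    /* Failures are reported but execution continues, as in the original. */
    if (H5Fopenval1 < 0) {
        fprintf(stderr, "err");
    }

    /* Deprecated API: the third argument is the size hint. */
    hid_t H5Gcreate1val1 = H5Gcreate1(H5Fopenval1, H5Gcreate1var0, 1);
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    if (H5Gcreate1val1 < 0) {
        fprintf(stderr, "err");
    }

    /* The three property lists are 0 == H5P_DEFAULT. */
    hid_t H5Gcreate2val1 = H5Gcreate2(H5Gcreate1val1, H5Gcreate2var0, 0, 0, 0);
    if (strcmp(argv[1], fuzzData)) {
        fprintf(stderr, "err");
    }
    if (H5Gcreate2val1 < 0) {
        fprintf(stderr, "err");
    }
    return 0;
}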

@derobins added the Type - Security label Jun 25, 2024
@hyoklee added the Confirmed label and removed the UNCONFIRMED label Aug 27, 2024

@bmribler (Contributor)

This one has the same issue as GH-4435.

@derobins derobins modified the milestones: 1.14.5, 2.0.0 Oct 15, 2024
@bmribler bmribler linked a pull request Nov 6, 2024 that will close this issue