segmentation fault in h5stat #1317

Closed
ZFeiXQ opened this issue Dec 18, 2021 · 2 comments

ZFeiXQ commented Dec 18, 2021

Version:

Version 1.13.1-1

System information

Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

h5stat POC8

POC8.zip

result

segmentation fault

ASAN information

Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
3102  malloc.c: No such file or directory.
gdb-peda$ bt
#0  __GI___libc_free (mem=0x61626c6c6163206c) at malloc.c:3102
#1  0x000055555566ff52 in H5MM_xfree (mem=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5MM.c:557
#2  0x0000555555693fb1 in H5O__link_reset (_mesg=0x55555594d4b0) at /home/zxq/CVE_testing/source/hdf5/src/H5Olink.c:564
#3  0x0000555555695d8d in H5O__msg_reset_real (type=<optimized out>, type=<optimized out>, native=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:589
#4  H5O_msg_reset (type_id=type_id@entry=0x6, native=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:556
#5  0x0000555555631d78 in H5G__link_release_table (ltable=ltable@entry=0x7fffffffd990) at /home/zxq/CVE_testing/source/hdf5/src/H5Glink.c:517
#6  0x0000555555802355 in H5G__compact_iterate (oloc=oloc@entry=0x55555594d3d8, linfo=<optimized out>, idx_type=idx_type@entry=H5_INDEX_NAME, 
    order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gcompact.c:412
#7  0x000055555563887f in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x55555594d3d8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, 
    skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x55555562f110 <H5G__visit_cb>, op_data=0x7fffffffdb30)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:661
#8  0x0000555555630b64 in H5G_visit (loc=loc@entry=0x7fffffffdbc0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, 
    op=<optimized out>, op_data=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
#9  0x00005555557ae1f5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffdc40, args=0x7fffffffdc70, dxpl_id=<optimized out>, 
    req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
#10 0x000055555579d200 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffdc70, loc_params=0x7fffffffdc40, 
    obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#11 H5VL_link_specific (vol_obj=vol_obj@entry=0x55555594b890, loc_params=loc_params@entry=0x7fffffffdc40, args=args@entry=0x7fffffffdc70, 
    dxpl_id=0xb00000000000008, req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#12 0x0000555555664b41 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x5555558166e4 "/", 
    idx_type=H5_INDEX_NAME, order=H5_ITER_INC, op=op@entry=0x55555557eda0 <traverse_cb>, op_data=op_data@entry=0x7fffffffdd40, lapl_id=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
#13 0x000055555558040e in traverse (fields=0x1f, visitor=0x7fffffffdd00, recurse=0x1, visit_start=<optimized out>, grp_name=0x5555558166e4 "/", 
    file_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
#14 h5trav_visit (fid=0x100000000000000, grp_name=0x5555558166e4 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, 
    visit_lnk=<optimized out>, udata=0x7fffffffde80, fields=0x1f) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#15 0x0000555555563727 in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe308) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5stat/h5stat.c:1795
#16 0x00007ffff7c930b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8) at ../csu/libc-start.c:308
#17 0x0000555555563a3e in _start ()

carnil commented Jan 28, 2022

This appears to be CVE-2021-45829.

Contributor

byrnHDF commented Nov 21, 2022

Current develop fails by handling error:
Filename: POC8
HDF5-DIAG: Error detected in HDF5 (1.13.4-1) thread 0:
#000:/HDF_Projects/hdf5/dev/src/H5O.c line 1439 in H5Oget_native_info_by_name(): can't get native file format info for object: '/'
major: Object header
minor: Can't get value
#1: /HDF_Projects/hdf5/dev/src/H5VLcallback.c line 6196 in H5VL_object_optional(): unable to execute object optional callback
major: Virtual Object Layer
minor: Can't operate on object
#2: /HDF_Projects/hdf5/dev/src/H5VLcallback.c line 6164 in H5VL__object_optional(): unable to execute object optional callback
major: Virtual Object Layer
minor: Can't operate on object
#3: /HDF_Projects/hdf5/dev/src/H5VLnative_object.c line 531 in H5VL__native_object_optional(): object not found
major: Object header
minor: Object not found
#4: /HDF_Projects/hdf5/dev/src/H5Gloc.c line 881 in H5G_loc_native_info(): can't find object
major: Symbol table
minor: Object not found
#5: /HDF_Projects/hdf5/dev/src/H5Gtraverse.c line 836 in H5G_traverse(): internal path traversal failed
major: Symbol table
minor: Object not found
#6: /HDF_Projects/hdf5/dev/src/H5Gtraverse.c line 753 in H5G__traverse_real(): traversal operator failed
major: Symbol table
minor: Can't move to next iterator location
#7: /HDF_Projects/hdf5/dev/src/H5Gloc.c line 839 in H5G__loc_native_info_cb(): can't get object info
major: Symbol table
minor: Can't get value
#8:/HDF_Projects/hdf5/dev/src/H5Oint.c line 2319 in H5O_get_native_info(): can't retrieve object's btree & heap info
major: Object header
minor: Can't get value
#9: /HDF_Projects/hdf5/dev/src/H5Goh.c line 348 in H5O__group_bh_info(): unable to open v2 B-tree for name index
major: Symbol table
minor: Can't open object
#10: /HDF_Projects/hdf5/dev/src/H5B2.c line 208 in H5B2_open(): unable to protect v2 B-tree header
major: B-Tree node
minor: Unable to protect metadata
#11: /HDF_Projects/hdf5/dev/src/H5B2hdr.c line 529 in H5B2__hdr_protect(): unable to load v2 B-tree header, address = 18446744073694740479
major: B-Tree node
minor: Unable to protect metadata
#12:/HDF_Projects/hdf5/dev/src/H5AC.c line 1395 in H5AC_protect(): H5C_protect() failed
major: Object cache
minor: Unable to protect metadata
#13: /HDF_Projects/hdf5/dev/src/H5C.c line 2335 in H5C_protect(): can't load entry
major: Object cache
minor: Unable to load metadata into cache
#14: /HDF_Projects/hdf5/dev/src/H5C.c line 7179 in H5C__load_entry(): Can't read image*
major: Object cache
minor: Read failed
#15: /HDF_Projects/hdf5/dev/src/H5Fio.c line 140 in H5F_block_read(): attempting I/O in temporary file space
major: Low-level I/O
minor: Out of range
HDF5-DIAG: Error detected in HDF5 (1.13.4-1) thread 0:
#000: /HDF_Projects/hdf5/dev/src/H5L.c line 1988 in H5Lvisit_by_name2(): link visitation failed
major: Links
minor: Iteration failed
#1: /HDF_Projects/hdf5/dev/src/H5VLcallback.c line 5517 in H5VL_link_specific(): unable to execute link specific callback
major: Virtual Object Layer
minor: Can't operate on object
#2: /HDF_Projects/hdf5/dev/src/H5VLcallback.c line 5483 in H5VL__link_specific(): unable to execute link specific callback
major: Virtual Object Layer
minor: Can't operate on object
#3: /HDF_Projects/hdf5/dev/src/H5VLnative_link.c line 377 in H5VL__native_link_specific(): link visitation failed
major: Links
minor: Iteration failed
#4: /HDF_Projects/hdf5/dev/src/H5Gint.c line 1244 in H5G_visit(): can't visit links
major: Symbol table
minor: Iteration failed
#5: /HDF_Projects/hdf5/dev/src/H5Gobj.c line 662 in H5G__obj_iterate(): can't iterate over compact links
major: Symbol table
minor: Iteration failed
#6:/HDF_Projects/hdf5/dev/src/H5Gcompact.c line 403 in H5G__compact_iterate(): can't create link message table
major: Symbol table
minor: Unable to initialize object
#7: /HDF_Projects/hdf5/dev/src/H5Gcompact.c line 151 in H5G__compact_build_table(): error iterating over link messages
major: Symbol table
minor: Object not found
#8: /HDF_Projects/hdf5/dev/src/H5Omessage.c line 1174 in H5O_msg_iterate(): unable to iterate over object header messages
major: Object header
minor: Iteration failed
#9:/HDF_Projects/hdf5/dev/src/H5Omessage.c line 1236 in H5O__msg_iterate_real(): unable to decode message
major: Object header
minor: Unable to decode value
#10:/HDF_Projects/hdf5/dev/src/H5Olink.c line 130 in H5O__link_decode(): bad version number for message
major: Object header
minor: Unable to load metadata into cache
h5stat error: unable to traverse objects/links in file "POC8"
H5tools-DIAG: Error detected in HDF5:tools (1.13.4) thread 0:
#000: /HDF_Projects/hdf5/dev/tools/lib/h5trav.c line 1052 in h5trav_visit(): traverse failed
major: Failure in tools library
minor: error in function
#1:/HDF_Projects/hdf5/dev/tools/lib/h5trav.c line 284 in traverse(): H5Lvisit_by_name failed
major: Failure in tools library
minor: error in function
#2: /HDF_Projects/hdf5/dev/tools/src/h5stat/h5stat.c line 658 in obj_stats(): H5Oget_native_info_by_name failed
major: Failure in tools library
minor: error in function

byrnHDF closed this as completed Nov 21, 2022