

CVE-2021-46243: Untrusted Pointer Dereference in H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499 · Issue #1326 · HDFGroup/hdf5

An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 in the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499. The backtrace below shows the SIGSEGV occurring inside memmove (__memmove_avx_unaligned_erms), called from that line, while reading from the source buffer with a length argument (RDX) of 0x133350000, which suggests that a size decoded from the file is used without being checked against the remaining buffer. Opening a crafted file with h5ls therefore crashes the process, so this vulnerability can lead to a Denial of Service (DoS).


Untrusted Pointer Dereference in H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499
Version

command:

POC.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffec4695010 --> 0x0 
RBX: 0x2 
RCX: 0x5555559305d0 --> 0x0 
RDX: 0x133350000 
RSI: 0x5555559552ce --> 0x0 
RDI: 0x7ffec4695010 --> 0x0 
RBP: 0x555555930560 --> 0x0 
RSP: 0x7fffffffc378 --> 0x55555568861f (<H5O__dtype_decode_helper+3375>:    mov    rax,QWORD PTR [rbp+0x28])
RIP: 0x7ffff7df8898 (<__memmove_avx_unaligned_erms+552>:    vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20])
R8 : 0x55555595abd0 --> 0x0 
R9 : 0x7ffec4695010 --> 0x0 
R10: 0x22 ('"')
R11: 0x7ffff7e55be0 --> 0x55555595abe0 --> 0x0 
R12: 0xf5 
R13: 0x5555559552c6 --> 0x0 
R14: 0x7fffffffc680 --> 0x5555559552ce --> 0x0 
R15: 0x0
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7df8889 <__memmove_avx_unaligned_erms+537>:   vmovdqu ymm5,YMMWORD PTR [rsi+0x20]
   0x7ffff7df888e <__memmove_avx_unaligned_erms+542>:   vmovdqu ymm6,YMMWORD PTR [rsi+0x40]
   0x7ffff7df8893 <__memmove_avx_unaligned_erms+547>:   vmovdqu ymm7,YMMWORD PTR [rsi+0x60]
=> 0x7ffff7df8898 <__memmove_avx_unaligned_erms+552>:   vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20]
   0x7ffff7df889e <__memmove_avx_unaligned_erms+558>:   lea    r11,[rdi+rdx*1-0x20]
   0x7ffff7df88a3 <__memmove_avx_unaligned_erms+563>:   lea    rcx,[rsi+rdx*1-0x20]
   0x7ffff7df88a8 <__memmove_avx_unaligned_erms+568>:   mov    r9,r11
   0x7ffff7df88ab <__memmove_avx_unaligned_erms+571>:   mov    r8,r11
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffc378 --> 0x55555568861f (<H5O__dtype_decode_helper+3375>:   mov    rax,QWORD PTR [rbp+0x28])
0008| 0x7fffffffc380 --> 0x1ffff0 
0016| 0x7fffffffc388 --> 0x7ffff7d04af9 (<sysmalloc+1913>:  cmp    rax,0xffffffffffffffff)
0024| 0x7fffffffc390 --> 0x0 
0032| 0x7fffffffc398 --> 0x0 
0040| 0x7fffffffc3a0 --> 0x0 
0048| 0x7fffffffc3a8 --> 0x0 
0056| 0x7fffffffc3b0 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
440 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
gdb-peda$ bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
#1  0x000055555568861f in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x555555930560) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:499
#2  0x00005555556881a4 in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x5555559303a0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:330
#3  0x0000555555689497 in H5O__dtype_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, p_size=<optimized out>, p=<optimized out>, ioflags=0x7fffffffc6c4)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1137
#4  H5O__dtype_shared_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, ioflags=0x7fffffffc6c4, p_size=<optimized out>, p=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Oshared.h:81
#5  0x00005555556987bb in H5O_msg_read_oh (f=0x55555594f480, oh=oh@entry=0x555555954880, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:514
#6  0x00005555556989d9 in H5O_msg_read (loc=loc@entry=0x555555955e70, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
#7  0x00005555555d0657 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555955e70) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
#8  H5D_open (loc=loc@entry=0x7fffffffc8b0, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
#9  0x00005555557f84fa in H5O__dset_open (obj_loc=0x7fffffffc8b0, opened_type=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Doh.c:246
#10 0x0000555555690728 in H5O_open_by_loc (obj_loc=0x7fffffffc8b0, opened_type=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:758
#11 0x0000555555690823 in H5O_open_name (loc=loc@entry=0x7fffffffc940, name=0x555555954390 "/dset1", opened_type=opened_type@entry=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:625
#12 0x00005555557afd3f in H5VL__native_object_open (obj=<optimized out>, loc_params=0x7fffffffc9c0, opened_type=0x7fffffffc9b4, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_object.c:88
#13 0x000055555579f0cc in H5VL__object_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, opened_type=0x7fffffffc9b4, params=0x7fffffffc9c0, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5569
#14 H5VL_object_open (vol_obj=0x555555951b40, params=params@entry=0x7fffffffc9c0, opened_type=opened_type@entry=0x7fffffffc9b4, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5601
#15 0x0000555555673145 in H5O__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, lapl_id=0x0, name=0x555555954390 "/dset1", loc_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:119
#16 H5Oopen (loc_id=0x100000000000000, name=0x555555954390 "/dset1", lapl_id=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:163
#17 0x0000555555567295 in list_obj (name=0x555555954390 "/dset1", oinfo=0x7fffffffd060, first_seen=0x0, _iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2226
#18 0x000055555558262a in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
#19 0x000055555563244d in H5G__iterate_cb (_udata=0x7fffffffd3c0, lnk=0x7fffffffd150) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:866
#20 H5G__iterate_cb (lnk=0x7fffffffd150, _udata=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:839
#21 0x0000555555638c1e in H5G__node_iterate (f=f@entry=0x55555594f480, _lt_key=<optimized out>, addr=0x430, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffd290)
    at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
#22 0x00005555557daac0 in H5B__iterate_helper (f=0x55555594f480, type=0x555555902060 <H5B_SNODE>, addr=0x88, op=0x555555638b30 <H5G__node_iterate>, udata=udata@entry=0x7fffffffd290)
    at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
#23 0x00005555557dbf9b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffd290) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
#24 0x000055555563d9f6 in H5G__stab_iterate (oloc=oloc@entry=0x5555559532b8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
    op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
#25 0x000055555563b575 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x5555559532b8, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, 
    last_lnk=last_lnk@entry=0x7fffffffd448, op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
#26 0x0000555555633558 in H5G_iterate (loc=<optimized out>, group_name=<optimized out>, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
    lnk_op=0x7fffffffd450, op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:921
#27 0x000055555566b93a in H5L_iterate (loc=loc@entry=0x7fffffffd490, group_name=<optimized out>, idx_type=<optimized out>, order=<optimized out>, idx_p=<optimized out>, op=<optimized out>, 
    op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Lint.c:2243
#28 0x00005555557af715 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffd510, args=0x7fffffffd540, dxpl_id=<optimized out>, req=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:381
#29 0x000055555579e570 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffd540, loc_params=0x7fffffffd510, obj=<optimized out>)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
#30 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555951b40, loc_params=loc_params@entry=0x7fffffffd510, args=args@entry=0x7fffffffd540, dxpl_id=0xb00000000000008, req=req@entry=0x0)
    at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
#31 0x000055555566722d in H5Literate_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555900010 <root_name> "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
    idx_p=idx_p@entry=0x0, op=op@entry=0x555555582470 <traverse_cb>, op_data=0x7fffffffd610, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1823
#32 0x0000555555583b7d in traverse (fields=0x3, visitor=0x7fffffffd5d0, recurse=0x0, visit_start=<optimized out>, grp_name=0x555555900010 <root_name> "/", file_id=0x100000000000000)
    at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:294
#33 h5trav_visit (fid=0x100000000000000, grp_name=0x555555900010 <root_name> "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, 
    udata=0x7fffffffdd00, fields=0x3) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
#34 0x0000555555567464 in visit_obj (file=0x100000000000000, oname=0x555555900010 <root_name> "/", iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2499
#35 0x000055555556363a in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:3105
#36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f50 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
    at ../csu/libc-start.c:308
#37 0x000055555556419e in _start () at /usr/include/x86_64-linux-gnu/bits/stdio2.h:100
