Memory leak vulnerability in HDF5 1.10.3

Loginsoft-2018-17234

September 16, 2018 

CVE Number

CVE-2018-17234

CWE

CWE-401: Improper Release of Memory Before Removing Last Reference (‘Memory Leak’)

Product Details

HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of datatypes, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.

URL: https://www.hdfgroup.org/downloads/hdf5/

Vulnerable Versions

HDF5 1.10.3

Vulnerability Details

Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.

SYNOPSIS

The h5dump binary lets users examine the contents of an HDF5 file by dumping them in a human-readable (ASCII) form. It can read the entire HDF5 file or selected objects, which can be groups, datasets, a subset of a dataset, links, attributes, or datatypes. All the links in a group are found by calling H5Lvisit_by_name(). Iteration over the objects in the group is then done via H5G__obj_iterate(), which calls the list callback for each leaf node of the B-tree, passing it the UDATA structure. Finally the group/node is iterated by calling H5G__node_iterate(), which calls its callback function H5G_visit_cb(); this is where some dynamic memory is allocated but not properly freed, creating the memory leak.
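As an added illustration of the failure mode described above (this is not code from the HDF5 source or from the advisory), a per-link visit callback that allocates scratch memory is shown in a leaking form and in a fixed form that uses a single-exit done: label so cleanup runs on every path; the names link_t, visit_leaky(), visit_fixed(), iterate_and_count_leaks(), live_allocs and the three link entries are hypothetical and constructed for the example.

```c
/* Added illustration, not HDF5 source: a visit callback that allocates
 * per-link scratch memory, in a leaking and a fixed variant.
 * All names here (link_t, visit_leaky, visit_fixed, live_allocs) are
 * hypothetical; the link table is constructed sample data. */
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;                      /* outstanding allocations */
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p)     { if (p) { free(p); live_allocs--; } }

typedef struct { const char *name; int valid; } link_t;

/* Leaking variant: the early return on a malformed link skips the free. */
static int visit_leaky(const link_t *l) {
    char *scratch = track_malloc(strlen(l->name) + 1);
    if (!scratch) return -1;
    strcpy(scratch, l->name);
    if (!l->valid) return -1;                    /* BUG: scratch never released */
    track_free(scratch);
    return 0;
}

/* Fixed variant: every exit goes through done:, so scratch is always freed. */
static int visit_fixed(const link_t *l) {
    int ret = 0;
    char *scratch = track_malloc(strlen(l->name) + 1);
    if (!scratch) { ret = -1; goto done; }
    strcpy(scratch, l->name);
    if (!l->valid) { ret = -1; goto done; }
done:
    track_free(scratch);                         /* track_free tolerates NULL */
    return ret;
}

/* Visit each link of a (constructed) group with cb; return blocks still live. */
static int iterate_and_count_leaks(int (*cb)(const link_t *)) {
    static const link_t links[] = {
        {"dataset_a", 1}, {"metadata", 0}, {"dataset_b", 1}   /* constructed */
    };
    live_allocs = 0;
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        (void)cb(&links[i]);                     /* errors are ignored, as in a dump */
    return live_allocs;                          /* leaky: 1, fixed: 0 */
}
```

The same imbalance is what LeakSanitizer reports at process exit when a build instrumented with AddressSanitizer processes a file whose metadata takes the error path.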


Analysis

{
DATASET "BAG_root/metadata" {
DATATYPE H5T_STRING {
STRSIZE 1;
STRPAD H5T_STR_NULLTERM;
CSET H5T_CSET_ASCII;
CTYPE H5T_C_S1;
}
DATASPACE SIMPLE { ( 4795 ) / ( H5S_UNLIMITED ) }

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff6140acf in H5D__create_chunk_file_map_hyper (fm=0x61e000000c80, io_info=0x7fffffffb910) at H5Dchunk.c:1578
1578 scaled[u] = start_scaled[u] = sel_start[u] / fm->layout->u.chunk.dim[u];

(gdb) x/i $pc
=> 0x7ffff6140acf <H5D__create_chunk_file_map_hyper+1018>: div rdi

(gdb) info registers 
rax 0x7ffff668b280 140737327444608
rbx 0x7fffffffb320 140737488335648
rcx 0x0 0
rdx 0x0 0
rsi 0x7ffff668b280 140737327444608
rdi 0x0 0
rbp 0x7fffffffb340 0x7fffffffb340
rsp 0x7fffffffaa30 0x7fffffffaa30
r8 0x7 7
r9 0x61e000000c80 107614700571776
r10 0x3d1 977
r11 0x7ffff66882e1 140737327432417
r12 0xffffffff550 17592186041680
r13 0x7fffffffaa80 140737488333440
r14 0x7fffffffaa80 140737488333440
r15 0x7fffffffb3e0 140737488335840
rip 0x7ffff6140acf 0x7ffff6140acf <H5D__create_chunk_file_map_hyper+1018>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

Backtrace
ASAN:DEADLYSIGNAL
=================================================================
==37286==ERROR: AddressSanitizer: FPE on unknown address 0x7ffff6140acf (pc 0x7ffff6140acf bp 0x7fffffffb340 sp 0x7fffffffaa30 T0)
#0 0x7ffff6140ace in H5D__create_chunk_file_map_hyper /home/ethan/hdf5-1_10_3_gcc/src/H5Dchunk.c:1578
#1 0x7ffff613dfa0 in H5D__chunk_io_init /home/ethan/hdf5-1_10_3_gcc/src/H5Dchunk.c:1169
#2 0x7ffff61b6702 in H5D__read /home/ethan/hdf5-1_10_3_gcc/src/H5Dio.c:589
#3 0x7ffff61b2515 in H5Dread /home/ethan/hdf5-1_10_3_gcc/src/H5Dio.c:198
#4 0x5555555bce14 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x68e14)
#5 0x5555555be2b4 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x6a2b4)
#6 0x5555555cc6de (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x786de)
#7 0x555555582a85 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x2ea85)
#8 0x5555555881c1 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x341c1)
#9 0x555555579872 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x25872)
#10 0x7ffff5aa41c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#11 0x555555572129 (/home/ethan/hdf5-1_10_3_gcc/hdf5/bin/h5dump+0x1e129)


Proof of concept

./h5dump -r -d BAG_root/metadata $POC

The -r switch prints 1-byte integer datasets as ASCII.

The -d switch dumps the named dataset from a group in the HDF5 file.


Timeline

Vendor Disclosure: 2018-09-15

Public Disclosure: 2018-09-16


Credit

Discovered by ACE Team – Loginsoft