Stack Overflow vulnerability in HDF5 1.10.2
Loginsoft-2018-15671
August 20, 2018
CVE Number
CVE-2018-15671
CWE
CWE-121: Stack-based Buffer Overflow
Product Details
HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of data types, and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.
URL: https://www.hdfgroup.org/downloads
Vulnerable Versions
HDF5 1.10.2
Vulnerability Details
An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stack consumption has been detected in the function H5P__get_cb() in H5Pint.c during an attempted parse of a crafted HDF file. This results in denial of service.
SYNOPSIS
H5stat binary of HDF5 package is responsible for reporting the stats related to an HDF5 file (file info, file space information for file’s, group metadata, dataset info) & its object. A stack overflow issue was discovered which was the result of an excessive stack consumption due to recursive function calling.
The objects inside the groups are iterated via `H5G__obj_iterate()` & `H5G__stab_iterate()` continuously. Later the process, to retrieve the objects information `H5Oget_info_by_name2(`) is called, which further calls `H5G_loc_info()`, to retrieve the information for an object from a group location and path to that object. Later using `H5G_traverse()` & it’s internal routines it traverses to the path from the location.
It then looks up for the link in the group using the name (which is unbelievably long) & gets the link info message for that group.
It sets the meta-tag property in the provided property list & then get a property’s value in a property list via `H5P__get_cb()`, where the stack overflow is triggered due to exhausted memory.
Analysis
$rax : 0x7ffff5cd49b0 → <__memmove_avx_unaligned+0> mov rax, rdi
$rbx : 0x8
$rcx : 0x1
$rdx : 0x8
$rsp : 0x7fffff7fee40
$rbp : 0x7fffff7ff6b0 → 0x00007fffff7ff700 → 0x00007fffff7ff760 → 0x00007fffff7ff820 → 0x00007fffff7ff8e0 → 0x00007fffff7ffb10 → 0x00007fffff7ffbe0 → 0x00007fffff7ffcb0
$rsi : 0x602000009eb0 → 0x0000000000000060 ("`"?)
$rdi : 0x7fffff7ff880 → 0x00000c04000b1e33 → 0x0000000000000000
$rip : 0x7ffff6ef662f → <__asan_memcpy+111> call rax
$r8 : 0x7fffff7ff7c0 → 0x00007fffff7ff880 → 0x00000c04000b1e33 → 0x0000000000000000
$r9 : 0x65c
$r10 : 0x62d001b44400 → 0x000000000000864c
$r11 : 0x7fffff7ff5c0 → 0x00007fffff7ff7a0 → 0x0000000041b58ab3
$r12 : 0x7fffff7ff880 → 0x00000c04000b1e33 → 0x0000000000000000
$r13 : 0x7ffff7381744 → 0x0000000000000001
$r14 : 0x7fffff7ff7a0 → 0x0000000041b58ab3
$r15 : 0x602000009eb0 → 0x0000000000000060 ("`"?)
ASAN Output
Filename: /home/woot/Hdf5_crashes/hdf5_hls_results/stack-overflow_POC ASAN:SIGSEGV ================================================================= ==4432==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd76478fa8 (pc 0x7f79626c662f bp 0x7ffd76479820 sp 0x7ffd76478fb0 T0) #0 0x7f79626c662e in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c62e) #1 0x7f7961e5a971 in H5P__get_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:4329 #2 0x7f7961e52a3f in H5P__do_prop /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:2641 #3 0x7f7961e5acce in H5P_get /home/woot/hdf5-hdf5-1_10_2/src/H5Pint.c:4383 #4 0x7f796190046d in H5AC_tag /home/woot/hdf5-hdf5-1_10_2/src/H5AC.c:2784 #5 0x7f7961bf2099 in H5G__obj_get_linfo /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:323 #6 0x7f7961bf9df9 in H5G__obj_lookup /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:1137 #7 0x7f7961c11c8f in H5G_traverse_real /home/woot/hdf5-hdf5-1_10_2/src/H5Gtraverse.c:593 #8 0x7f7961c1404e in H5G_traverse /home/woot/hdf5-hdf5-1_10_2/src/H5Gtraverse.c:866 #9 0x7f7961be08d5 in H5G_loc_info /home/woot/hdf5-hdf5-1_10_2/src/H5Gloc.c:744 #10 0x7f7961cf5ba7 in H5Oget_info_by_name /home/woot/hdf5-hdf5-1_10_2/src/H5O.c:535 #11 0x43868b (/home/woot/hdf5-hdf5-1_10_2/hdf5/bin/h5stat+0x43868b) #12 0x7f7961bd68e8 in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:925 #13 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004 #14 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179 #15 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224 #16 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563 #17 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706 #18 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009 #19 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004 #20 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179 #21 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224 #22 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563 #23 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706 #24 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009 #25 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004 #26 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179 #27 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224 #28 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563 #29 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706 #30 0x7f7961bd72cf in H5G_visit_cb /home/woot/hdf5-hdf5-1_10_2/src/H5Gint.c:1009 #31 0x7f7961becc4f in H5G__node_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gnode.c:1004 #32 0x7f79619161f9 in H5B__iterate_helper /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1179 #33 0x7f79619165c6 in H5B_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5B.c:1224 #34 0x7f7961c036aa in H5G__stab_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gstab.c:563 #35 0x7f7961bf5ac8 in H5G__obj_iterate /home/woot/hdf5-hdf5-1_10_2/src/H5Gobj.c:706 ..... ..... ..... SUMMARY: AddressSanitizer: stack-overflow ??:0 __asan_memcpy ==4432==ABORTING
Proof of concept
./h5stat -A -T -G -D -S $POC
-A prints attribute information
-T prints dataset’s datatype metadata
-G prints file space information for groups’ metadata
-D prints file space information for dataset’s metadata
Timeline
Vendor Disclosure: 2018-08-18
Patch Release: 2018-08-19
Public Disclosure: 2018-08-20
Credit
Discovered by ACE Team – Loginsoft