[BUG] Out of bounds access on read in hdf5/src/H5Fint.c:2859:13

[kobrineli]

Hi! We have been fuzzing your project with sydr-fuzz
and found out of bounds access on read in hdf5/src/H5Fint.c:2859:13.

Environment

• OS: ubuntu 20.04
• hdf5 version: 509fe96

How to reprocude the error

1. Build docker container from here

    sudo docker build -t oss-sydr-fuzz-hdf5 .
   

2. Run docker container

    sudo docker run --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-hdf5 /bin/bash
   

3. Run /h5_read_afl with input

    /h5_read_afl crash-244484e1ab5cd0acab3563fa35bf2981c7d41c92.txt
   

4. You will see the following output

    ==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000005af8 at pc 0x0000008b8207 bp 0x7ffce6f47b30 sp 0x7ffce6f47b28
    READ of size 1 at 0x60d000005af8 thread T0
        #0 0x8b8206 in H5F_addr_decode_len /hdf5/src/H5Fint.c:2859:13
        #1 0x9a4f44 in H5G_ent_decode /hdf5/src/H5Gent.c:148:13
        #2 0x8fb744 in H5F__cache_superblock_deserialize /hdf5/src/H5Fsuper_cache.c:521:13
        #3 0x622ea4 in H5C__load_entry /hdf5/src/H5C.c:7298:26
        #4 0x622ea4 in H5C_protect /hdf5/src/H5C.c:2330:30
        #5 0x53bde1 in H5AC_protect /hdf5/src/H5AC.c:1394:26
        #6 0x8debd4 in H5F__super_read /hdf5/src/H5Fsuper.c:449:42
        #7 0x89f14a in H5F_open /hdf5/src/H5Fint.c:1964:13
        #8 0x146ddd4 in H5VL__native_file_open /hdf5/src/H5VLnative_file.c:127:29
        #9 0x14222a6 in H5VL__file_open /hdf5/src/H5VLcallback.c:3674:30
        #10 0x14218e5 in H5VL_file_open /hdf5/src/H5VLcallback.c:3823:30
        #11 0x876c29 in H5F__open_api_common /hdf5/src/H5F.c:794:29
        #12 0x8762ef in H5Fopen /hdf5/src/H5F.c:835:22
        #13 0x50c113 in LLVMFuzzerTestOneInput /h5_read_fuzzer.c:35:7
        #14 0x43b301 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
        #15 0x42521c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
        #16 0x42af6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
        #17 0x454502 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #18 0x7f682830f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #19 0x41fb3d in _start (/h5_read_fuzzer+0x41fb3d)
    
    0x60d000005af8 is located 0 bytes to the right of 136-byte region [0x60d000005a70,0x60d000005af8)
    allocated by thread T0 here:
        #0 0x4d5629 in __interceptor_realloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:148:3
        #1 0xba2b83 in H5MM_realloc /hdf5/src/H5MM.c:144:21
        #2 0x622856 in H5C__load_entry /hdf5/src/H5C.c:7213:46
        #3 0x622856 in H5C_protect /hdf5/src/H5C.c:2330:30
        #4 0x53bde1 in H5AC_protect /hdf5/src/H5AC.c:1394:26
        #5 0x8debd4 in H5F__super_read /hdf5/src/H5Fsuper.c:449:42
        #6 0x89f14a in H5F_open /hdf5/src/H5Fint.c:1964:13
        #7 0x146ddd4 in H5VL__native_file_open /hdf5/src/H5VLnative_file.c:127:29
        #8 0x14222a6 in H5VL__file_open /hdf5/src/H5VLcallback.c:3674:30
        #9 0x14218e5 in H5VL_file_open /hdf5/src/H5VLcallback.c:3823:30
        #10 0x876c29 in H5F__open_api_common /hdf5/src/H5F.c:794:29
        #11 0x8762ef in H5Fopen /hdf5/src/H5F.c:835:22
        #12 0x50c113 in LLVMFuzzerTestOneInput /h5_read_fuzzer.c:35:7
        #13 0x43b301 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
        #14 0x42521c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
        #15 0x42af6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
        #16 0x454502 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #17 0x7f682830f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /hdf5/src/H5Fint.c:2859:13 in H5F_addr_decode_len
    Shadow bytes around the buggy address:
      0x0c1a7fff8b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8b10: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
      0x0c1a7fff8b20: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c1a7fff8b30: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8b40: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
    =>0x0c1a7fff8b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
      0x0c1a7fff8b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14==ABORTING