heap-buffer-overflow in NC4_get_vars netcdf/libhdf5/hdf5var.c
Built from git commit hash 63150df
OS: Ubuntu 20.04
Compiler: clang version 11.0
Build options:
- Shared library disabled
CC=clang
CXX=clang++
CFLAGS="-g -fno-inline -fsanitize=address"
CXXFLAGS="-g -fno-inline -fsanitize=address"
LDFLAGS="$LDFLAGS -fsanitize=address"
ASAN_OPTIONS=abort_on_error=1
Command: ./ncdump pov
POV file:
pov.zip
Stack trace:
==3254300==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000011018 at pc 0x00000043bdad bp 0x7ffcad464cd0 sp 0x7ffcad464480
READ of size 24 at 0x602000011018 thread T0
#0 0x43bdac in __interceptor_memcpy.part.0 /home/chaitra/aflgo-top/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:808:5
#1 0x7f85eafcad32 in H5VM_memcpyvv (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0x29bd32)
#2 0x7f85eadcadee (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0x9bdee)
#3 0x7f85eade6f79 (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0xb7f79)
#4 0x7f85eade77b9 in H5D__select_read (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0xb87b9)
#5 0x7f85eadc536e (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0x9636e)
#6 0x7f85eade0513 in H5D__read (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0xb1513)
#7 0x7f85eade0a0c in H5Dread (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0xb1a0c)
#8 0x666b87 in NC4_get_vars netcdf/libhdf5/hdf5var.c:2102:13
#9 0x663bf2 in NC4_get_vara netcdf/libhdf5/hdf5var.c:1402:12
#10 0x563a50 in NC_get_vara netcdf/libdispatch/dvarget.c:104:12
#11 0x5679eb in nc_get_vara netcdf/libdispatch/dvarget.c:750:11
#12 0x50d0bc in print_rows netcdf/ncdump/vardata.c:478:2
#13 0x50cf3b in print_rows netcdf/ncdump/vardata.c:463:6
#14 0x50cf3b in print_rows netcdf/ncdump/vardata.c:463:6
#15 0x50cfdb in print_rows netcdf/ncdump/vardata.c:467:2
#16 0x50c95f in vardata netcdf/ncdump/vardata.c:588:5
#17 0x503794 in do_ncdump_rec netcdf/ncdump/ncdump.c:1965:7
#18 0x4fda26 in do_ncdump netcdf/ncdump/ncdump.c:2047:4
#19 0x4fb3b2 in main netcdf/ncdump/ncdump.c:2490:7
#20 0x7f85ea740082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#21 0x41fe2d in _start (netcdf/ncdump/ncdump+0x41fe2d)
0x602000011018 is located 0 bytes to the right of 8-byte region [0x602000011010,0x602000011018)
allocated by thread T0 here:
#0 0x4c4f4f in malloc /home/chaitra/aflgo-top/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7f85eae39641 (/lib/x86_64-linux-gnu/libhdf5_serial.so.103+0x10a641)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chaitra/aflgo-top/build/llvm_tools/llvm-11.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:808:5 in __interceptor_memcpy.part.0
Shadow bytes around the buggy address:
0x0c047fffa1b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffa1c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffa1d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffa1e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffa1f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fffa200: fa fa 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3254300==ABORTING