Fix oss-fuzz vulns

[oss-patch]

commit c792aa1 Fix

• OSV-2023-76 - POC
  Full Sanitizer Report:

==13557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000003640 at pc 0x5627fc3fc76d bp 0x7ffcee65e870 sp 0x7ffcee65e868
READ of size 4 at 0x502000003640 thread T0
    #0 0x5627fc3fc76c in H5SM_delete /root/src/H5SM.c:1542:24
    #1 0x5627fc1bef62 in H5O__msg_write_real /root/src/H5Omessage.c:364:13
    #2 0x5627fc1be718 in H5O_msg_write /root/src/H5Omessage.c:246:9
    #3 0x5627fc0163ab in H5G__stab_valid /root/src/H5Gstab.c:1016:13
    #4 0x5627fc00d689 in H5G_mkroot /root/src/H5Groot.c:235:21
    #5 0x5627fbebb4b8 in H5F_open /root/src/H5Fint.c:2134:13
    #6 0x5627fca30d89 in H5VL__native_file_open /root/src/H5VLnative_file.c:127:9
    #7 0x5627fc9dfe16 in H5VL__file_open /root/src/H5VLcallback.c:3714:25
    #8 0x5627fc9df44d in H5VL_file_open /root/src/H5VLcallback.c:3832:30
    #9 0x5627fbe8d874 in H5F__open_api_common /root/src/H5F.c:780:29
    #10 0x5627fbe8ca70 in H5Fopen /root/src/H5F.c:820:22
    #11 0x5627fbc5ab6c in LLVMFuzzerTestOneInput /root/src/h5_extended_fuzzer.c:29:24
    #12 0x5627fbb65f04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x188f04) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)
    #13 0x5627fbb4f036 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x172036) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)
    #14 0x5627fbb54aea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/h5_extended_fuzzer+0x177aea) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)
    #15 0x5627fbb7f2a6 in main (/root/out/h5_extended_fuzzer+0x1a22a6) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)
    #16 0x7f0c431461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7f0c4314628a in __libc_start_main csu/../csu/libc-start.c:360:3
    #18 0x5627fbb49c04 in _start (/root/out/h5_extended_fuzzer+0x16cc04) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)

0x502000003640 is located 0 bytes after 16-byte region [0x502000003630,0x502000003640)
allocated by thread T0 here:
    #0 0x5627fbc1a033 in malloc (/root/out/h5_extended_fuzzer+0x23d033) (BuildId: fbd396d65561ef37960c8b3f8a14c0d50bb772c3)
    #1 0x5627fbfa7bd9 in H5FL__malloc /root/src/H5FL.c:211:30
    #2 0x5627fbfa775c in H5FL_reg_malloc /root/src/H5FL.c:363:34
    #3 0x5627fbfa7ecc in H5FL_reg_calloc /root/src/H5FL.c:395:30
    #4 0x5627fc1e5d2f in H5O__stab_decode /root/src/H5Ostab.c:97:25
    #...

commit 1126b83 Fix

• OSV-2024-379 - POC
  Full Sanitizer Report:

==10819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51d000004480 at pc 0x55cdd6b1b525 bp 0x7ffe35ecefd0 sp 0x7ffe35ecefc8
READ of size 8 at 0x51d000004480 thread T0
    #0 0x55cdd6b1b524 in H5FS__sect_link_size /root/src/H5FSsection.c:935:26
    #1 0x55cdd6b12abc in H5FS__sect_link /root/src/H5FSsection.c:1074:9
    #2 0x55cdd6b10b08 in H5FS_sect_add /root/src/H5FSsection.c:1340:13
    #3 0x55cdd6c39e4e in H5MF__add_sect /root/src/H5MF.c:637:9
    #4 0x55cdd6c3c378 in H5MF__alloc_pagefs /root/src/H5MF.c:906:21
    #5 0x55cdd6c3b766 in H5MF_alloc /root/src/H5MF.c:806:45
    #6 0x55cdd6c3c539 in H5MF__alloc_pagefs /root/src/H5MF.c:923:44
    #7 0x55cdd6c3b766 in H5MF_alloc /root/src/H5MF.c:806:45
    #8 0x55cdd6b19321 in H5FS_vfd_alloc_hdr_and_section_info_if_needed /root/src/H5FSsection.c:2360:48
    #9 0x55cdd6c4b784 in H5MF_settle_meta_data_fsm /root/src/H5MF.c:3192:21
    #10 0x55cdd685045a in H5C_flush_cache /root/src/H5C.c:696:33
    #11 0x55cdd67ea4b0 in H5AC_flush /root/src/H5AC.c:645:9
    #12 0x55cdd6a14cb0 in H5F__flush_phase2 /root/src/H5Fint.c:2341:9
    #13 0x55cdd6a1183a in H5F__dest /root/src/H5Fint.c:1441:17
    #14 0x55cdd6a16ab3 in H5F_try_close /root/src/H5Fint.c:2680:9
    #15 0x55cdd6a157d8 in H5F__close /root/src/H5Fint.c:2482:9
    #16 0x55cdd7583dc0 in H5VL__native_file_close /root/src/H5VLnative_file.c:777:13
    #17 0x55cdd7532a69 in H5VL__file_close /root/src/H5VLcallback.c:4326:25
    #18 0x55cdd75324ca in H5VL_file_close /root/src/H5VLcallback.c:4360:9
    #19 0x55cdd6a20876 in H5F__close_cb /root/src/H5Fint.c:249:9
    #20 0x55cdd6c2468c in H5I__dec_ref /root/src/H5Iint.c:1076:30
    #21 0x55cdd6c24d10 in H5I__dec_app_ref /root/src/H5Iint.c:1156:22
    #22 0x55cdd6c24b8f in H5I_dec_app_ref /root/src/H5Iint.c:1201:22
    #23 0x55cdd69ddd85 in H5Fclose /root/src/H5F.c:1040:9
    #24 0x55cdd67a7bd8 in LLVMFuzzerTestOneInput /root/src/h5_extended_fuzzer.c:39:7
    #25 0x55cdd66b2f04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x188f04) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)
    #26 0x55cdd669c036 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x172036) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)
    #27 0x55cdd66a1aea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/h5_extended_fuzzer+0x177aea) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)
    #28 0x55cdd66cc2a6 in main (/root/out/h5_extended_fuzzer+0x1a22a6) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)
    #29 0x7efeb01931c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7efeb019328a in __libc_start_main csu/../csu/libc-start.c:360:3
    #31 0x55cdd6696c04 in _start (/root/out/h5_extended_fuzzer+0x16cc04) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)

0x51d000004480 is located 56 bytes after 1992-byte region [0x51d000003c80,0x51d000004448)
allocated by thread T0 here:
    #0 0x55cdd6767033 in malloc (/root/out/h5_extended_fuzzer+0x23d033) (BuildId: 1a2fd423976350948bc250d1471b3ab6317a20b3)
    #1 0x55cdd6af4bd9 in H5FL__malloc /root/src/H5FL.c:211:30

• OSV-2024-575 - POC
  Full Sanitizer Report:

==74935==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51d000003a80 at pc 0x5600a6ae3525 bp 0x7fff0c3d9b50 sp 0x7fff0c3d9b48
READ of size 8 at 0x51d000003a80 thread T0
    #0 0x5600a6ae3524 in H5FS__sect_link_size /root/src/H5FSsection.c:935:26
    #1 0x5600a6adaabc in H5FS__sect_link /root/src/H5FSsection.c:1074:9
    #2 0x5600a6ad8b08 in H5FS_sect_add /root/src/H5FSsection.c:1340:13
    #3 0x5600a6c01e4e in H5MF__add_sect /root/src/H5MF.c:637:9
    #4 0x5600a6c04378 in H5MF__alloc_pagefs /root/src/H5MF.c:906:21
    #5 0x5600a6c03766 in H5MF_alloc /root/src/H5MF.c:806:45
    #6 0x5600a6c04539 in H5MF__alloc_pagefs /root/src/H5MF.c:923:44
    #7 0x5600a6c03766 in H5MF_alloc /root/src/H5MF.c:806:45
    #8 0x5600a774745c in H5O__alloc_chunk /root/src/H5Oalloc.c:883:22
    #9 0x5600a775214c in H5O__alloc_new_chunk /root/src/H5Oalloc.c:1154:9
    #10 0x5600a774d9f8 in H5O__alloc /root/src/H5Oalloc.c:1291:17
    #11 0x5600a6cd27ca in H5O__msg_alloc /root/src/H5Omessage.c:1729:9
    #12 0x5600a6cd1ee4 in H5O__msg_append_real /root/src/H5Omessage.c:191:9
    #13 0x5600a6cd1c17 in H5O_msg_append_oh /root/src/H5Omessage.c:156:9
    #14 0x5600a6cd1718 in H5O_msg_create /root/src/H5Omessage.c:113:9
    #15 0x5600a6a01682 in H5F__super_ext_write_msg /root/src/H5Fsuper.c:1701:13
    #16 0x5600a6c110fd in H5MF_settle_raw_data_fsm /root/src/H5MF.c:2775:17
    #17 0x5600a681831a in H5C_flush_cache /root/src/H5C.c:689:33
    #18 0x5600a67b24b0 in H5AC_flush /root/src/H5AC.c:645:9
    #19 0x5600a69dccb0 in H5F__flush_phase2 /root/src/H5Fint.c:2341:9
    #20 0x5600a69d983a in H5F__dest /root/src/H5Fint.c:1441:17
    #21 0x5600a69deab3 in H5F_try_close /root/src/H5Fint.c:2680:9
    #22 0x5600a69dd7d8 in H5F__close /root/src/H5Fint.c:2482:9
    #23 0x5600a754bdc0 in H5VL__native_file_close /root/src/H5VLnative_file.c:777:13
    #24 0x5600a74faa69 in H5VL__file_close /root/src/H5VLcallback.c:4326:25
    #25 0x5600a74fa4ca in H5VL_file_close /root/src/H5VLcallback.c:4360:9
    #26 0x5600a69e8876 in H5F__close_cb /root/src/H5Fint.c:249:9
    #27 0x5600a6bec68c in H5I__dec_ref /root/src/H5Iint.c:1076:30
    #28 0x5600a6becd10 in H5I__dec_app_ref /root/src/H5Iint.c:1156:22
    #29 0x5600a6becb8f in H5I_dec_app_ref /root/src/H5Iint.c:1201:22
    #30 0x5600a69a5d85 in H5Fclose /root/src/H5F.c:1040:9
    #31 0x5600a676fbd8 in LLVMFuzzerTestOneInput /root/src/h5_extended_fuzzer.c:39:7

• OSV-2024-772 - POC

==75833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51d000004e80 at pc 0x55a9de3a4525 bp 0x7ffc61902a10 sp 0x7ffc61902a08
READ of size 8 at 0x51d000004e80 thread T0
    #0 0x55a9de3a4524 in H5FS__sect_link_size /root/src/H5FSsection.c:935:26
    #1 0x55a9de39babc in H5FS__sect_link /root/src/H5FSsection.c:1074:9
    #2 0x55a9de399b08 in H5FS_sect_add /root/src/H5FSsection.c:1340:13
    #3 0x55a9de4c2e4e in H5MF__add_sect /root/src/H5MF.c:637:9
    #4 0x55a9de4c5378 in H5MF__alloc_pagefs /root/src/H5MF.c:906:21
    #5 0x55a9de4c4766 in H5MF_alloc /root/src/H5MF.c:806:45
    #6 0x55a9de4c5539 in H5MF__alloc_pagefs /root/src/H5MF.c:923:44
    #7 0x55a9de4c4766 in H5MF_alloc /root/src/H5MF.c:806:45
    #8 0x55a9de55efc5 in H5O_apply_ohdr /root/src/H5Oint.c:484:15
    #9 0x55a9de55cf62 in H5O_create /root/src/H5Oint.c:309:9
    #10 0x55a9de2c8acb in H5F__super_ext_create /root/src/H5Fsuper.c:119:13
    #11 0x55a9de2c23b4 in H5F__super_ext_write_msg /root/src/H5Fsuper.c:1683:13
    #12 0x55a9de4d20fd in H5MF_settle_raw_data_fsm /root/src/H5MF.c:2775:17
    #13 0x55a9de0d931a in H5C_flush_cache /root/src/H5C.c:689:33
    #14 0x55a9de0734b0 in H5AC_flush /root/src/H5AC.c:645:9
    #15 0x55a9de29dcb0 in H5F__flush_phase2 /root/src/H5Fint.c:2341:9
    #16 0x55a9de29a83a in H5F__dest /root/src/H5Fint.c:1441:17
    #17 0x55a9de29fab3 in H5F_try_close /root/src/H5Fint.c:2680:9
    #18 0x55a9de29e7d8 in H5F__close /root/src/H5Fint.c:2482:9
    #19 0x55a9dee0cdc0 in H5VL__native_file_close /root/src/H5VLnative_file.c:777:13
    #20 0x55a9dedbba69 in H5VL__file_close /root/src/H5VLcallback.c:4326:25
    #21 0x55a9dedbb4ca in H5VL_file_close /root/src/H5VLcallback.c:4360:9
    #22 0x55a9de2a9876 in H5F__close_cb /root/src/H5Fint.c:249:9
    #23 0x55a9de4ad68c in H5I__dec_ref /root/src/H5Iint.c:1076:30
    #24 0x55a9de4add10 in H5I__dec_app_ref /root/src/H5Iint.c:1156:22
    #25 0x55a9de4adb8f in H5I_dec_app_ref /root/src/H5Iint.c:1201:22
    #26 0x55a9de266d85 in H5Fclose /root/src/H5F.c:1040:9
    #27 0x55a9de030bd8 in LLVMFuzzerTestOneInput /root/src/h5_extended_fuzzer.c:39:7
    #28 0x55a9ddf3bf04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x188f04)
    #29 0x55a9ddf25036 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/h5_extended_fuzzer+0x172036)
    #30 0x55a9ddf2aaea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/h5_extended_fuzzer+0x177aea)
    #31 0x55a9ddf552a6 in main (/root/out/h5_extended_fuzzer+0x1a22a6)
    #32 0x7f79531d71c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #33 0x7f79531d728a in __libc_start_main csu/../csu/libc-start.c:360:3
    #34 0x55a9ddf1fc04 in _start (/root/out/h5_extended_fuzzer+0x16cc04)

0x51d000004e80 is located 56 bytes after 1992-byte region [0x51d000004680,0x51d000004e48)
allocated by thread T0 here:
    #0 0x55a9ddff0033 in malloc (/root/out/h5_extended_fuzzer+0x23d033)
    #1 0x55a9de37dbd9 in H5FL__malloc /root/src/H5FL.c:211:30
    #2 0x55a9de37eb03 in H5FL_blk_malloc /root/src/H5FL.c:773:48
    #3 0x55a9de37f394 in H5FL_blk_calloc /root/src/H5FL.c:819:30
    #4 0x55a9de382c46 in H5FL_seq_calloc /root/src/H5FL.c:1651:17
    #5 0x55a9de3966e3 in H5FS__sinfo_new /root/src/H5FSsection.c:142:32
    #6 0x55a9de397afe in H5FS__sinfo_lock /root/src/H5FSsection.c:272:42
    #7 0x55a9de399721 in H5FS_sect_add /root/src/H5FSsection.c:1314:9
    #8 0x55a9de4c2e4e in H5MF__add_sect /root/src/H5MF.c:637:9
    #9 0x55a9de4c5378 in H5MF__alloc_pagefs /root/src/H5MF.c:906:21
    #10 0x55a9de4c4766 in H5MF_alloc /root/src/H5MF.c:806:45
    #11 0x55a9de4c5539 in H5MF__alloc_pagefs /root/src/H5MF.c:923:44
    #12 0x55a9de4c4766 in H5MF_alloc /root/src/H5MF.c:806:45
    #13 0x55a9de55efc5 in H5O_apply_ohdr /root/src/H5Oint.c:484:15
    #14 0x55a9de55cf62 in H5O_create /root/src/H5Oint.c:309:9
    #15 0x55a9de2c8acb in H5F__super_ext_create /root/src/H5Fsuper.c:119:13
    #16 0x55a9de2c23b4 in H5F__super_ext_write_msg /root/src/H5Fsuper.c:1683:13
    #17 0x55a9de4d20fd in H5MF_settle_raw_data_fsm /root/src/H5MF.c:2775:17
    #18 0x55a9de0d931a in H5C_flush_cache /root/src/H5C.c:689:33
    #19 0x55a9de0734b0 in H5AC_flush /root/src/H5AC.c:645:9
    #20 0x55a9de29dcb0 in H5F__flush_phase2 /root/src/H5Fint.c:2341:9
    #21 0x55a9de29a83a in H5F__dest /root/src/H5Fint.c:1441:17
    #22 0x55a9de29fab3 in H5F_try_close /root/src/H5Fint.c:2680:9
    #23 0x55a9de29e7d8 in H5F__close /root/src/H5Fint.c:2482:9
    #24 0x55a9dee0cdc0 in H5VL__native_file_close /root/src/H5VLnative_file.c:777:13
    #25 0x55a9dedbba69 in H5VL__file_close /root/src/H5VLcallback.c:4326:25
    #26 0x55a9dedbb4ca in H5VL_file_close /root/src/H5VLcallback.c:4360:9
    #27 0x55a9de2a9876 in H5F__close_cb /root/src/H5Fint.c:249:9
    #28 0x55a9de4ad68c in H5I__dec_ref /root/src/H5Iint.c:1076:30
    #29 0x55a9de4add10 in H5I__dec_app_ref /root/src/H5Iint.c:1156:22

SUMMARY: AddressSanitizer

What these issues have in common is that they should trigger an assert before the vulnerability.

I'm not sure if it should be fixed more completely than just replacing assert with a real error checking.

[qkoziol]

These are not bad, but seem like they are addressing symptoms rather that root causes. Are there test files that trigger them to look at?

[oss-patch]

These are not bad, but seem like they are addressing symptoms rather that root causes. Are there test files that trigger them to look at?

@qkoziol You can download them by clicking on the POC link. I wonder why I can't upload Sanitizer Report...

[bmribler]

@qkoziol You can download them by clicking on the POC link. I wonder why I can't upload Sanitizer Report...

@aled-ua Probably because of the type of the file. What kind of file format is the Sanitizer Report?

[oss-patch]

@bmribler Update now

[bmribler]

These are not bad, but seem like they are addressing symptoms rather that root causes. Are there test files that trigger them to look at?

@qkoziol Hi Quincey, are you looking at the test file, by any chance?

[qkoziol]

I have been busy on some internal projects for the past few days, but I am planning to. Please don't let me impede you diving in and investigating also. :-)

[bmribler]

I have been busy on some internal projects for the past few days, but I am planning to. Please don't let me impede you diving in and investigating also. :-)

I don't want to double the efforts though. :-)

[bmribler]

@qkoziol Are you still planning to look at this issue too?

[Copilot]

Pull Request Overview

This PR addresses several OSS-Fuzz reported heap-buffer-overflow vulnerabilities by replacing asserts with explicit error checks. The changes add runtime validations to ensure that critical fields such as the SOHM address and bin indices are valid before proceeding.

• H5SM.c: Added an explicit runtime check for the SOHM address in H5SM_delete.
• H5FSsection.c: Replaced an assert with a proper error check to validate the computed bin index.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/H5SM.c	Added runtime validation for the SOHM address to prevent misuse.
src/H5FSsection.c	Replaced assert with error handling for bin index validation.

Comments suppressed due to low confidence (1)

src/H5FSsection.c:935

• The added check correctly prevents out-of-bounds access on the bins array; ensure similar validations are applied consistently wherever bin indices are computed.

if (bin >= sinfo->nbins)

[Copilot]

[nitpick] The SOHM address is already asserted at the top of the function; consider removing the earlier assert to avoid redundancy or inconsistency in error handling.