Description
Describe the bug
Running h5repack with compression enabled using -c 10 and --enable-error-stack on a crafted HDF5 file causes the tool to abort due to a double free detected by the GNU C Library allocator.
The program terminates with:
free(): double free detected in tcache 2
SIGABRT
Steps to Reproduce:
The PoC attachment contains the input file that triggers the crash:
COMMAND LINE: ./h5repack -c 10 --enable-error-stack Double_Free_2 out.h5
Expected behavior
h5repack should handle malformed input gracefully and exit with an error message, rather than aborting due to a double free.
Platform (please complete the following information)
- HDF5 version: Git develop branch, commit 441d83a
- OS and version: Ubuntu 18.04.6 LTS
- Compiler and version: clang 14.0.6 (used via hfuzz-clang wrapper)
- Build system (e.g. CMake version) and generator (e.g. XCode, Ninja): CMake 3.30.0; default Unix Makefiles generator (via cmake -S . -B build)
- Any configure options you specified: -DHDF5_BUILD_TOOLS=ON -DHDF5_BUILD_EXAMPLES=OFF -DHDF5_BUILD_TESTING=OFF -DHDF5_BUILD_HL_LIB=ON -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo; compiler flags include -g -O2 -fsanitize-coverage=trace-pc-guard -finstrument-functions
- MPI library and version (parallel HDF5): Parallel HDF5 not enabled; no MPI library used.
Additional context
GDB output excerpt:
#18: /root/DriveSched/benchmarks/hdf5/hdf5/src/H5PB.c line 697 in H5PB_read(): read through metadata accumulator failed
major: Page Buffering
minor: Read failed
#19: /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Faccum.c line 248 in H5F__accum_read(): unable to copy chunked storage
major: Low-level I/O
minor: Read failed
#20: /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FDint.c line 260 in H5FD_read(): addr overflow, addr = 6040, size = 1835101741, eoa = 8088
major: Invalid arguments to routine
minor: Address overflowed
free(): double free detected in tcache 2
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e367f1 in __GI_abort () at abort.c:79
#2 0x00007ffff6e7f837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6faca7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff6e868ba in malloc_printerr (str=str@entry=0x7ffff6fae6e8 "free(): double free detected in tcache 2") at malloc.c:5342
#4 0x00007ffff6e8e0ed in _int_free (have_lock=0, p=0xa877c60, av=0x7ffff71e1c40 <main_arena>) at malloc.c:4195
#5 __GI___libc_free (mem=0xa877c70) at malloc.c:3134
#6 0x00000000006c30ba in H5MM_xfree (mem=0xa877c70) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MM.c:201
#7 H5MM_xfree_const (mem=0xa877c70) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MM.c:224
#8 0x0000000000575d53 in H5E__clear_entries (nentries=, estack=) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Eint.c:1810
#9 H5E_clear_stack () at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Eint.c:1852
#10 0x000000000056b6ee in H5Epush2 (err_stack=1008806316530991104, file=0xb4bcf8 "/root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_copy.c",
func=0xb4c3ce "do_copy_objects", line=1300, cls_id=864691128455135233, maj_id=936748722493063349, min_id=936748722493063350, fmt=0xb4c757 "H5Ocopy failed")
at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5E.c:545
#11 0x000000000043ed28 in do_copy_objects (fidin=fidin@entry=72057594037927936, fidout=fidout@entry=72057594037927937, travt=0xa872670, options=options@entry=0xa809360)
at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_copy.c:1308
#12 0x0000000000437abf in copy_objects (
fnamein=fnamein@entry=0x7fffffffe508 "/tmp/168_c_10_enable_error_stack/SIGABRT.PC.7ffff6e34e87.STACK.e2e133389.CODE.-6.ADDR.0.INSTR.mov____0x108(%rsp),%rcx.fuzz",
fnameout=fnameout@entry=0x7fffffffe583 "out.h5", options=options@entry=0xa809360) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_copy.c:326
#13 0x000000000045d111 in h5repack (
infile=0x7fffffffe508 "/tmp/168_c_10_enable_error_stack/SIGABRT.PC.7ffff6e34e87.STACK.e2e133389.CODE.-6.ADDR.0.INSTR.mov____0x108(%rsp),%rcx.fuzz",
outfile=0x7fffffffe583 "out.h5", options=options@entry=0xa809360) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack.c:53
#14 0x0000000000463ade in main (argc=, argv=) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_main.c:1037
(gdb)