Description
Describe the bug
Running h5repack with the --low compression option on a crafted HDF5 file causes the tool to abort due to heap corruption, detected by the GNU C Library allocator.
Steps to Reproduce:
The PoC attachment contains the input file that triggers the crash:
COMMAND LINE: ./h5repack --low 2 -v 2 Heap_Corruption out.h5
Expected behavior
h5repack should handle malformed input gracefully and either reject the file or exit cleanly with an error message, rather than aborting due to heap corruption.
Platform (please complete the following information)
- HDF5 version: Git develop branch 441d83a
- OS and version: Ubuntu 18.04.6 LTS
- Compiler and version: clang 14.0.6 (used via hfuzz-clang wrapper)
- Build system (e.g. CMake version) and generator (e.g. XCode, Ninja):
  Build system: CMake 3.30.0
  Generator: default Unix Makefiles (via cmake -S . -B build)
- Any configure options you specified: -DHDF5_BUILD_TOOLS=ON -DHDF5_BUILD_EXAMPLES=OFF -DHDF5_BUILD_TESTING=OFF -DHDF5_BUILD_HL_LIB=ON -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo, compiler flags include -g -O2 -fsanitize-coverage=trace-pc-guard -finstrument-functions.
- MPI library and version (parallel HDF5): Parallel HDF5 not enabled; no MPI library used.
Additional context
GDB output excerpt:
(gdb) r
Starting program: /root/DriveSched/benchmarks/hdf5/h5repack/h5repack --low 2 -v 2 /tmp/cbh_tmp/73_low_2_v_2/SIGABRT.PC.7ffff6e34e87.STACK.19cfba42a6.CODE.-6.ADDR.0.INSTR.mov____0x108(%rsp),%rcx.fuzz out.h5
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Making new file ...
Type Filter (Compression) Timing read/write Name
group /
dset 0.000000e+00/2.184017e-03 /dset
malloc_consolidate(): invalid chunk size
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6e367f1 in __GI_abort () at abort.c:79
#2 0x00007ffff6e7f837 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6faca7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff6e868ba in malloc_printerr (str=str@entry=0x7ffff6fae2d8 "malloc_consolidate(): invalid chunk size") at malloc.c:5342
#4 0x00007ffff6e86b5e in malloc_consolidate (av=av@entry=0x7ffff71e1c40 <main_arena>) at malloc.c:4471
#5 0x00007ffff6e8a848 in _int_malloc (av=av@entry=0x7ffff71e1c40 <main_arena>, bytes=bytes@entry=1992) at malloc.c:3713
#6 0x00007ffff6e8d0ac in __GI___libc_malloc (bytes=1992) at malloc.c:3067
#7 0x0000000000617b7f in H5FL__malloc (mem_size=1992) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FL.c:211
#8 H5FL_blk_malloc (head=head@entry=0xe21ba8 <H5_H5FS_bin_t_seq_free_list>, size=size@entry=1984) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FL.c:773
#9 0x000000000061a7dc in H5FL_blk_calloc (head=0x2, size=1984) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FL.c:819
#10 H5FL_seq_calloc (head=0x2, elem=elem@entry=62) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FL.c:1651
#11 0x0000000000622ba3 in H5FS__sinfo_new (f=f@entry=0xa86e470, fspace=fspace@entry=0xa8b7800) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FSsection.c:142
#12 0x0000000000624504 in H5FS__sinfo_lock (f=0xa86e470, fspace=0xa8b7800, accmode=0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FSsection.c:272
#13 H5FS_sect_add (f=f@entry=0xa86e470, fspace=fspace@entry=0xa8b7800, sect=sect@entry=0xa8ad000, flags=flags@entry=2, op_data=op_data@entry=0x7fffffffd5e8,
merged_or_shrunk=merged_or_shrunk@entry=0x7fffffffd647) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5FSsection.c:1326
#14 0x00000000006b4365 in H5MF__add_sect (f=0xa86e470, alloc_type=H5FD_MEM_DRAW, fspace=0xa8b7800, node=0xa8ad000, merged_or_shrunk=0x7fffffffd647)
at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MF.c:635
#15 H5MF_xfree (f=f@entry=0xa86e470, alloc_type=alloc_type@entry=H5FD_MEM_DRAW, addr=addr@entry=2243, size=size@entry=2008)
at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MF.c:1180
#16 0x00000000006c03cc in H5MF__aggr_reset (f=0xa86e470, aggr=) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MFaggr.c:725
#17 H5MF_free_aggrs (f=f@entry=0xa86e470) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5MFaggr.c:791
#18 0x00000000005a5173 in H5F__flush_phase1 (f=0x2) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Fint.c:2314
#19 H5F__dest (f=0x2, f@entry=0xa86e470, flush=248, free_on_failure=244) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Fint.c:1424
#20 0x00000000005a759f in H5F_try_close (f=f@entry=0xa86e470, was_closed=was_closed@entry=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Fint.c:2685
#21 0x00000000005a6c0b in H5F__close (f=f@entry=0xa86e470) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Fint.c:2487
#22 0x0000000000a4a5f0 in H5VL__native_file_close (file=file@entry=0xa86e470, dxpl_id=, req=)
at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5VLnative_file.c:777
#23 0x0000000000a1cfc5 in H5VL__file_close (obj=0xa86e470, cls=0xa869d70, dxpl_id=140737488343008, req=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5VLcallback.c:4326
#24 H5VL_file_close (vol_obj=vol_obj@entry=0xa872f20, dxpl_id=140737488343008, req=req@entry=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5VLcallback.c:4360
#25 0x00000000005ac330 in H5F__close_cb (file_vol_obj=file_vol_obj@entry=0xa872f20, request=request@entry=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Fint.c:249
#26 0x000000000069af84 in H5I__dec_ref (id=72057594037927937, request=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Iint.c:1076
#27 H5I__dec_app_ref (id=72057594037927937, request=0x0) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Iint.c:1156
#28 H5I_dec_app_ref (id=id@entry=72057594037927937) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5Iint.c:1201
#29 0x0000000000591a46 in H5Fclose (file_id=file_id@entry=72057594037927937) at /root/DriveSched/benchmarks/hdf5/hdf5/src/H5F.c:1040
#30 0x00000000004361d8 in copy_objects (
fnamein=fnamein@entry=0x7fffffffe50e "/tmp/cbh_tmp/73_low_2_v_2/SIGABRT.PC.7ffff6e34e87.STACK.19cfba42a6.CODE.-6.ADDR.0.INSTR.mov____0x108(%rsp),%rcx.fuzz",
fnameout=fnameout@entry=0x7fffffffe583 "out.h5", options=options@entry=0xa809360) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_copy.c:390
#31 0x000000000045d111 in h5repack (infile=0x7fffffffe50e "/tmp/cbh_tmp/73_low_2_v_2/SIGABRT.PC.7ffff6e34e87.STACK.19cfba42a6.CODE.-6.ADDR.0.INSTR.mov____0x108(%rsp),%rcx.fuzz",
outfile=0x7fffffffe583 "out.h5", options=options@entry=0xa809360) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack.c:53
#32 0x0000000000463ade in main (argc=, argv=) at /root/DriveSched/benchmarks/hdf5/hdf5/tools/src/h5repack/h5repack_main.c:1037
(gdb)