By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Home
/
Research
/
Zero Day Discovery
/
CVE-2020-10810: Null pointer dereference in H5AC.c – HDF5 – 1.13.0

CVE-2020-10810: Null pointer dereference in H5AC.c – HDF5 – 1.13.0

Vulnerability Reports
March 11, 2020
Profile Icon

Jason Franscisco

Null pointer dereference in H5AC.c – HDF5 – 1.13.0

Loginsoft-2020-1005

11 March, 2020

CVE Number

CVE-2020-10810

CWECWE – 476 : NULL Pointer Dereference

Product DetailsHDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of data types and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.

URL: https://www.hdfgroup.org/downloads

Vulnerable Versions

1.13.0

Vulnerability DetailsDuring our research we observed Null pointer dereference in the function H5AC_unpin_entry() located in H5AC.c. The same be triggered by sending a crafted file to the h5clear binary. It allows an attacker to cause Denial of Service.

SYNOPSISDuring our research on hdf5, When function H5F__dest() to flushe the cache located in H5Fint.c calls another function H5AC_unpin_entry() to Unpin a cache entry located in H5AC.c, here before calling function H5C_log_write_unpin_entry_msg() for generating log message in line if(cache_ptr->log_info->logging) it is trying to dereference cache_ptr() pointer which is null and it triggers the null pointer dereference.

1418       /* If currently logging, generate a message */
  → 1419                 if(cache_ptr->log_info->logging)
    1420           if(H5C_log_write_unpin_entry_msg(cache_ptr, entry_ptr, ret_value) < 0)
    1421               HDONE_ERROR(H5E_CACHE, H5E_LOGGING, FAIL, "unable to emit log message")
    1422  
   1423       FUNC_LEAVE_NOAPI(ret_value)
    1424  } /* H5AC_unpin_entry() */

Analysis

DEBUG:

GDB:


Starting program: /hdf5/build/bin/h5clear -s -m POC
 
Program received signal SIGSEGV, Segmentation fault.
 [ Legend: Modified register | Code | Heap | Stack | String ]
 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
 $rax   : 0x0               
$rbx   : 0x0               
$rcx   : 0xd0000000000003c 
$rdx   : 0x000055555634b010  →  0x0000010000010001
 $rsp   : 0x00007fffffffdbd0  →  0x0000000000000000
 $rbp   : 0x000055555638fc40  →  0x0000000000000000
 $rsi   : 0x000055555626b2ea  →  "can't unpin entry"
 $rdi   : 0x0               
$rip   : 0x00005555555f425c  →   mov rdi, QWORD PTR [rbx+0x8]
 $r8    : 0x000055555634a138  →  0x0000555556391840  →  "Can't unpin entry from client"
 $r9    : 0x72746e65206e6970 ("pin entr"?)
 $r10   : 0x000055555634b010  →  0x0000010000010001
 $r11   : 0x0               
$r12   : 0xffffffff        
$r13   : 0x0               
$r14   : 0x000055555638ea10  →  0x0800000000000000
 $r15   : 0x000055555638e8e0  →  0x000055555638f8f0  →  "POC"
 $eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
 $cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
 0x00007fffffffdbd0│+0x0000: 0x0000000000000000        ← $rsp
 0x00007fffffffdbd8│+0x0008: 0x000055555638e8e0  →  0x000055555638f8f0  →  "h5clear_fuzz/id:000033,sig:11,src:000169,op:flip1,[...]"
 0x00007fffffffdbe0│+0x0010: 0x0000000000000000
 0x00007fffffffdbe8│+0x0018: 0x0000555556346ac8  →  0x0000000000000001
 0x00007fffffffdbf0│+0x0020: 0x0000000000000000
 0x00007fffffffdbf8│+0x0028: 0x00005555557601f1  →   test eax, eax
 0x00007fffffffdc00│+0x0030: 0x000055555638e5c0  →  0x0000555556358350  →  0x0000555556354230  →  0x0000000000000000
 0x00007fffffffdc08│+0x0038: 0x00005555563413f8  →  0x0c00000000000000
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
    0x5555555f424b  mov    rcx, QWORD PTR [rsp+0x8]
    0x5555555f4250  mov    rdx, QWORD PTR [rsp]
    0x5555555f4254  lea    rsp, [rsp+0x98]
  → 0x5555555f425c  mov    rdi, QWORD PTR [rbx+0x8]
    0x5555555f4260  cmp    BYTE PTR [rdi+0x1], 0x0
    0x5555555f4264  je     0x5555555f4080 
    0x5555555f426a  xchg   ax, ax
    0x5555555f426c  lea    rsp, [rsp-0x98]
    0x5555555f4274  mov    QWORD PTR [rsp], rdx
 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:/h[...].c+1419 ────
    1414       if(H5C_unpin_entry(thing) log_info->logging)
    1420           if(H5C_log_write_unpin_entry_msg(cache_ptr, entry_ptr, ret_value)  0)
    1421               HDONE_ERROR(H5E_CACHE, H5E_LOGGING, FAIL, unable to emit log message)
    1422  
   1423       FUNC_LEAVE_NOAPI(ret_value)
    1424  } /* H5AC_unpin_entry() */
 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
 [#0] Id 1, Name: h5clear, stopped, reason: SIGSEGV
 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
 [#0] 0x5555555f425c → H5AC_unpin_entry(thing=0x55555638fc40)
 [#1] 0x5555557601f1 → H5F__dest(f=0x55555638e8e0, flush=0x0)
 [#2] 0x55555576ba43 → H5F_open(name=, flags=, fcpl_id=, fapl_id=)
 [#3] 0x55555601a78b → H5VL__native_file_open(name=, flags=, fapl_id=, dxpl_id=, req=)
 [#4] 0x555555fdb1b9 → H5VL__file_open(cls=, req=0x0, dxpl_id=0xb00000000000008, fapl_id=0xb00000000000014, flags=0x1, name=0x55555638d2d0 h5clear_fuzz/id:000033,sig:11,src:000169,op:flip1,pos:73)
 [#5] 0x555555fdb1b9 → H5VL_file_open(connector_prop=0x7fffffffdd40, name=0x55555638d2d0 h5clear_fuzz/id:000033,sig:11,src:000169,op:flip1,pos:73, flags=0x1, fapl_id=0xb00000000000014, dxpl_id=0xb00000000000008, req=0x0)
 [#6] 0x555555745908 → H5Fopen(filename=0x55555638d2d0 h5clear_fuzz/id:000033,sig:11,src:000169,op:flip1,pos:73, flags=0x1, fapl_id=)
 [#7] 0x5555555683d8 → h5tools_fopen(fname=0x55555638d2d0 h5clear_fuzz/id:000033,sig:11,src:000169,op:flip1,pos:73, flags=0x1, fapl=0xb00000000000013, driver=, drivername=0x0, drivername_size=0x0)
 [#8] 0x555555564217 → main(argc=, argv=0x7fffffffdfe8)
 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x00005555555f425c in H5AC_unpin_entry (thing=0x55555638fc40) at /hdf5/src/H5AC.c:1419
 1419         if(cache_ptr->log_info->logging)
 
gef➤  ptype cache_ptr
 type = struct H5C_t {
     uint32_t magic;
     hbool_t flush_in_progress;
     H5C_log_info_t *log_info;
     void *aux_ptr;
     int32_t max_type_id;
     const H5C_class_t * const *class_table_ptr;
     size_t max_cache_size;
     size_t min_clean_size;
     H5C_write_permitted_func_t check_write_permitted;
     hbool_t write_permitted;
     H5C_log_flush_func_t log_flush;
     hbool_t evictions_enabled;
     hbool_t close_warning_received;
     uint32_t index_len;
     size_t index_size;
     uint32_t index_ring_len[6];
     size_t index_ring_size[6];
     size_t clean_index_size;
     size_t clean_index_ring_size[6];
     size_t dirty_index_size;
     size_t dirty_index_ring_size[6];
     H5C_cache_entry_t *index[65536];
     uint32_t il_len;
     size_t il_size;
     H5C_cache_entry_t *il_head;
     H5C_cache_entry_t *il_tail;
     int64_t entries_removed_counter;
     H5C_cache_entry_t *last_entry_removed_ptr;
     H5C_cache_entry_t *entry_watched_for_removal;
     hbool_t slist_changed;
     uint32_t slist_len;
     size_t slist_size;
     uint32_t slist_ring_len[6];
     size_t slist_ring_size[6];
     H5SL_t *slist_ptr;
     uint32_t num_last_entries;
     H5SL_t *tag_list;
     hbool_t ignore_tags;
     uint32_t num_objs_corked;
     uint32_t pl_len;
     size_t pl_size;
     H5C_cache_entry_t *pl_head_ptr;
     H5C_cache_entry_t *pl_tail_ptr;
     uint32_t pel_len;
     size_t pel_size;
     H5C_cache_entry_t *pel_head_ptr;
     H5C_cache_entry_t *pel_tail_ptr;
     uint32_t LRU_list_len;
     size_t LRU_list_size;
     H5C_cache_entry_t *LRU_head_ptr;
     H5C_cache_entry_t *LRU_tail_ptr;
     hbool_t size_increase_possible;
     hbool_t flash_size_increase_possible;
     size_t flash_size_increase_threshold;
     hbool_t size_decrease_possible;
     hbool_t resize_enabled;
     hbool_t cache_full;
     hbool_t size_decreased;
     hbool_t resize_in_progress;
     hbool_t msic_in_progress;
     H5C_auto_size_ctl_t resize_ctl;
     int32_t epoch_markers_active;
     hbool_t epoch_marker_active[10];
     int32_t epoch_marker_ringbuf[11];
     int32_t epoch_marker_ringbuf_first;
     int32_t epoch_marker_ringbuf_last;
     int32_t epoch_marker_ringbuf_size;
     H5C_cache_entry_t epoch_markers[10];
     int64_t cache_hits;
     int64_t cache_accesses;
     H5C_cache_image_ctl_t image_ctl;
     hbool_t serialization_in_progress;
     hbool_t load_image;
     hbool_t image_loaded;
     hbool_t delete_image;
     haddr_t image_addr;
     hsize_t image_len;
     hsize_t image_data_len;
     int64_t entries_loaded_counter;
     int64_t entries_inserted_counter;
     int64_t entries_relocated_counter;
     int64_t entry_fd_height_change_counter;
     uint32_t num_entries_in_image;
     H5C_image_entry_t *image_entries;
     void *image_buffer;
     hbool_t rdfsm_settled;
     hbool_t mdfsm_settled;
     char prefix[32];
 } *
 gef➤  p cache_ptr->log_info->logging
 Cannot access memory at address 0x8
 gef➤  p cache_ptr
 $1 = (H5C_t *) 0x0
 gef➤  i r
 rax            0x0  0x0
 rbx            0x0  0x0
 rcx            0xd0000000000003c  0xd0000000000003c
 rdx            0x55555634b010       0x55555634b010
 rsi            0x55555626b2ea         0x55555626b2ea
 rdi            0x0   0x0
 rbp            0x55555638fc40        0x55555638fc40
 rsp            0x7fffffffdbd0           0x7fffffffdbd0
 r8             0x55555634a138        0x55555634a138
 r9             0x72746e65206e6970 0x72746e65206e6970
 r10            0x55555634b010       0x55555634b010
 r11            0x0  0x0
 r12            0xffffffff      0xffffffff
 r13            0x0  0x0
 r14            0x55555638ea10       0x55555638ea10
 r15            0x55555638e8e0       0x55555638e8e0
 rip            0x5555555f425c        0x5555555f425c 
 eflags         0x10206       [ PF IF RF ]
 cs             0x33 0x33
 ss             0x2b  0x2b
 ds             0x0   0x0
 es             0x0   0x0
 fs             0x0   0x0
 gs             0x0   0x0

Valgrind Output:

==21963== Memcheck, a memory error detector ==21963== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==21963== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==21963== Command: ./h5clear -s -m POC ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C90: ??? ==21963==  Address 0x58c0c90 is 0 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C91: ??? ==21963==  Address 0x58c0c91 is 1 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C92: ??? ==21963==  Address 0x58c0c92 is 2 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C93: ??? ==21963==  Address 0x58c0c93 is 3 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C94: ??? ==21963==  Address 0x58c0c94 is 4 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C95: ??? ==21963==  Address 0x58c0c95 is 5 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C96: ??? ==21963==  Address 0x58c0c96 is 6 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C97: ??? ==21963==  Address 0x58c0c97 is 7 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C98: ??? ==21963==  Address 0x58c0c98 is 8 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C99: ??? ==21963==  Address 0x58c0c99 is 9 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9A: ??? ==21963==  Address 0x58c0c9a is 10 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9B: ??? ==21963==  Address 0x58c0c9b is 11 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9C: ??? ==21963==  Address 0x58c0c9c is 12 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9D: ??? ==21963==  Address 0x58c0c9d is 13 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9E: ??? ==21963==  Address 0x58c0c9e is 14 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0C9F: ??? ==21963==  Address 0x58c0c9f is 15 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA0: ??? ==21963==  Address 0x58c0ca0 is 16 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA1: ??? ==21963==  Address 0x58c0ca1 is 17 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA2: ??? ==21963==  Address 0x58c0ca2 is 18 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA3: ??? ==21963==  Address 0x58c0ca3 is 19 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA4: ??? ==21963==  Address 0x58c0ca4 is 20 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA5: ??? ==21963==  Address 0x58c0ca5 is 21 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA6: ??? ==21963==  Address 0x58c0ca6 is 22 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA7: ??? ==21963==  Address 0x58c0ca7 is 23 bytes after a block of size 64 alloc'd ==21963==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==21963==    by 0x38382F: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x58C0A8F: ??? ==21963==    by 0x58C089F: ??? ==21963==    by 0x37: ??? ==21963==    by 0x4CB5B2: ??? (in /hdf5/build/bin/h5clear) ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA8: ??? ==21963==  Address 0x58c0ca8 is 24 bytes after a block of size 64 in arena "client" ==21963== ==21963== Invalid read of size 1 ==21963==    at 0x318FB7: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x504A81: ??? (in /hdf5/build/bin/h5clear) ==21963==    by 0x16: ??? ==21963==    by 0x58C0CA9: ??? ==21963==  Address 0x58c0ca9 is 25 bytes after a block of size 64 in arena "client" ==21963== ==21963== Invalid read of size 8 ==21963==    at 0x1A825C: ??? (in /hdf5/build/bin/h5clear) ==21963==  Address 0x8 is not stack'd, malloc'd or (recently) free'd ==21963== ==21963== ==21963== Process terminating with default action of signal 11 (SIGSEGV) ==21963==  Access not within mapped region at address 0x8 ==21963==    at 0x1A825C: ??? (in /hdf5/build/bin/h5clear) ==21963==  If you believe this happened as a result of a stack ==21963==  overflow in your program's main thread (unlikely but ==21963==  possible), you can try to increase the size of the ==21963==  main thread stack using the --main-stacksize= flag. ==21963==  The main thread stack size used in this run was 8388608. Segmentation fault

Proof of Concept./h5clear -s -m $POC

Vendor Disclosure: 2020-3-10

Credit

Discovered by ACE Team – Loginsoft

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Reports and Resources

Related Resources

Article

The Rise of INTERLOCK Ransomware

Article

Fortifying the Cloud: A Guide to Securing Vulnerable Cloud Environments

Article

The Emergence of Mallox v1.0

Sign up to our Newsletter

Cybersecurity Solutions
Cloud Security Posture ManagementCloud Workload ProtectionOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoverySecurity & Threat Intelligence IntegrationsVulnerability IntelligenceThreat IntelligenceExternal Attack Surface DiscoveryVulnerability & Configuration Management
IT Solutions
Data Science & AISoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
BlogsReportsAbout usCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2024 - Copyright
Privacy policy