Bug 1093641 - (CVE-2018-11202) VUL-1: CVE-2018-11202: hdf5: A NULL pointer dereference in H5S_hyper_make_spans in H5Shyper.c allows a remote denial of service attack.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: HPC Bugzilla
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/205910/
Whiteboard: CVSSv3.1:SUSE:CVE-2018-11202:3.3:(AV:...
Depends on:
Blocks: 1101742
Reported: 2018-05-17 09:13 UTC by Karol Babioch
Modified: 2022-10-26 09:20 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
H5S_hyper_make_spans-H5Shyper.c_6139-null_pointer_dereference (11.73 KB, application/octet-stream)
2018-05-17 09:14 UTC, Karol Babioch

Description Karol Babioch 2018-05-17 09:13:31 UTC
CVE-2018-11202

A NULL pointer dereference was discovered in H5S_hyper_make_spans in H5Shyper.c
in the HDF HDF5 1.10.2 library. It could allow a remote denial of service
attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11202
https://github.com/Twi1ight/fuzzing-pocs/tree/master/hdf5
Comment 1 Karol Babioch 2018-05-17 09:14:27 UTC
Created attachment 770557 [details]
H5S_hyper_make_spans-H5Shyper.c_6139-null_pointer_dereference
Comment 2 Karol Babioch 2018-05-17 09:15:29 UTC
valgrind h5dump Downloads/H5S_hyper_make_spans-H5Shyper.c_6139-null_pointer_dereference 
==12754== Memcheck, a memory error detector
==12754== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12754== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12754== Command: h5dump Downloads/H5S_hyper_make_spans-H5Shyper.c_6139-null_pointer_dereference
==12754== 
HDF5 "Downloads/H5S_hyper_make_spans-H5Shyper.c_6139-null_pointer_dereference" {
GROUP "/" {
   DATASET "Compressed_Data" {
      DATATYPE  H5T_STD_I32BE
      DATASPACE  SCALAR
==12754== Invalid write of size 4
==12754==    at 0x5042960: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x5043533: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x5046E2A: H5S_select_hyperslab (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EDB60B: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EFAC64: H5D__read (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EFB0BE: H5Dread (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x12B150: ??? (in /usr/bin/h5dump)
==12754==    by 0x12E247: ??? (in /usr/bin/h5dump)
==12754==    by 0x113967: ??? (in /usr/bin/h5dump)
==12754==    by 0x116950: ??? (in /usr/bin/h5dump)
==12754==    by 0x4F6CC0A: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4F73FB5: H5G__node_iterate (in /usr/lib64/libhdf5.so.101.0.0)
==12754==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==12754== 
==12754== 
==12754== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==12754==  Access not within mapped region at address 0x0
==12754==    at 0x5042960: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x5043533: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x5046E2A: H5S_select_hyperslab (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EDB60B: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EFAC64: H5D__read (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4EFB0BE: H5Dread (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x12B150: ??? (in /usr/bin/h5dump)
==12754==    by 0x12E247: ??? (in /usr/bin/h5dump)
==12754==    by 0x113967: ??? (in /usr/bin/h5dump)
==12754==    by 0x116950: ??? (in /usr/bin/h5dump)
==12754==    by 0x4F6CC0A: ??? (in /usr/lib64/libhdf5.so.101.0.0)
==12754==    by 0x4F73FB5: H5G__node_iterate (in /usr/lib64/libhdf5.so.101.0.0)
==12754==  If you believe this happened as a result of a stack
==12754==  overflow in your program's main thread (unlikely but
==12754==  possible), you can try to increase the size of the
==12754==  main thread stack using the --main-stacksize= flag.
==12754==  The main thread stack size used in this run was 8388608.
      DATA {==12754== 
==12754== HEAP SUMMARY:
==12754==     in use at exit: 1,887,564 bytes in 3,106 blocks
==12754==   total heap usage: 3,198 allocs, 92 frees, 1,954,958 bytes allocated
==12754== 
==12754== LEAK SUMMARY:
==12754==    definitely lost: 0 bytes in 0 blocks
==12754==    indirectly lost: 0 bytes in 0 blocks
==12754==      possibly lost: 0 bytes in 0 blocks
==12754==    still reachable: 1,887,564 bytes in 3,106 blocks
==12754==                       of which reachable via heuristic:
==12754==                         length64           : 1,080,078 bytes in 24 blocks
==12754==                         newarray           : 32 bytes in 2 blocks
==12754==         suppressed: 0 bytes in 0 blocks
==12754== Rerun with --leak-check=full to see details of leaked memory
==12754== 
==12754== For counts of detected and suppressed errors, rerun with: -v
==12754== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)
Comment 3 Karol Babioch 2018-05-17 09:30:38 UTC
Probably an issue for all codestreams:

- SUSE:SLE-12-SP2:GA:Products:Update
- SUSE:SLE-12:Update
Comment 4 Swamp Workflow Management 2018-07-28 13:47:06 UTC
openSUSE-SU-2018:2119-1: An update that solves 23 vulnerabilities and has 283 fixes is now available.

Category: security (important)
Bug References: 1022476,1046303,1046305,1046306,1046307,1046540,1046542,1046543,1048129,1050242,1050252,1050529,1050536,1050538,1050545,1050549,1050662,1051510,1052766,1055117,1055186,1055968,1056427,1056643,1056651,1056653,1056657,1056658,1056662,1056686,1056787,1058115,1058513,1058659,1058717,1059336,1060463,1061024,1061840,1062897,1064802,1065600,1065729,1066110,1066129,1068032,1068054,1068546,1071218,1071995,1072829,1072856,1073513,1073765,1073960,1074562,1074578,1074701,1074741,1074873,1074919,1074984,1075006,1075007,1075262,1075419,1075748,1075876,1076049,1076115,1076372,1076830,1077338,1078248,1078353,1079152,1079747,1080039,1080157,1080542,1081599,1082485,1082504,1082869,1082962,1083647,1083684,1083900,1084001,1084570,1084721,1085308,1085341,1085400,1085539,1085626,1085933,1085936,1085937,1085938,1085939,1085941,1086224,1086282,1086283,1086286,1086288,1086319,1086323,1086400,1086467,1086652,1086739,1087084,1087088,1087092,1087205,1087210,1087213,1087214,1087284,1087405,1087458,1087939,1087978,1088273,1088354,1088374,1088690,1088704,1088713,1088722,1088796,1088804,1088821,1088866,1088872,1089074,1089086,1089115,1089141,1089198,1089268,1089271,1089467,1089608,1089644,1089663,1089664,1089667,1089669,1089752,1089753,1089762,1089878,1089889,1089977,1090098,1090150,1090457,1090522,1090534,1090535,1090605,1090643,1090646,1090658,1090717,1090734,1090818,1090888,1090953,1091101,1091158,1091171,1091264,1091424,1091532,1091543,1091594,1091666,1091678,1091686,1091781,1091782,1091815,1091860,1091960,1092100,1092289,1092472,1092566,1092710,1092772,1092888,1092904,1092975,1093023,1093027,1093035,1093118,1093148,1093158,1093184,1093205,1093273,1093290,1093604,1093641,1093649,1093653,1093655,1093657,1093663,1093721,1093728,1093904,1093990,1094244,1094356,1094420,1094541,1094575,1094751,1094825,1094840,1094978,1095042,1095094,1095104,1095115,1095155,1095265,1095321,1095337,1095467,1095573,1095735,1095893,1096065,1096480,1096529,1096696,1096705,1096728,1096753,1096790,1096793,
1097034,1097105,1097234,1097356,1097373,1097439,1097465,1097468,1097470,1097471,1097472,1097551,1097780,1097796,1097800,1097941,1097961,1098016,1098043,1098050,1098174,1098176,1098236,1098401,1098425,1098435,1098599,1098626,1098706,1098983,1098995,1099029,1099041,1099109,1099142,1099183,1099715,1099792,1099918,1099924,1099966,1100132,1100209,1100340,1100362,1100382,1100416,1100418,1100491,1100602,1100633,1100734,1100843,1101296,1101315,1101324,971975,975772
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2018-1000200,CVE-2018-1000204,CVE-2018-10087,CVE-2018-10124,CVE-2018-10323,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1108,CVE-2018-1118,CVE-2018-1120,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492,CVE-2018-8781,CVE-2018-9385
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.7.1, kernel-default-4.12.14-lp150.12.7.1, kernel-docs-4.12.14-lp150.12.7.1, kernel-kvmsmall-4.12.14-lp150.12.7.1, kernel-obs-build-4.12.14-lp150.12.7.1, kernel-obs-qa-4.12.14-lp150.12.7.1, kernel-source-4.12.14-lp150.12.7.1, kernel-syms-4.12.14-lp150.12.7.1, kernel-vanilla-4.12.14-lp150.12.7.1
Comment 5 Swamp Workflow Management 2019-02-11 20:13:46 UTC
SUSE-SU-2019:0320-1: An update that solves 9 vulnerabilities and has 113 fixes is now available.

Category: security (important)
Bug References: 1012382,1015336,1015337,1015340,1019683,1019695,1020645,1023175,1027260,1027457,1031492,1042286,1043083,1046264,1047487,1048916,1065600,1066223,1068032,1069702,1070805,1079935,1086423,1087082,1091405,1092100,1093158,1093641,1093649,1093653,1093655,1093657,1093663,1094244,1094973,1096242,1096281,1099523,1100105,1101557,1102439,1102660,1103156,1103257,1103624,1104098,1104731,1106105,1106237,1106240,1106929,1107385,1108145,1108240,1109168,1109272,1109330,1109806,1110286,1111062,1111174,1111809,1112246,1112963,1113412,1113766,1114190,1114417,1114475,1114648,1114763,1114839,1114871,1115431,1115433,1115440,1115482,1115587,1115709,1116027,1116183,1116285,1116336,1116345,1116497,1116841,1116924,1116950,1116962,1117162,1117165,1117186,1117562,1118152,1118316,1118319,1118505,1118790,1118798,1118915,1118922,1118926,1118930,1118936,1119204,1119445,1119714,1119877,1119946,1119967,1119970,1120046,1120260,1120743,1120950,1121239,1121240,1121241,1121242,1121275,1121621,985031
CVE References: CVE-2017-16939,CVE-2018-1120,CVE-2018-16862,CVE-2018-16884,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-9568
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.170-3.32.2, kernel-rt_debug-4.4.170-3.32.2, kernel-source-rt-4.4.170-3.32.1, kernel-syms-rt-4.4.170-3.32.1
Comment 6 Marcus Meissner 2020-01-31 16:02:58 UTC
released
Comment 10 Swamp Workflow Management 2022-06-01 13:17:14 UTC
SUSE-SU-2022:1903-1: An update that solves 27 vulnerabilities, contains four features and has 5 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150100.7.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150100.7.4.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-06-01 19:18:32 UTC
SUSE-SU-2022:1910-1: An update that solves 27 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1167401,1167404,1167405,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150200.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150200.8.4.2, hdf5_1_10_8-gnu-openmpi3-hpc-1.10.8-150200.8.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-06-02 13:19:42 UTC
SUSE-SU-2022:1911-1: An update that solves 27 vulnerabilities, contains four features and has 8 fixes is now available.

Category: security (important)
Bug References: 1072087,1072090,1072108,1072111,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    hdf5_1_10_8-gnu-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mpich-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-150000.8.4.3, hdf5_1_10_8-gnu-openmpi2-hpc-1.10.8-150000.8.4.3, suse-hpc-0.5.20220206.0c6b168-150000.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-06-03 13:17:14 UTC
SUSE-SU-2022:1933-1: An update that solves 27 vulnerabilities, contains four features and has 17 fixes is now available.

Category: security (important)
Bug References: 1058563,1072087,1072090,1072108,1072111,1080022,1080259,1080426,1080442,1082209,1084951,1088547,1091237,1093641,1093649,1093653,1093655,1093657,1101471,1101474,1101493,1101495,1102175,1109166,1109167,1109168,1109564,1109565,1109566,1109567,1109568,1109569,1109570,1116458,1124509,1133222,1134298,1167401,1167404,1167405,1169793,1174439,1179521,1196682
CVE References: CVE-2017-17505,CVE-2017-17506,CVE-2017-17508,CVE-2017-17509,CVE-2018-11202,CVE-2018-11203,CVE-2018-11204,CVE-2018-11206,CVE-2018-11207,CVE-2018-13869,CVE-2018-13870,CVE-2018-14032,CVE-2018-14033,CVE-2018-14460,CVE-2018-17233,CVE-2018-17234,CVE-2018-17237,CVE-2018-17432,CVE-2018-17433,CVE-2018-17434,CVE-2018-17435,CVE-2018-17436,CVE-2018-17437,CVE-2018-17438,CVE-2020-10809,CVE-2020-10810,CVE-2020-10811
JIRA References: SLE-7766,SLE-7773,SLE-8501,SLE-8604
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    hdf5_1_10_8-gnu-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2, hdf5_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2, suse-hpc-0.5.20220206.0c6b168-5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Egbert Eich 2022-09-06 13:15:42 UTC
SEGV during WRITE to address 0:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6798f2f in H5S_hyper_make_spans (block=0x7fffffff6950, 
    count=0x7fffffff6810, stride=0x7fffffff66d0, start=0x7fffffff6590, rank=0)
    at H5Shyper.c:5958
5958	    down->count = 1;
(gdb) x/i $pc
=> 0x7ffff6798f2f <H5S_generate_hyperslab+9007>:	movl   $0x1,0x0
(gdb) p down
$1 = (H5S_hyper_span_info_t *) 0x0
(gdb)
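The gdb session above (rank=0, down == 0x0, `movl $0x1,0x0`) is the classic shape of a loop that allocates one node per dimension, links them through a `down` pointer, and then writes through that pointer without checking that the loop ever ran. The C program below is an added illustration, not HDF5's code and not the reporter's: the `span_info_t` struct, the function names (`build_chain`, `make_spans_unchecked`, `make_spans_checked`, `span_depth`, `free_spans`) and the rank handling are constructed for this example and only loosely modeled on the crash site. It shows the unguarded write beside a hardened variant that rejects rank 0 and allocation failure before touching the pointer, which is the behaviour a tool such as h5dump reading untrusted files needs from the library instead of a fault.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-in for a per-dimension hyperslab span list.
 * This is NOT HDF5's H5S_hyper_span_info_t; it only models the shape that
 * matters for the crash: one node per dimension, linked through 'down'. */
typedef struct span_info {
    unsigned count;            /* use count; the field written at the crash site */
    struct span_info *down;    /* span list of the next-lower dimension, NULL at the bottom */
} span_info_t;

/* Release a whole chain. */
void free_spans(span_info_t *s)
{
    while (s) {
        span_info_t *next = s->down;
        free(s);
        s = next;
    }
}

/* Number of dimensions represented by a chain (0 for NULL). */
unsigned span_depth(const span_info_t *s)
{
    unsigned n = 0;
    for (; s; s = s->down)
        n++;
    return n;
}

/* Build one node per dimension, innermost first, so the node returned
 * describes the outermost dimension. Returns NULL when rank is 0 or an
 * allocation fails; the caller must handle both. */
static span_info_t *build_chain(unsigned rank)
{
    span_info_t *down = NULL;
    for (unsigned i = 0; i < rank; i++) {
        span_info_t *node = calloc(1, sizeof *node);
        if (node == NULL) {
            free_spans(down);
            return NULL;
        }
        node->down = down;
        down = node;
    }
    return down;
}

/* Vulnerable shape: assumes the chain is never empty and writes through
 * 'down' unconditionally. With rank == 0 (a SCALAR dataspace, as in the gdb
 * session) the loop allocates nothing and 'down->count = 1' is a write to
 * address 0. Kept for contrast only; never call it with rank 0. */
span_info_t *make_spans_unchecked(unsigned rank)
{
    span_info_t *down = build_chain(rank);
    down->count = 1;           /* NULL write when rank == 0 or on allocation failure */
    return down;
}

/* Hardened shape: reject a rank for which no span chain can exist, and
 * distinguish that from allocation failure, before the pointer is used. */
int make_spans_checked(unsigned rank, span_info_t **out)
{
    *out = NULL;
    if (rank == 0)
        return -1;             /* scalar dataspace: no hyperslab span chain can exist */
    span_info_t *down = build_chain(rank);
    if (down == NULL)
        return -2;             /* out of memory */
    down->count = 1;
    *out = down;
    return 0;
}

int main(void)
{
    span_info_t *s = NULL;
    printf("rank 0 -> rc %d (rejected instead of faulting)\n", make_spans_checked(0, &s));
    if (make_spans_checked(3, &s) == 0) {
        printf("rank 3 -> chain depth %u, count %u\n", span_depth(s), s->count);
        free_spans(s);
    }
    return 0;
}
```

The point of the checked variant is that the error surfaces as a return code the caller (here, the dump tool) can report, so a malformed file yields a diagnostic rather than a SIGSEGV, and a fuzzer or valgrind run over a corpus of files stays quiet on this path.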