H5py: Segmentation fault loading a crafted model

Created on 15 Mar 2019  路  4Comments  路  Source: h5py/h5py

To assist reproducing bugs, please include the following:

  • Operating System: Debian (reproduced on Fedora 28 too)
  • Python version: 2.7 (reproduced on 3.6.5 too)
  • Where Python was acquired: system
  • h5py version: 2.9.0
  • HDF5 version: 1.10.4
  • full output from h5py.version.info:
Summary of the h5py configuration
---------------------------------

h5py    2.9.0
HDF5    1.10.4
Python  2.7.14+ (default, Dec  5 2017, 15:17:02) 
[GCC 7.2.0]
sys.platform    linux2
sys.maxsize     9223372036854775807
numpy   1.16.2

The following simple code results in a segfault when the input model is maliciously crafted to cause denial of service. This can be exploited to access invalid memory and cause further harm in all applications which use affected h5py code (e.g. Keras, TensorFlow, etc.) if not patched/handled.

import sys
import h5py

f = h5py.File(sys.argv[1], mode='r')
print(f['model_config'])

I'm attaching the crafted file and the original Python file which was sent to TensorFlow's team as a vulnerability report. We have tracked it down to an issue in h5py.
poc.zip

Original report is from PAAFS--TAN JIE against TensorFlow, I have sent them a link to this issue too.

bug-in-external-lib

All 4 comments

With hdf5 1.10.0 and 1.10.4 I get

In [64]: print(f['model_config'])
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-64-cebbffd3b225> in <module>
----> 1 print(f['model_config'])

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

~/mc3/envs/dd37/lib/python3.7/site-packages/h5py/_hl/group.py in __getitem__(self, name)
    260                 raise ValueError("Invalid HDF5 object reference")
    261         else:
--> 262             oid = h5o.open(self.id, self._e(name), lapl=self._lapl)
    263 
    264         otype = h5i.get_type(oid)

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

h5py/_objects.pyx in h5py._objects.with_phil.wrapper()

h5py/h5o.pyx in h5py.h5o.open()

KeyError: 'Unable to open object (address undefined)'

instead of a segfault.

Can you run 3.6 with faulthandler turned on?

If h5py gets a corrupted file (intentionally or not), the best we can do is raise an exception, It is up to the client (keras, tensorflow, etc) to handle that exception.

h5py does not do any byte manipulations (we wrap hdf5 via cython), it looks like it is failing inside of https://github.com/h5py/h5py/blob/0cc2c24a39718022465d919fb58209bde9e1bf14/h5py/h5o.pyx#L184-L190 which is in hdf5 its self. This may be better reported to hdf5group.

attn @epourmal

Thanks. Will follow-up soon

To be honest, regardless of this specific issue, I wouldn't advise opening HDF5 files from completely untrusted sources who might craft malicious files to attack you. It's a very complex binary format parsed by C code. I'm no security expert, but from everything I've heard that pattern is a rich source of potential vulnerabilities. And there have been quite a few CVEs issued for HDF5 over the years.

Anyway, should we close this issue as it sounds like it's not a bug in h5py?

Was this page helpful?
0 / 5 - 0 ratings