To assist reproducing bugs, please include the following:
h5py.version.info:Summary of the h5py configuration
---------------------------------
h5py 2.9.0
HDF5 1.10.4
Python 2.7.14+ (default, Dec 5 2017, 15:17:02)
[GCC 7.2.0]
sys.platform linux2
sys.maxsize 9223372036854775807
numpy 1.16.2
The following simple code results in a segfault when the input model is maliciously crafted to cause denial of service. This can be exploited to access invalid memory and cause further harm in all applications which use affected h5py code (e.g. Keras, TensorFlow, etc.) if not patched/handled.
import sys
import h5py
f = h5py.File(sys.argv[1], mode='r')
print(f['model_config'])
I'm attaching the crafted file and the original Python file which was sent to TensorFlow's team as a vulnerability report. We have tracked it down to an issue in h5py.
poc.zip
Original report is from PAAFS--TAN JIE against TensorFlow, I have sent them a link to this issue too.
With hdf5 1.10.0 and 1.10.4 I get
In [64]: print(f['model_config'])
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-64-cebbffd3b225> in <module>
----> 1 print(f['model_config'])
h5py/_objects.pyx in h5py._objects.with_phil.wrapper()
h5py/_objects.pyx in h5py._objects.with_phil.wrapper()
~/mc3/envs/dd37/lib/python3.7/site-packages/h5py/_hl/group.py in __getitem__(self, name)
260 raise ValueError("Invalid HDF5 object reference")
261 else:
--> 262 oid = h5o.open(self.id, self._e(name), lapl=self._lapl)
263
264 otype = h5i.get_type(oid)
h5py/_objects.pyx in h5py._objects.with_phil.wrapper()
h5py/_objects.pyx in h5py._objects.with_phil.wrapper()
h5py/h5o.pyx in h5py.h5o.open()
KeyError: 'Unable to open object (address undefined)'
instead of a segfault.
Can you run 3.6 with faulthandler turned on?
If h5py gets a corrupted file (intentionally or not), the best we can do is raise an exception, It is up to the client (keras, tensorflow, etc) to handle that exception.
h5py does not do any byte manipulations (we wrap hdf5 via cython), it looks like it is failing inside of https://github.com/h5py/h5py/blob/0cc2c24a39718022465d919fb58209bde9e1bf14/h5py/h5o.pyx#L184-L190 which is in hdf5 its self. This may be better reported to hdf5group.
attn @epourmal
Thanks. Will follow-up soon
To be honest, regardless of this specific issue, I wouldn't advise opening HDF5 files from completely untrusted sources who might craft malicious files to attack you. It's a very complex binary format parsed by C code. I'm no security expert, but from everything I've heard that pattern is a rich source of potential vulnerabilities. And there have been quite a few CVEs issued for HDF5 over the years.
Anyway, should we close this issue as it sounds like it's not a bug in h5py?