Version of the software
netcdf-c commit: f1d2504c29099cec967756e6357fd3219ca1f415
Environmental information
OS: Ubuntu 22.04.5 LTS
Kernel: Linux 6.8.0-90-generic x86_64
Compiler: GCC 11.4.0
glibc: 2.35
Bug Description
Running ncdump -b f on a NetCDF file triggers free(): invalid pointer and aborts. The crash occurs during recursive metadata processing in do_ncdump_rec().
Steps to Reproduce
The PoC attachment contains the input file that triggers the issue:
PoC.zip
COMMAND LINE: ./ncdump -b f Heap_Corruption_02
Expected behavior
ncdump should detect the invalid NetCDF input and exit with an error instead of crashing due to an invalid memory deallocation.
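For triaging inputs like the attached reproducer, the following harness (an added example, not code from the netcdf-c project or this report) runs ncdump with the options from the command line above on one file and classifies the outcome, so that a glibc heap-check abort ("free(): invalid pointer" followed by SIGABRT) is told apart from the clean error exit that the expected behaviour describes. It assumes a locally built ncdump binary path and an input file path supplied by the caller; the exit-status mapping relies only on the POSIX convention that a shell reports a signal death as 128 plus the signal number.

```shell
#!/bin/sh
# Added triage harness (not part of netcdf-c): run one input through ncdump and
# classify the result. Assumes $1 is a built ncdump binary and $2 an input file.

# Map a shell exit status to a category. Shells report death by signal as 128+signo.
classify_status() {
  case "$1" in
    0)   echo "ok" ;;
    134) echo "crash:SIGABRT" ;;   # 128 + 6: abort(), e.g. from glibc malloc_printerr
    139) echo "crash:SIGSEGV" ;;   # 128 + 11
    *)
      if [ "$1" -gt 128 ]; then
        echo "crash:signal$(( $1 - 128 ))"
      else
        echo "error:$1"            # ordinary non-zero exit: the behaviour we want for bad input
      fi
      ;;
  esac
}

# Run one case: $1 = ncdump binary, $2 = input file.
# Prints the category and, on a crash, the glibc heap diagnostic captured from stderr.
run_case() {
  ncdump_bin=$1
  input=$2
  errlog=$(mktemp)
  status=0
  "$ncdump_bin" -b f "$input" >/dev/null 2>"$errlog" || status=$?
  category=$(classify_status "$status")
  case "$category" in
    crash:*)
      diag=$(grep -E 'free\(\)|malloc\(\)|double free|corrupted' "$errlog" | head -n 1)
      if [ -n "$diag" ]; then
        category="$category ($diag)"
      fi
      ;;
  esac
  rm -f "$errlog"
  echo "$category"
}

# Usage against the report's reproducer (assumes ./ncdump built from the reported commit):
#   run_case ./ncdump Heap_Corruption_02
# On the reported build this prints "crash:SIGABRT (free(): invalid pointer)";
# a fixed build should instead print "error:<n>" with a non-zero ncdump exit code.
```

Running the harness over a whole corpus of fuzzer outputs (for example in a `for f in crashes/*; do run_case ./ncdump "$f"; done` loop) gives a quick split between inputs that merely fail validation and inputs that still reach the allocator's consistency checks, which is the set worth re-running under a debugger or AddressSanitizer as in the trace below.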
Stack trace
(gdb) r
Starting program: /root/GraphDissect/benchmarks/netcdf/ncdump/ncdump -b f /root/GraphDissect/benchmarks/netcdf/ncdump/SIGABRT.PC.753363dd79fc.STACK.1834415f35.CODE.-6.ADDR.0.INSTR.mov____%eax,%r13d.fuzz
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
netcdf SIGABRT.PC.753363dd79fc.STACK.1834415f35.CODE.-6.ADDR.0.INSTR.mov____%eax,%r13d {
dimensions:
= UNLIMITED ; // (0 currently)
free(): invalid pointer
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=131432709384128) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=131432709384128) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=131432709384128) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=131432709384128, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x0000778991ffd476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x0000778991fe37f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x0000778992044677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x778992196b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x000077899205bcfc in malloc_printerr (str=str@entry=0x778992194744 "free(): invalid pointer") at ./malloc/malloc.c:5664
#7 0x000077899205da44 in _int_free (av=, p=, have_lock=0) at ./malloc/malloc.c:4439
#8 0x0000778992060453 in __GI___libc_free (mem=) at ./malloc/malloc.c:3391
#9 0x0000000000439c07 in do_ncdump_rec ()
#10 0x0000000000437ee7 in do_ncdump ()
#11 0x0000000000436ba4 in main ()
(gdb)