# Vulnerability summary: H5T_conv_struct use-after-free

## Overview

The `H5T_conv_struct()` function in the HDF5 library contains a heap use-after-free vulnerability. An attacker can trigger it by controlling a field in an HDF5 file; the freed memory is then accessed while the file is parsed. This can cause a denial of service (DoS) and, under specific conditions, may further lead to remote code execution (RCE). The vulnerability was discovered with the help of a fuzzing tool.

## Affected scope

- Affected versions:
- Fixed version: None (the screenshot shows no official patch yet)

## Remediation

The screenshot currently shows no official fixed version. Users are advised to watch for official updates or to build a patched version themselves.

## PoC code

1. Build environment configuration

2. Exploit code and ASAN output

Key information from the ASAN error report:

```text
HDF5/DUMP: Error in H5T_conv_struct(): heap-use-after-free on address 0x7fa4bebc4 at 0x7fa4bebc541 at 0x7ff00b02649
READ of size 3529 at 0x7fa4bebc4 thread T0
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/.../src/hdf5/src/H5Tconv.c:193 in H5T_conv_struct
...
Shadow bytes around the buggy address:
  0x07fa4bebc400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc5f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa4bebc740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x07fa
```
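The report above is the kind of artifact a fuzzing campaign produces by the hundreds, and the first defensive step is to triage and deduplicate it. The following Python helper is an added example, not code from this advisory or from the HDF5 project: it parses the triage-relevant fields out of an ASAN report (bug class, faulting address, access type and size, top frame with file and line) and derives a signature for bucketing repeated hits of the same bug. The embedded sample input is the ASAN excerpt quoted above; the `HIGH_RISK` ranking of bug classes is this example's own choice.

```python
"""Triage helper for AddressSanitizer (ASAN) reports from fuzzing HDF5 tools.

Added example; not code from the advisory above or from the HDF5 project.
It extracts the fields a triager needs from one ASAN report (bug class,
faulting address, access type and size, top frame with file:line) and
derives a stable signature so that a fuzzing campaign can bucket repeated
hits of the same bug, e.g. the H5T_conv_struct use-after-free.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Sample input: the ASAN excerpt quoted in the advisory, embedded verbatim
# (the "..." line stands for the frames the advisory elided).
SAMPLE_REPORT = """\
HDF5/DUMP: Error in H5T_conv_struct(): heap-use-after-free on address 0x7fa4bebc4 at 0x7fa4bebc541 at 0x7ff00b02649
READ of size 3529 at 0x7fa4bebc4 thread T0
...
SUMMARY: AddressSanitizer: heap-use-after-free /home/.../src/hdf5/src/H5Tconv.c:193 in H5T_conv_struct
"""

# Bug classes ranked as high risk for triage (this example's own choice):
# temporal and spatial memory-safety errors, which commonly mean more than
# a plain crash, as opposed to e.g. leaks or allocation-size errors.
HIGH_RISK = {
    "heap-use-after-free", "double-free", "use-after-poison",
    "heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow",
}

# "<kind> on address <addr>" appears on ASAN's primary error line.
_ERROR_RE = re.compile(r"(?P<kind>[a-z][a-z-]*) on address (?P<addr>0x[0-9a-f]+)")
# "READ of size N at <addr>" / "WRITE of size N at <addr>" describes the bad access.
_ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# The SUMMARY line carries the bug class and the top symbolized frame;
# ASAN may append ":column" after the line number, which is accepted here.
_SUMMARY_RE = re.compile(
    r"^SUMMARY: AddressSanitizer: (?P<kind>\S+) (?P<loc>\S+?):(?P<line>\d+)(?::\d+)? in (?P<func>\S+)",
    re.M)


@dataclass
class AsanFinding:
    kind: str
    address: Optional[str]
    access: Optional[str]        # "READ" or "WRITE"
    size: Optional[int]          # bytes touched by the bad access
    source_file: Optional[str]
    line: Optional[int]
    function: Optional[str]

    @property
    def signature(self) -> str:
        """Dedup key: bug class plus top frame, ignoring run-specific addresses."""
        return f"{self.kind}@{self.function}:{self.source_file}:{self.line}"

    @property
    def high_risk(self) -> bool:
        return self.kind in HIGH_RISK


def parse_asan_report(text: str) -> AsanFinding:
    """Parse one ASAN report; raises ValueError if it is not an ASAN report."""
    summary = _SUMMARY_RE.search(text)
    error = _ERROR_RE.search(text)
    access = _ACCESS_RE.search(text)
    if summary is None and error is None:
        raise ValueError("not an AddressSanitizer report")
    kind = summary.group("kind") if summary else error.group("kind")
    if error:
        address = error.group("addr")
    elif access:
        address = access.group("addr")
    else:
        address = None
    return AsanFinding(
        kind=kind,
        address=address,
        access=access.group("op") if access else None,
        size=int(access.group("size")) if access else None,
        source_file=summary.group("loc") if summary else None,
        line=int(summary.group("line")) if summary else None,
        function=summary.group("func") if summary else None,
    )


def bucket_findings(reports: Iterable[str]) -> Dict[str, List[AsanFinding]]:
    """Group a batch of crash reports by signature; non-ASAN text is skipped."""
    buckets: Dict[str, List[AsanFinding]] = {}
    for text in reports:
        try:
            finding = parse_asan_report(text)
        except ValueError:
            continue
        buckets.setdefault(finding.signature, []).append(finding)
    return buckets


if __name__ == "__main__":
    found = parse_asan_report(SAMPLE_REPORT)
    print(f"{found.kind}: {found.access} of {found.size} bytes at {found.address}")
    print(f"top frame: {found.function} ({found.source_file}:{found.line})")
    print(f"signature: {found.signature}  high_risk={found.high_risk}")
```

The signature deliberately excludes heap addresses and the access size, which vary from run to run under ASLR and with different inputs, so that every crash landing in `H5T_conv_struct` at `H5Tconv.c:193` with the same bug class falls into one bucket and gets reported once.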