OSGeo GDAL HDF-EOS Out-of-Bounds Read Vulnerability

Vulnerability

A vulnerability has been identified in OSGeo GDAL versions up to 3.13.0dev-4, in the HDF-EOS Grid File Handler. The flaw is in the handling of the 'DimList' metadata value in 'frmts/hdf4/hdf-eos/SWapi.c' (the HDF-EOS swath API): the string is manipulated without adequate length checks, so a malformed value drives a size_t length computation below zero and the value wraps to an enormous number. The subsequent 'memmove' then attempts to read roughly 18 exabytes (on the order of 2^64 bytes) from the source buffer, reading far out of bounds and crashing the process. Triggering the issue requires a crafted file to be processed locally; the vulnerability has been publicly disclosed.
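
The length-underflow pattern described above, as an added illustration (hypothetical code written for this page, not GDAL's SWapi.c): the metadata strings, the key 'DimList=(' and the function names are constructed for the example, and the flawed computation is only evaluated and printed, never passed to a real memmove, so the program runs without crashing. The hardened variant shows the two checks a fix needs: a mandatory terminator before any length is computed, and a copy bounded by the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample HDF-EOS-style metadata (illustrative, not taken from
 * the PoC file). META_OK carries a well-formed DimList; META_BAD is the same
 * record with the closing ')' of the DimList value missing. */
static const char META_OK[] =
    "GROUP=SwathStructure\n"
    "  OBJECT=DataField_1\n"
    "    DataFieldName=\"Temperature\"\n"
    "    DimList=(\"GeoTrack\",\"GeoXtrack\")\n"
    "  END_OBJECT=DataField_1\n";

static const char META_BAD[] =
    "GROUP=SwathStructure\n"
    "  OBJECT=DataField_1\n"
    "    DataFieldName=\"Temperature\"\n"
    "    DimList=(\"GeoTrack\",\"GeoXtrack\"\n"
    "  END_OBJECT=DataField_1\n";

static const char DIMLIST_KEY[] = "DimList=(";

/* Flawed length computation (hypothetical reconstruction of the bug class,
 * not GDAL's code): find the value start and the next ')', and take the
 * difference as the byte count to memmove. When ')' is absent, strchr()
 * returns NULL, and NULL minus a valid address wraps in size_t to roughly
 * 1.8e19 bytes, the "18 exabytes" seen in the crash. The arithmetic is done
 * on uintptr_t so the wrap is well defined for this demonstration. */
size_t dimlist_len_unchecked(const char *meta) {
    const char *start = strstr(meta, DIMLIST_KEY);
    if (start == NULL) return 0;
    start += strlen(DIMLIST_KEY);
    const char *end = strchr(start, ')');
    return (size_t)((uintptr_t)end - (uintptr_t)start);  /* wraps if end == NULL */
}

/* Hardened version: refuse a value with no terminator, and bound the copy
 * by the destination size before calling memmove(). Returns the number of
 * bytes copied, or -1 if the value is malformed or does not fit. */
int dimlist_extract_checked(const char *meta, char *out, size_t outsz) {
    const char *start = strstr(meta, DIMLIST_KEY);
    if (start == NULL || outsz == 0) return -1;
    start += strlen(DIMLIST_KEY);
    const char *end = strchr(start, ')');
    if (end == NULL) return -1;            /* missing ')': reject before any length math */
    size_t n = (size_t)(end - start);      /* end >= start is guaranteed here */
    if (n >= outsz) return -1;             /* leave room for the terminating NUL */
    memmove(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper with an internal buffer so the result can be checked
 * without the caller managing storage. */
int dimlist_checked_len(const char *meta) {
    char buf[128];
    return dimlist_extract_checked(meta, buf, sizeof buf);
}

int main(void) {
    char buf[128];
    printf("unchecked length, well-formed: %zu\n", dimlist_len_unchecked(META_OK));
    printf("unchecked length, truncated:   %zu (size_t wrapped)\n",
           dimlist_len_unchecked(META_BAD));
    int n = dimlist_extract_checked(META_OK, buf, sizeof buf);
    printf("checked extract, well-formed:  %d bytes -> %s\n", n, buf);
    printf("checked extract, truncated:    %d (rejected)\n",
           dimlist_extract_checked(META_BAD, buf, sizeof buf));
    return 0;
}
```

Had the wrapped value been handed to memmove, an AddressSanitizer build would have reported the out-of-bounds read at once; here it is only printed, which is enough to see why a missing delimiter check turns into a multi-exabyte copy.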

Impact

The out-of-bounds 'memmove' read is reported by AddressSanitizer as a heap-buffer overflow and crashes the application, a denial of service for any process that opens an attacker-supplied HDF-EOS file.

Reproduction

The issue can be reproduced with the 'gdalmdiminfo' command-line tool and a crafted HDF-EOS swath file whose 'DimList' metadata triggers the underflow; the proof-of-concept file is named 'poc_swfinfo_dimlist_oob-read.he4'. Running 'gdalmdiminfo' on this file in an AddressSanitizer-instrumented build produces an ASan report of an 'unknown-crash' error on the out-of-bounds read, confirming the bug.

Remediation

Users can upgrade to OSGeo GDAL version 3.13.0RC1 to address this vulnerability.

Added: May 7, 2026, 7:24 PM
Updated: May 7, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.