diff mbox series

[oe,meta-oe,scarthgap,v3,08/11] hdf5: fix CVE-2025-2308

Message ID 20260417083032.3462824-1-libo.chen.cn@windriver.com
State Not Applicable, archived
Delegated to: Yoann Congal
Headers show
Series None | expand

Commit Message

Chen, Libo (CN) April 17, 2026, 8:30 a.m. UTC 
From: Libo Chen <libo.chen.cn@windriver.com>

According to [1], A vulnerability, which was classified as critical, was
found in HDF5 1.14.6. This affects the function
H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter.
The manipulation leads to heap-based buffer overflow. An attack has to be
approached locally. The exploit has been disclosed to the public and may be
used. The vendor plans to fix this issue in an upcoming release.

Backport patch [2] from upstream to fix CVE-2025-2308

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2308
[2] https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
---
 .../hdf5/files/CVE-2025-2308.patch            | 333 ++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb |   1 +
 2 files changed, 334 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch

Comments

patchtest@automation.yoctoproject.org April 17, 2026, 8:45 a.m. UTC | #1 
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/oe-meta-oe-scarthgap-v3-08-11-hdf5-fix-CVE-2025-2308.patch

FAIL: test target mailing list: Series sent to the wrong mailing list or some patches from the series correspond to different mailing lists (test_mbox.TestMbox.test_target_mailing_list)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch
new file mode 100644
index 0000000000..336a0d2697
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2308.patch
@@ -0,0 +1,333 @@ 
+From cbce4c2ecf6f5557605890eec125ecfaa4371131 Mon Sep 17 00:00:00 2001
+From: Libo Chen <libo.chen.cn@windriver.com>
+Date: Fri, 30 Jan 2026 16:43:04 +0800
+Subject: [PATCH] Fix CVE-2025-2308 (#5960)
+
+A malformed file can cause the scale-offset filter to have too little input data causing a heap buffer overflow. Additional checks on the maximum buffer length are required during the decompression.
+
+This PR fixes CVE-2025-2308.
+
+CVE: CVE-2025-2308
+
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/2ce7fdc4cf147d280aa6d49686297faacc250e40]
+
+Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
+---
+ src/H5Zscaleoffset.c      |  177 ++--
+ src/H5Zscaleoffset.c.orig | 1781 +++++++++++++++++++++++++++++++++++++
+ 1 files changed, 105 insertions(+), 72 deletions(-)
+ create mode 100644 src/H5Zscaleoffset.c.orig
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index fbf12d6..8355b13 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -69,21 +69,22 @@ static herr_t H5Z__scaleoffset_precompress_fd(void *data, unsigned d_nelmts, enu
+ static herr_t H5Z__scaleoffset_postdecompress_fd(void *data, unsigned d_nelmts, enum H5Z_scaleoffset_t type,
+                                                  unsigned filavail, const unsigned cd_values[],
+                                                  uint32_t minbits, unsigned long long minval, double D_val);
+-static void   H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len);
+-static void   H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k,
+-                                                   unsigned begin_i, const unsigned char *buffer, size_t *j,
+-                                                   unsigned *buf_len, parms_atomic p, unsigned dtype_len);
++static void   H5Z__scaleoffset_next_byte(size_t *j, unsigned *bits_to_fill);
++static herr_t H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k,
++                                                   unsigned begin_i, const unsigned char *buffer,
++                                                   size_t buf_size, size_t *j, unsigned *bits_to_fill,
++                                                   parms_atomic p, unsigned dtype_len);
+ static void   H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, unsigned k,
+                                                  unsigned begin_i, unsigned char *buffer, size_t *j,
+-                                                 unsigned *buf_len, parms_atomic p, unsigned dtype_len);
+-static void   H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset,
+-                                                     unsigned char *buffer, size_t *j, unsigned *buf_len,
+-                                                     parms_atomic p);
++                                                 unsigned *bits_to_fill, parms_atomic p, unsigned dtype_len);
++static herr_t H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset,
++                                                     unsigned char *buffer, size_t buf_size, size_t *j,
++                                                     unsigned *bits_to_fill, parms_atomic p);
+ static void   H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset,
+-                                                   unsigned char *buffer, size_t *j, unsigned *buf_len,
++                                                   unsigned char *buffer, size_t *j, unsigned *bits_to_fill,
+                                                    parms_atomic p);
+-static void   H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+-                                          parms_atomic p);
++static herr_t H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
++                                          size_t buf_size, parms_atomic p);
+ static void   H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer,
+                                         size_t buffer_size, parms_atomic p);
+ 
+@@ -1261,8 +1262,11 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+         }
+ 
+         /* decompress the buffer if minbits not equal to zero */
+-        if (minbits != 0)
+-            H5Z__scaleoffset_decompress(outbuf, d_nelmts, (unsigned char *)(*buf) + buf_offset, p);
++        if (minbits != 0) {
++            if (H5Z__scaleoffset_decompress(outbuf, d_nelmts, (unsigned char *)(*buf) + buf_offset,
++                                            *buf_size - buf_offset, p))
++                HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Scaleoffset decompression failed");
++        }
+         else {
+             /* fill value is not defined and all data elements have the same value */
+             for (i = 0; i < size_out; i++)
+@@ -1603,55 +1607,69 @@ done:
+ }
+ 
+ static void
+-H5Z__scaleoffset_next_byte(size_t *j, unsigned *buf_len)
++H5Z__scaleoffset_next_byte(size_t *j, unsigned *bits_to_fill)
+ {
+     ++(*j);
+-    *buf_len = 8 * sizeof(unsigned char);
++    *bits_to_fill = 8 * sizeof(unsigned char);
+ }
+ 
+-static void
++static herr_t
+ H5Z__scaleoffset_decompress_one_byte(unsigned char *data, size_t data_offset, unsigned k, unsigned begin_i,
+-                                     const unsigned char *buffer, size_t *j, unsigned *buf_len,
+-                                     parms_atomic p, unsigned dtype_len)
++                                     const unsigned char *buffer, size_t buf_size, size_t *j,
++                                     unsigned *bits_to_fill, parms_atomic p, unsigned dtype_len)
+ {
+-    unsigned      dat_len; /* dat_len is the number of bits to be copied in each data byte */
+-    unsigned char val;     /* value to be copied in each data byte */
++    unsigned      bits_to_copy;        /* bits_to_copy is the number of bits to be copied in each data byte */
++    unsigned char val;                 /* value to be copied in each data byte */
++    herr_t        ret_value = SUCCEED; /* Return value */
++
++    FUNC_ENTER_PACKAGE
++
++    if (*j >= buf_size)
++        HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Buffer too short");
+ 
+     /* initialize value and bits of unsigned char to be copied */
+     val = buffer[*j];
+     if (k == begin_i)
+-        dat_len = 8 - (dtype_len - p.minbits) % 8;
++        bits_to_copy = 8 - (dtype_len - p.minbits) % 8;
+     else
+-        dat_len = 8;
++        bits_to_copy = 8;
+ 
+-    if (*buf_len > dat_len) {
+-        data[data_offset + k] =
+-            (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & (unsigned)(~((unsigned)~0 << dat_len)));
+-        *buf_len -= dat_len;
++    if (*bits_to_fill > bits_to_copy) {
++        data[data_offset + k] = (unsigned char)((unsigned)(val >> (*bits_to_fill - bits_to_copy)) &
++                                                (unsigned)(~((unsigned)~0 << bits_to_copy)));
++        *bits_to_fill -= bits_to_copy;
+     } /* end if */
+     else {
+         data[data_offset + k] =
+-            (unsigned char)((val & ~((unsigned)(~0) << *buf_len)) << (dat_len - *buf_len));
+-        dat_len -= *buf_len;
+-        H5Z__scaleoffset_next_byte(j, buf_len);
+-        if (dat_len == 0)
+-            return;
++            (unsigned char)((val & ~((unsigned)(~0) << *bits_to_fill)) << (bits_to_copy - *bits_to_fill));
++        bits_to_copy -= *bits_to_fill;
++        H5Z__scaleoffset_next_byte(j, bits_to_fill);
++        if (bits_to_copy == 0)
++            goto done;
++        else if (*j >= buf_size)
++            HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Buffer too short");
+ 
+         val = buffer[*j];
+-        data[data_offset + k] |=
+-            (unsigned char)((unsigned)(val >> (*buf_len - dat_len)) & ~((unsigned)(~0) << dat_len));
+-        *buf_len -= dat_len;
++        data[data_offset + k] |= (unsigned char)((unsigned)(val >> (*bits_to_fill - bits_to_copy)) &
++                                                 ~((unsigned)(~0) << bits_to_copy));
++        *bits_to_fill -= bits_to_copy;
+     } /* end else */
++
++done:
++    FUNC_LEAVE_NOAPI(ret_value)
+ }
+ 
+-static void
++static herr_t
+ H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer,
+-                                       size_t *j, unsigned *buf_len, parms_atomic p)
++                                       size_t buf_size, size_t *j, unsigned *bits_to_fill, parms_atomic p)
+ {
+     /* begin_i: the index of byte having first significant bit */
+     unsigned begin_i;
+     unsigned dtype_len;
+     int      k;
++    herr_t   ret_value = SUCCEED; /* Return value */
++
++    FUNC_ENTER_PACKAGE
+ 
+     assert(p.minbits > 0);
+ 
+@@ -1661,8 +1679,9 @@ H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset,
+         begin_i = p.size - 1 - (dtype_len - p.minbits) / 8;
+ 
+         for (k = (int)begin_i; k >= 0; k--)
+-            H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len,
+-                                                 p, dtype_len);
++            if (H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer,
++                                                     buf_size, j, bits_to_fill, p, dtype_len))
++                HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Atomic decompression failed");
+     }
+     else { /* big endian */
+         assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE);
+@@ -1670,67 +1689,81 @@ H5Z__scaleoffset_decompress_one_atomic(unsigned char *data, size_t data_offset,
+         begin_i = (dtype_len - p.minbits) / 8;
+ 
+         for (k = (int)begin_i; k <= (int)(p.size - 1); k++)
+-            H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len,
+-                                                 p, dtype_len);
++            if (H5Z__scaleoffset_decompress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer,
++                                                     buf_size, j, bits_to_fill, p, dtype_len))
++                HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Atomic decompression failed");
+     }
++
++done:
++    FUNC_LEAVE_NOAPI(ret_value)
+ }
+ 
+-static void
+-H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, parms_atomic p)
++static herr_t
++H5Z__scaleoffset_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, size_t buf_size,
++                            parms_atomic p)
+ {
+     /* i: index of data, j: index of buffer,
+-       buf_len: number of bits to be filled in current byte */
++       bits_to_fill: number of bits to be filled in current byte */
+     size_t   i, j;
+-    unsigned buf_len;
++    unsigned bits_to_fill;
++    herr_t   ret_value = SUCCEED; /* Return value */
++
++    FUNC_ENTER_PACKAGE
+ 
+     /* must initialize to zeros */
+     for (i = 0; i < d_nelmts * (size_t)p.size; i++)
+         data[i] = 0;
+ 
+     /* initialization before the loop */
+-    j       = 0;
+-    buf_len = sizeof(unsigned char) * 8;
++    j            = 0;
++    bits_to_fill = sizeof(unsigned char) * 8;
+ 
+     /* decompress */
+     for (i = 0; i < d_nelmts; i++)
+-        H5Z__scaleoffset_decompress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p);
++        if (H5Z__scaleoffset_decompress_one_atomic(data, i * p.size, buffer, buf_size, &j, &bits_to_fill, p))
++            HGOTO_ERROR(H5E_PLINE, H5E_BADVALUE, 0, "Scaleoffset decompression failed");
++
++done:
++    FUNC_LEAVE_NOAPI(ret_value)
+ }
+ 
+ static void
+ H5Z__scaleoffset_compress_one_byte(const unsigned char *data, size_t data_offset, unsigned k,
+-                                   unsigned begin_i, unsigned char *buffer, size_t *j, unsigned *buf_len,
++                                   unsigned begin_i, unsigned char *buffer, size_t *j, unsigned *bits_to_fill,
+                                    parms_atomic p, unsigned dtype_len)
+ {
+-    unsigned      dat_len; /* dat_len is the number of bits to be copied in each data byte */
+-    unsigned char val;     /* value to be copied in each data byte */
++    unsigned      bits_to_copy; /* bits_to_copy is the number of bits to be copied in each data byte */
++    unsigned char val;          /* value to be copied in each data byte */
+ 
+     /* initialize value and bits of unsigned char to be copied */
+     val = data[data_offset + k];
+     if (k == begin_i)
+-        dat_len = 8 - (dtype_len - p.minbits) % 8;
++        bits_to_copy = 8 - (dtype_len - p.minbits) % 8;
+     else
+-        dat_len = 8;
++        bits_to_copy = 8;
+ 
+-    if (*buf_len > dat_len) {
+-        buffer[*j] |= (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len));
+-        *buf_len -= dat_len;
++    if (*bits_to_fill > bits_to_copy) {
++        buffer[*j] |=
++            (unsigned char)((val & ~((unsigned)(~0) << bits_to_copy)) << (*bits_to_fill - bits_to_copy));
++        *bits_to_fill -= bits_to_copy;
+     }
+     else {
+-        buffer[*j] |=
+-            (unsigned char)((unsigned)(val >> (dat_len - *buf_len)) & ~((unsigned)(~0) << *buf_len));
+-        dat_len -= *buf_len;
+-        H5Z__scaleoffset_next_byte(j, buf_len);
+-        if (dat_len == 0)
++        buffer[*j] |= (unsigned char)((unsigned)(val >> (bits_to_copy - *bits_to_fill)) &
++                                      ~((unsigned)(~0) << *bits_to_fill));
++        bits_to_copy -= *bits_to_fill;
++        H5Z__scaleoffset_next_byte(j, bits_to_fill);
++        if (bits_to_copy == 0)
+             return;
+ 
+-        buffer[*j] = (unsigned char)((val & ~((unsigned)(~0) << dat_len)) << (*buf_len - dat_len));
+-        *buf_len -= dat_len;
++        buffer[*j] =
++            (unsigned char)((val & ~((unsigned)(~0) << bits_to_copy)) << (*bits_to_fill - bits_to_copy));
++        *bits_to_fill -= bits_to_copy;
+     } /* end else */
+ }
+ 
+ static void
+ H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer,
+-                                     size_t *j, unsigned *buf_len, parms_atomic p)
++                                     size_t *j, unsigned *bits_to_fill, parms_atomic p)
+ {
+     /* begin_i: the index of byte having first significant bit */
+     unsigned begin_i;
+@@ -1745,16 +1778,16 @@ H5Z__scaleoffset_compress_one_atomic(unsigned char *data, size_t data_offset, un
+         begin_i = p.size - 1 - (dtype_len - p.minbits) / 8;
+ 
+         for (k = (int)begin_i; k >= 0; k--)
+-            H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, p,
+-                                               dtype_len);
++            H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j,
++                                               bits_to_fill, p, dtype_len);
+     }
+     else { /* big endian */
+         assert(p.mem_order == H5Z_SCALEOFFSET_ORDER_BE);
+         begin_i = (dtype_len - p.minbits) / 8;
+ 
+         for (k = (int)begin_i; k <= (int)(p.size - 1); k++)
+-            H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j, buf_len, p,
+-                                               dtype_len);
++            H5Z__scaleoffset_compress_one_byte(data, data_offset, (unsigned)k, begin_i, buffer, j,
++                                               bits_to_fill, p, dtype_len);
+     }
+ }
+ 
+@@ -1763,19 +1796,19 @@ H5Z__scaleoffset_compress(unsigned char *data, unsigned d_nelmts, unsigned char
+                           parms_atomic p)
+ {
+     /* i: index of data, j: index of buffer,
+-       buf_len: number of bits to be filled in current byte */
++       bits_to_fill: number of bits to be filled in current byte */
+     size_t   i, j;
+-    unsigned buf_len;
++    unsigned bits_to_fill;
+ 
+     /* must initialize buffer to be zeros */
+     for (j = 0; j < buffer_size; j++)
+         buffer[j] = 0;
+ 
+     /* initialization before the loop */
+-    j       = 0;
+-    buf_len = sizeof(unsigned char) * 8;
++    j            = 0;
++    bits_to_fill = sizeof(unsigned char) * 8;
+ 
+     /* compress */
+     for (i = 0; i < d_nelmts; i++)
+-        H5Z__scaleoffset_compress_one_atomic(data, i * p.size, buffer, &j, &buf_len, p);
++        H5Z__scaleoffset_compress_one_atomic(data, i * p.size, buffer, &j, &bits_to_fill, p);
+ }
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index ca1e8d7076..b31a8d8cfa 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -28,6 +28,7 @@  SRC_URI = " \
     file://CVE-2025-2310.patch \
     file://CVE-2025-44905.patch \
     file://CVE-2025-2309.patch \
+    file://CVE-2025-2308.patch \
 "
 SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"