new file mode 100644
@@ -0,0 +1,53 @@
+From 57a511958842f50cbf07b05262f2fe95e70c141b Mon Sep 17 00:00:00 2001
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
+Date: Thu, 9 Oct 2025 14:48:55 -0500
+Subject: [PATCH] CVE-2025-2925
+
+This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image.
+
+The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs.
+
+CVE: CVE-2025-2925
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc]
+
+(cherry picked from commit 4310c19608455c17a213383d07715efb2918defc)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/H5Centry.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/H5Centry.c b/src/H5Centry.c
+index 6883e89..bef93d8 100644
+--- a/src/H5Centry.c
++++ b/src/H5Centry.c
+@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f,
+ */
+ do {
+ if (actual_len != len) {
++ /* Verify that the length isn't a bad value */
++ if (len == 0)
++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");
++
+ if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
+ HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+ image = (uint8_t *)new_image;
++
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+ H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif /* H5C_DO_MEMORY_SANITY_CHECKS */
+@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f,
+ if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
+ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");
+
++ /* Verify that the length isn't 0 */
++ if (actual_len == 0)
++ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
++
+ /* Expand buffer to new size */
+ if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
+ HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+ image = (uint8_t *)new_image;
++
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+ H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif /* H5C_DO_MEMORY_SANITY_CHECKS */
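Review bot: Both added guards test the length alone (`len == 0` at the first realloc, `actual_len == 0` at the second), while the size handed to H5MM_realloc() is the length plus H5C_IMAGE_EXTRA_SPACE, and the description names that sum being 0 as the trigger for the double free. If H5C_IMAGE_EXTRA_SPACE is non-zero in a given build, a length close to SIZE_MAX would wrap the sum to 0 and still pass the check. The second site is probably bounded by the H5C__verify_len_eoa() call just above it, but nothing visible in the first hunk bounds `len`. A guard such as `if (len == 0 || len > SIZE_MAX - H5C_IMAGE_EXTRA_SPACE)` at both sites would cover the wrapped case too; since this is a backport, that is better raised upstream than changed here. H5C__load_entry starts and ends outside both hunks, so the cleanup at `done` that performs the second free cannot be checked from this patch.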
@@ -17,6 +17,7 @@ SRC_URI = " \
file://0001-cmake-remove-build-flags.patch \
file://0001-CVE-2025-2923.patch \
file://0002-CVE-2025-2924.patch \
+ file://0003-CVE-2025-2925.patch \
"
SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"