diff mbox series

[meta-oe,scarthgap,3/7] hdf5: patch CVE-2025-2915

Message ID 20251028113247.1761834-4-ankur.tyagi85@gmail.com
State New
Headers show
Series hdf5 CVE fixes | expand

Commit Message

Ankur Tyagi Oct. 28, 2025, 11:32 a.m. UTC 
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../hdf5/files/CVE-2025-2915.patch            | 50 +++++++++++++++++++
 meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch
new file mode 100644
index 0000000000..83eb8ff504
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch
@@ -0,0 +1,50 @@ 
+From 2bab8a1ffae567d35effa777dda82d423a80bccd Mon Sep 17 00:00:00 2001
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
+Date: Mon, 20 Oct 2025 07:47:28 -0500
+Subject: [PATCH] Fix CVE-2025-2915 (#5746)
+
+This PR fixes issue #5380, which has a heap based buffer overflow after H5MF_xfree is called on an address of 0 (file superblock). This PR changes an assert making sure addr isn't 0 to an if check.
+
+The bug was first reproduced using the fuzzer and the POC file from #5380. With this change, the heap based buffer overflow no longer occurs.
+
+CVE: CVE-2025-2915
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/26a76bafdef3a0950d348a08667de161a19b7c2c]
+(cherry picked from commit 26a76bafdef3a0950d348a08667de161a19b7c2c)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/H5Faccum.c       | 3 +++
+ src/H5Ocache_image.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/H5Faccum.c b/src/H5Faccum.c
+index 9c4c8cdbbd..145abd1cbd 100644
+--- a/src/H5Faccum.c
++++ b/src/H5Faccum.c
+@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
+ 
+                 /* Calculate the size of the overlap with the accumulator, etc. */
+                 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
++                /* Sanity check */
++                /* Overlap size should not result in "negative" value after subtraction */
++                assert(overlap_size < accum->size);
+                 new_accum_size = accum->size - overlap_size;
+ 
+                 /* Move the accumulator buffer information to eliminate the freed block */
+diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
+index d91b46341c..c0ab004ec7 100644
+--- a/src/H5Ocache_image.c
++++ b/src/H5Ocache_image.c
+@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     H5F_DECODE_LENGTH(f, p, mesg->size);
+ 
++    if (mesg->addr >= (HADDR_UNDEF - mesg->size))
++        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
++    if (mesg->addr == HADDR_UNDEF)
++        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
++    if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER))
++        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
++
+     /* Set return value */
+     ret_value = (void *)mesg;
+ 
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 875510b0e2..59506526fb 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -17,6 +17,7 @@  SRC_URI = " \
     file://0001-cmake-remove-build-flags.patch \
     file://CVE-2025-2913.patch \
     file://CVE-2025-2914.patch \
+    file://CVE-2025-2915.patch \
 "
 SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"