mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
hdf5: patch CVE-2025-2923, CVE-2025-6816, CVE-2025-6856
Single PR[1] addressed all three vulnerabilities Details: https://nvd.nist.gov/vuln/detail/CVE-2025-2923 https://nvd.nist.gov/vuln/detail/CVE-2025-6816 https://nvd.nist.gov/vuln/detail/CVE-2025-6856 [1] https://github.com/HDFGroup/hdf5/pull/5829 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
@@ -0,0 +1,65 @@
|
|||||||
|
From 951ebdce0098dac1042d5e9650e655c6c1f92904 Mon Sep 17 00:00:00 2001
|
||||||
|
From: jhendersonHDF <jhenderson@hdfgroup.org>
|
||||||
|
Date: Fri, 26 Sep 2025 13:13:10 -0500
|
||||||
|
Subject: [PATCH] Fix issue with handling of corrupted object header continuation messages (#5829)
|
||||||
|
|
||||||
|
An HDF5 file could be specifically constructed such that an object
|
||||||
|
header contained a corrupted continuation message which pointed
|
||||||
|
back to itself. This eventually resulted in an internal buffer being
|
||||||
|
allocated with too small of a size, leading to a heap buffer overflow
|
||||||
|
when encoding an object header message into it. This has been fixed
|
||||||
|
by checking the expected number of deserialized object header chunks
|
||||||
|
against the actual value as chunks are being deserialized.
|
||||||
|
|
||||||
|
Fixes CVE-2025-6816, CVE-2025-6856, CVE-2025-2923
|
||||||
|
|
||||||
|
CVE: CVE-2025-2923, CVE-2025-6816, CVE-2025-6856
|
||||||
|
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/29c847a43db0cdc85b01cafa5a7613ea73932675]
|
||||||
|
|
||||||
|
(cherry picked from commit 29c847a43db0cdc85b01cafa5a7613ea73932675)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/H5Oint.c | 17 +++++++++++------
|
||||||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/H5Oint.c b/src/H5Oint.c
|
||||||
|
index 022ee43..a5e0072 100644
|
||||||
|
--- a/src/H5Oint.c
|
||||||
|
+++ b/src/H5Oint.c
|
||||||
|
@@ -1013,10 +1013,9 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks)
|
||||||
|
*/
|
||||||
|
curr_msg = 0;
|
||||||
|
while (curr_msg < cont_msg_info.nmsgs) {
|
||||||
|
- H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */
|
||||||
|
-#ifndef NDEBUG
|
||||||
|
- size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */
|
||||||
|
-#endif /* NDEBUG */
|
||||||
|
+ H5O_chunk_proxy_t *chk_proxy; /* Proxy for chunk, to bring it into memory */
|
||||||
|
+ unsigned chunkno; /* Chunk number for chunk proxy */
|
||||||
|
+ size_t chkcnt = oh->nchunks; /* Count of chunks (for sanity checking) */
|
||||||
|
|
||||||
|
/* Bring the chunk into the cache */
|
||||||
|
/* (which adds to the object header) */
|
||||||
|
@@ -1029,14 +1028,20 @@ H5O_protect(const H5O_loc_t *loc, unsigned prot_flags, bool pin_all_chunks)
|
||||||
|
|
||||||
|
/* Sanity check */
|
||||||
|
assert(chk_proxy->oh == oh);
|
||||||
|
- assert(chk_proxy->chunkno == chkcnt);
|
||||||
|
- assert(oh->nchunks == (chkcnt + 1));
|
||||||
|
+
|
||||||
|
+ chunkno = chk_proxy->chunkno;
|
||||||
|
|
||||||
|
/* Release the chunk from the cache */
|
||||||
|
if (H5AC_unprotect(loc->file, H5AC_OHDR_CHK, cont_msg_info.msgs[curr_msg].addr, chk_proxy,
|
||||||
|
H5AC__NO_FLAGS_SET) < 0)
|
||||||
|
HGOTO_ERROR(H5E_OHDR, H5E_CANTUNPROTECT, NULL, "unable to release object header chunk");
|
||||||
|
|
||||||
|
+ if (chunkno != chkcnt)
|
||||||
|
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "incorrect chunk number for object header chunk");
|
||||||
|
+ if (oh->nchunks != (chkcnt + 1))
|
||||||
|
+ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL,
|
||||||
|
+ "incorrect number of chunks after deserializing object header chunk");
|
||||||
|
+
|
||||||
|
/* Advance to next continuation message */
|
||||||
|
curr_msg++;
|
||||||
|
} /* end while */
|
||||||
@@ -18,6 +18,7 @@ SRC_URI = " \
|
|||||||
file://CVE-2025-2913.patch \
|
file://CVE-2025-2913.patch \
|
||||||
file://CVE-2025-2914.patch \
|
file://CVE-2025-2914.patch \
|
||||||
file://CVE-2025-2915.patch \
|
file://CVE-2025-2915.patch \
|
||||||
|
file://CVE-2025-2923-CVE-2025-6816-CVE-2025-6856.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
|
SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user