hdf5: patch CVE-2025-2915

Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2026-06-13 17:39:57 +00:00 · 2025-10-29 00:32:43 +13:00
parent 7d1b63f0af
commit bd847d489a
2 changed files with 51 additions and 0 deletions
@@ -0,0 +1,50 @@
+From 2bab8a1ffae567d35effa777dda82d423a80bccd Mon Sep 17 00:00:00 2001
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
+Date: Mon, 20 Oct 2025 07:47:28 -0500
+Subject: [PATCH] Fix CVE-2025-2915 (#5746)
+
+This PR fixes issue #5380, which has a heap based buffer overflow after H5MF_xfree is called on an address of 0 (file superblock). This PR changes an assert making sure addr isn't 0 to an if check.
+
+The bug was first reproduced using the fuzzer and the POC file from #5380. With this change, the heap based buffer overflow no longer occurs.
+
+CVE: CVE-2025-2915
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/26a76bafdef3a0950d348a08667de161a19b7c2c]
+(cherry picked from commit 26a76bafdef3a0950d348a08667de161a19b7c2c)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/H5Faccum.c       | 3 +++
+ src/H5Ocache_image.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/H5Faccum.c b/src/H5Faccum.c
+index 9c4c8cdbbd..145abd1cbd 100644
+--- a/src/H5Faccum.c
+++ b/src/H5Faccum.c
+@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
+ 
+                 /* Calculate the size of the overlap with the accumulator, etc. */
+                 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
+                /* Sanity check */
+                /* Overlap size should not result in "negative" value after subtraction */
+                assert(overlap_size < accum->size);
+                 new_accum_size = accum->size - overlap_size;
+ 
+                 /* Move the accumulator buffer information to eliminate the freed block */
+diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
+index d91b46341c..c0ab004ec7 100644
+--- a/src/H5Ocache_image.c
+++ b/src/H5Ocache_image.c
+@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
+         HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+     H5F_DECODE_LENGTH(f, p, mesg->size);
+ 
+    if (mesg->addr >= (HADDR_UNDEF - mesg->size))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
+    if (mesg->addr == HADDR_UNDEF)
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
+    if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER))
+        HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
+
+     /* Set return value */
+     ret_value = (void *)mesg;
+ 
@@ -17,6 +17,7 @@ SRC_URI = " \
    file://0001-cmake-remove-build-flags.patch \
    file://CVE-2025-2913.patch \
    file://CVE-2025-2914.patch \
+    file://CVE-2025-2915.patch \
 "
 SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"