From bd847d489a4ca3538b2315b061f0f591df0e8ec9 Mon Sep 17 00:00:00 2001 From: Ankur Tyagi Date: Wed, 29 Oct 2025 00:32:43 +1300 Subject: [PATCH] hdf5: patch CVE-2025-2915 Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915 Signed-off-by: Ankur Tyagi Signed-off-by: Anuj Mittal --- .../hdf5/files/CVE-2025-2915.patch | 50 +++++++++++++++++++ meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch diff --git a/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch new file mode 100644 index 0000000000..83eb8ff504 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/CVE-2025-2915.patch @@ -0,0 +1,50 @@ +From 2bab8a1ffae567d35effa777dda82d423a80bccd Mon Sep 17 00:00:00 2001 +From: Glenn Song <43005495+glennsong09@users.noreply.github.com> +Date: Mon, 20 Oct 2025 07:47:28 -0500 +Subject: [PATCH] Fix CVE-2025-2915 (#5746) + +This PR fixes issue #5380, which has a heap based buffer overflow after H5MF_xfree is called on an address of 0 (file superblock). This PR changes an assert making sure addr isn't 0 to an if check. + +The bug was first reproduced using the fuzzer and the POC file from #5380. With this change, the heap based buffer overflow no longer occurs. + +CVE: CVE-2025-2915 +Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/26a76bafdef3a0950d348a08667de161a19b7c2c] +(cherry picked from commit 26a76bafdef3a0950d348a08667de161a19b7c2c) +Signed-off-by: Ankur Tyagi +--- + src/H5Faccum.c | 3 +++ + src/H5Ocache_image.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/H5Faccum.c b/src/H5Faccum.c +index 9c4c8cdbbd..145abd1cbd 100644 +--- a/src/H5Faccum.c ++++ b/src/H5Faccum.c +@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr + + /* Calculate the size of the overlap with the accumulator, etc. */ + H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t); ++ /* Sanity check */ ++ /* Overlap size should not result in "negative" value after subtraction */ ++ assert(overlap_size < accum->size); + new_accum_size = accum->size - overlap_size; + + /* Move the accumulator buffer information to eliminate the freed block */ +diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c +index d91b46341c..c0ab004ec7 100644 +--- a/src/H5Ocache_image.c ++++ b/src/H5Ocache_image.c +@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE + HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding"); + H5F_DECODE_LENGTH(f, p, mesg->size); + ++ if (mesg->addr >= (HADDR_UNDEF - mesg->size)) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows"); ++ if (mesg->addr == HADDR_UNDEF) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined"); ++ if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER)) ++ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa"); ++ + /* Set return value */ + ret_value = (void *)mesg; + diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb index 875510b0e2..59506526fb 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb @@ -17,6 +17,7 @@ SRC_URI = " \ file://0001-cmake-remove-build-flags.patch \ file://CVE-2025-2913.patch \ file://CVE-2025-2914.patch \ + file://CVE-2025-2915.patch \ " SRC_URI[sha256sum] = "019ac451d9e1cf89c0482ba2a06f07a46166caf23f60fea5ef3c37724a318e03"