mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
bd847d489a
Details https://nvd.nist.gov/vuln/detail/CVE-2025-2915 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
51 lines
2.5 KiB
Diff
51 lines
2.5 KiB
Diff
From 2bab8a1ffae567d35effa777dda82d423a80bccd Mon Sep 17 00:00:00 2001
|
|
From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
|
|
Date: Mon, 20 Oct 2025 07:47:28 -0500
|
|
Subject: [PATCH] Fix CVE-2025-2915 (#5746)
|
|
|
|
This PR fixes issue #5380, which has a heap based buffer overflow after H5MF_xfree is called on an address of 0 (file superblock). This PR changes an assert making sure addr isn't 0 to an if check.
|
|
|
|
The bug was first reproduced using the fuzzer and the POC file from #5380. With this change, the heap based buffer overflow no longer occurs.
|
|
|
|
CVE: CVE-2025-2915
|
|
Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/26a76bafdef3a0950d348a08667de161a19b7c2c]
|
|
(cherry picked from commit 26a76bafdef3a0950d348a08667de161a19b7c2c)
|
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
|
---
|
|
src/H5Faccum.c | 3 +++
|
|
src/H5Ocache_image.c | 7 +++++++
|
|
2 files changed, 10 insertions(+)
|
|
|
|
diff --git a/src/H5Faccum.c b/src/H5Faccum.c
|
|
index 9c4c8cdbbd..145abd1cbd 100644
|
|
--- a/src/H5Faccum.c
|
|
+++ b/src/H5Faccum.c
|
|
@@ -879,6 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
|
|
|
|
/* Calculate the size of the overlap with the accumulator, etc. */
|
|
H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
|
|
+ /* Sanity check */
|
|
+ /* Overlap size should not result in "negative" value after subtraction */
|
|
+ assert(overlap_size < accum->size);
|
|
new_accum_size = accum->size - overlap_size;
|
|
|
|
/* Move the accumulator buffer information to eliminate the freed block */
|
|
diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
|
|
index d91b46341c..c0ab004ec7 100644
|
|
--- a/src/H5Ocache_image.c
|
|
+++ b/src/H5Ocache_image.c
|
|
@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
|
|
HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
|
|
H5F_DECODE_LENGTH(f, p, mesg->size);
|
|
|
|
+ if (mesg->addr >= (HADDR_UNDEF - mesg->size))
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
|
|
+ if (mesg->addr == HADDR_UNDEF)
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
|
|
+ if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER))
|
|
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
|
|
+
|
|
/* Set return value */
|
|
ret_value = (void *)mesg;
|
|
|