5 changes: 5 additions & 0 deletions release_docs/CHANGELOG.md
Expand Up @@ -495,6 +495,11 @@ Simple example programs showing how to use complex number datatypes have been ad

## Library

### Fixed security issue CCVE-2025-2925
H5C__load_entry() now checks for an image buffer length of 0 before calling realloc. A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to be 0 due to bad inputs. When realloc was called, it freed image, but got sent to done before new_image could be assigned to image. Because the pointer for image wasn't null, it is freed again in done, causing a double free bug.

Fixes issue Github issue #5383

### Fixed security issue CVE-2025-6857

An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks.
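Review bot: the new heading reads `CCVE-2025-2925`; drop the stray leading `C` so the identifier is `CVE-2025-2925`, matching the `CVE-2025-6857` heading just below it. The closing line "Fixes issue Github issue #5383" doubles the word "issue"; "Fixes GitHub issue #5383" would do. For consistency with the CVE-2025-6857 entry, put a blank line between the heading and its paragraph, and the paragraph would read more clearly if it named the quantity that reaches realloc (the requested size `actual_len + H5C_IMAGE_EXTRA_SPACE`) before describing the free-then-goto-`done` sequence that produces the double free.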
10 changes: 10 additions & 0 deletions release_docs/release_archive.txt
Collaborator
Need to remove the changes to this file

Expand Up @@ -700,6 +700,16 @@ New Features
library behavior, and the connector ID and information could not be read back
from that plist later.

- H5C__load_entry() now checks for an image buffer length of 0 before
calling realloc

A bug was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being able to
be 0 due to bad inputs. When realloc was called, it freed image, but got sent
to done before new_image could be assigned to image. Because the pointer for
image wasn't null, it is freed again in done, causing a double free bug.

Fixes issue Github issue #5383

Parallel Library:
-----------------
-
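Review bot: this block repeats the CHANGELOG.md entry word for word inside release_archive.txt, which is the record of past releases rather than the current one; as the comment above asks, the change to this file should be dropped and the entry kept only in release_docs/CHANGELOG.md. Should it stay for some reason, the doubled wording "Fixes issue Github issue #5383" needs the same fix here.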
10 changes: 10 additions & 0 deletions src/H5Centry.c
Expand Up @@ -1052,9 +1052,14 @@ H5C__load_entry(H5F_t *f,
*/
do {
if (actual_len != len) {
/* Verify that the length isn't a bad value */
if (len == 0)
Collaborator
@jhendersonHDF Does len need to be traced back to where it was obtained and caught there?

Collaborator
That could be useful to do in addition to these checks, though catching it at this level will probably cover a wider range of issues.

Collaborator
Both would be good

HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");

if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
image = (uint8_t *)new_image;

#if H5C_DO_MEMORY_SANITY_CHECKS
H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
#endif /* H5C_DO_MEMORY_SANITY_CHECKS */
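Review bot: the new `if (len == 0)` guard rejects only a zero `len`, while the CHANGELOG text describes the failing quantity as the sum `len + H5C_IMAGE_EXTRA_SPACE` that is handed to `H5MM_realloc`; with a `len` near `SIZE_MAX` that sum wraps, so the realloc can still be asked for 0 (reproducing the free-then-goto-`done` double free) or for a size smaller than `len`. Consider guarding the sum as well, e.g. `if (len == 0 || len > SIZE_MAX - H5C_IMAGE_EXTRA_SPACE)`. The comment `/* Verify that the length isn't a bad value */` should also say what it checks, matching the `/* Verify that the length isn't 0 */` wording used for `actual_len` further down, and the message `"len is a bad value"` could name the condition for the same reason.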
@@ -1105,10 +1110,15 @@ H5C__load_entry(H5F_t *f,
if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");

/* Verify that the length isn't 0 */
if (actual_len == 0)
HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");

/* Expand buffer to new size */
if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
image = (uint8_t *)new_image;

#if H5C_DO_MEMORY_SANITY_CHECKS
H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
#endif /* H5C_DO_MEMORY_SANITY_CHECKS */
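Review bot: the zero check on `actual_len` sits directly after `H5C__verify_len_eoa(f, type, addr, &actual_len, true)`, which already validates `actual_len` and receives it by pointer; moving the zero (and overflow) check into that helper would protect this site, any other caller, and future ones in one place, which is also the "catch it upstream" option discussed in the comments on the first hunk. If the checks stay inline, the two sites should at least share the same comment and error-message wording ("isn't 0" here versus "isn't a bad value" above) so a reader grepping for one finds both.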