
Commit 61a840a

1 parent 092d8e6 commit 61a840a


6 files changed

+1388
-1
lines changed


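--- a/SPECS/hdf5/CVE-2025-2913.patch
+++ b/SPECS/hdf5/CVE-2025-2913.patch
@@ -0,0 +1,34 @@
+From 5f977a44cd87b7dd7afa3fb610c84cf0b11fc8d5 Mon Sep 17 00:00:00 2001
+From: Binh-Minh <[email protected]>
+Date: Mon, 4 Aug 2025 03:10:29 -0400
+Subject: [PATCH] Fix reading bad size in the raw header continuation message
+
+This issue was reported in GH-5376 as a heap-use-after-free vulnerability in
+one of the free lists. It appeared that the library came to this vulnerability
+after it encountered an undetected reading of a bad value. The fuzzer now failed
+with an appropriate error message.
+
+This considers addressing what GH-5376 reported.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5710.patch
+---
+src/H5Ocont.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/H5Ocont.c b/src/H5Ocont.c
+index 621095a..c03f4dd 100644
+--- a/src/H5Ocont.c
++++ b/src/H5Ocont.c
+@@ -100,6 +100,8 @@ H5O__cont_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
+if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+H5F_DECODE_LENGTH(f, p, cont->size);
++ if (cont->size == 0)
++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid continuation chunk size (0)");
+
+cont->chunkno = 0;
+
+--
+2.45.4
+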
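Review bot: The guard added in the H5Ocont.c hunk rejects only `cont->size == 0`; every other corrupt length still passes, and whether the code that later reads the continuation chunk bounds `cont->size` against the file's end of allocation is not visible here. If it does not, a zero check alone leaves an oversized or wrapping length reaching whatever allocation or read uses it, so a comment at the new line recording the contract would help the next backporter: `/* only zero is rejected here; the chunk reader must bound size against the file EOA */`. H5O__cont_decode continues outside the hunk, so the address decoded for this message and any later checks on it are not shown.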

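--- a/SPECS/hdf5/CVE-2025-2914.patch
+++ b/SPECS/hdf5/CVE-2025-2914.patch
@@ -0,0 +1,48 @@
+From 79bfbd8ab3b2dafdea47c727cad735b22c1144ce Mon Sep 17 00:00:00 2001
+From: Binh-Minh <[email protected]>
+Date: Tue, 12 Aug 2025 20:06:42 -0400
+Subject: [PATCH] Refix of the attempts in PR-5209
+
+This PR addresses the root cause of the issue by adding a sanity-check immediately
+after reading the file space page size from the file.
+
+The same fuzzer in GH-5376 was used to verify that the assert before the vulnerability
+had occurred and that an error indicating a corrupted file space page size replaced it.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5722.patch
+---
+src/H5Fsuper.c | 2 ++
+src/H5Ofsinfo.c | 3 +++
+2 files changed, 5 insertions(+)
+
+diff --git a/src/H5Fsuper.c b/src/H5Fsuper.c
+index 3e5bc9a..4de4c1f 100644
+--- a/src/H5Fsuper.c
++++ b/src/H5Fsuper.c
+@@ -756,6 +756,8 @@ H5F__super_read(H5F_t *f, H5P_genplist_t *fa_plist, bool initial_read)
+if (!(flags & H5O_MSG_FLAG_WAS_UNKNOWN)) {
+H5O_fsinfo_t fsinfo; /* File space info message from superblock extension */
+
++ memset(&fsinfo, 0, sizeof(H5O_fsinfo_t));
++
+/* f->shared->null_fsm_addr: Whether to drop free-space to the floor */
+/* The h5clear tool uses this property to tell the library
+* to drop free-space to the floor
+diff --git a/src/H5Ofsinfo.c b/src/H5Ofsinfo.c
+index 5b69235..2bb6ea6 100644
+--- a/src/H5Ofsinfo.c
++++ b/src/H5Ofsinfo.c
+@@ -182,6 +182,9 @@ H5O__fsinfo_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNU
+if (H5_IS_BUFFER_OVERFLOW(p, H5F_sizeof_size(f), p_end))
+HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+H5F_DECODE_LENGTH(f, p, fsinfo->page_size); /* File space page size */
++ /* Basic sanity check */
++ if (fsinfo->page_size == 0 || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)
++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "invalid page size in file space info");
+
+if (H5_IS_BUFFER_OVERFLOW(p, 2, p_end))
+HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
+--
+2.45.4
+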
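Review bot: The page-size check added in the H5Ofsinfo.c hunk rejects 0 and anything above `H5F_FILE_SPACE_PAGE_SIZE_MAX`, but a small nonzero value still passes even though the library's property-list API refuses page sizes below a minimum; upstream trees define `H5F_FILE_SPACE_PAGE_SIZE_MIN` next to the MAX, which is worth confirming in the packaged version. Mirroring that range on the decode path, `if (fsinfo->page_size < H5F_FILE_SPACE_PAGE_SIZE_MIN || fsinfo->page_size > H5F_FILE_SPACE_PAGE_SIZE_MAX)`, keeps on-disk validation as strict as in-memory validation and still rejects 0. In the H5Fsuper.c hunk, `memset(&fsinfo, 0, sizeof fsinfo);` ties the cleared size to the object rather than repeating the type name. Both H5F__super_read and H5O__fsinfo_decode continue outside their hunks.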

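--- a/SPECS/hdf5/CVE-2025-2924.patch
+++ b/SPECS/hdf5/CVE-2025-2924.patch
@@ -0,0 +1,147 @@
+From abc0b16c2e39652ce297688446f7c380c3c4ee74 Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 16:24:33 -0500
+Subject: [PATCH 1/4] Add to sanity check
+
+---
+src/H5HLcache.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index d0836fe..dd66162 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -232,7 +232,7 @@ H5HL__fl_deserialize(H5HL_t *heap)
+const uint8_t *image; /* Pointer into image buffer */
+
+/* Sanity check */
+- if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
++ if ((free_block > heap->dblk_size) || ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size))
+HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+
+/* Allocate & initialize free list node */
+--
+2.45.4
+
+
+From 738fe08756f8dd388b883e31ffe93905140360ce Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 18:47:22 -0500
+Subject: [PATCH 2/4] Add better check for overflow
+
+---
+src/H5HLcache.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index dd66162..ed27e23 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -232,7 +232,12 @@ H5HL__fl_deserialize(H5HL_t *heap)
+const uint8_t *image; /* Pointer into image buffer */
+
+/* Sanity check */
+- if ((free_block > heap->dblk_size) || ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size))
++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
++
++ if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
++ HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
++
++ if ((free_block + (2 * heap->sizeof_size)) > heap->dblk_size)
+HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "bad heap free list");
+
+/* Allocate & initialize free list node */
+--
+2.45.4
+
+
+From 155a1ffba3e19d11bf4de43deb27f4dac0bb9644 Mon Sep 17 00:00:00 2001
+From: Glenn Song <[email protected]>
+Date: Thu, 11 Sep 2025 19:22:38 -0500
+Subject: [PATCH 3/4] Add release note
+
+---
+release_docs/RELEASE.txt | 7 +++++++
+src/H5HLcache.c | 6 +++---
+2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
+index d94ed33..7e76a37 100644
+--- a/release_docs/RELEASE.txt
++++ b/release_docs/RELEASE.txt
+@@ -997,6 +997,13 @@ Bug Fixes since HDF5-1.14.3 release
+The MPI-2 supporting artifacts have been removed due to the cessation
+of MPI-2 maintenance and testing since version HDF5 1.12.
+
++ - Check for overflow in decoded heap block addresses
++
++ Currently, we do not check for overflow when decoding addresses from
++ the heap, which can cause overflow problems. We've added a check in
++ H5HL__fl_deserialize to ensure no overflow can occur.
++
++ Fixes GitHub issue #5382
+
+- Fixed a segfault when using a user-defined conversion function between compound datatypes
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index ed27e23..0e684cc 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -225,15 +225,15 @@ H5HL__fl_deserialize(H5HL_t *heap)
+/* check arguments */
+assert(heap);
+assert(!heap->freelist);
+-
++ HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
++
+/* Build free list */
+free_block = heap->free_block;
+while (H5HL_FREE_NULL != free_block) {
+const uint8_t *image; /* Pointer into image buffer */
+
+/* Sanity check */
+- HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+-
++
+if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
+HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
+
+--
+2.45.4
+
+
+From dda4babedbcf26002d88fc5a62123d293f1358a2 Mon Sep 17 00:00:00 2001
+From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
+Date: Fri, 12 Sep 2025 00:24:29 +0000
+Subject: [PATCH 4/4] Committing clang-format changes
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5814.patch
+---
+src/H5HLcache.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5HLcache.c b/src/H5HLcache.c
+index 0e684cc..7f412d2 100644
+--- a/src/H5HLcache.c
++++ b/src/H5HLcache.c
+@@ -226,14 +226,14 @@ H5HL__fl_deserialize(H5HL_t *heap)
+assert(heap);
+assert(!heap->freelist);
+HDcompile_assert(sizeof(hsize_t) == sizeof(uint64_t));
+-
++
+/* Build free list */
+free_block = heap->free_block;
+while (H5HL_FREE_NULL != free_block) {
+const uint8_t *image; /* Pointer into image buffer */
+
+/* Sanity check */
+-
++
+if (free_block > UINT64_MAX - (2 * heap->sizeof_size))
+HGOTO_ERROR(H5E_HEAP, H5E_BADRANGE, FAIL, "decoded heap block address overflow");
+
+--
+2.45.4
+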
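Review bot: The release_docs/RELEASE.txt hunk carried by patch 3/4 (anchored at line 997 of the "Bug Fixes since HDF5-1.14.3 release" section) contributes nothing to the fix and is the hunk most likely to reject when the packaged tarball's RELEASE.txt differs from upstream; dropping it from the backport, or confirming it applies in the build, avoids a patch failure over a documentation line. The four-patch series also ships intermediate code that later patches undo — the `free_block > heap->dblk_size` test from 1/4 is replaced in 2/4 and the `HDcompile_assert` is moved out of the loop in 3/4 — so squashing to the final H5HLcache.c state would make the backport easier to audit. The final state, a compile-time width assert followed by `if (free_block > UINT64_MAX - (2 * heap->sizeof_size))` and then the range check against `heap->dblk_size`, is sound. H5HL__fl_deserialize continues outside every hunk.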

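--- a/SPECS/hdf5/CVE-2025-44905.patch
+++ b/SPECS/hdf5/CVE-2025-44905.patch
@@ -0,0 +1,154 @@
+From f4cd98cfc5a8d9380b4e089326b8340a10b9769f Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Sat, 11 Oct 2025 12:43:06 +0200
+Subject: [PATCH 1/5] Fixing CVE-2025-44905. A malformed HDF5 can cause reading
+beyond a heap allocation.
+
+---
+src/H5Zscaleoffset.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 048344b..ad118f3 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,6 +1205,9 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+unsigned minval_size = 0;
+
+minbits = 0;
++ if (*buf_size < 4)
++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
++
+for (i = 0; i < 4; i++) {
+minbits_mask = ((unsigned char *)*buf)[i];
+minbits_mask <<= i * 8;
+--
+2.45.4
+
+
+From 186cef3aa5c7c5b0bd70f58a169a11443a7feb1f Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Sat, 11 Oct 2025 16:27:18 +0200
+Subject: [PATCH 2/5] Use H5_IS_BUFFER_OVERFLOW
+
+---
+src/H5Zscaleoffset.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index ad118f3..24b442a 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+unsigned minval_size = 0;
+
+minbits = 0;
+- if (*buf_size < 4)
++ if (H5_IS_BUFFER_OVERFLOW(buf, 4, buf + *buf_size - 1))
+HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+for (i = 0; i < 4; i++) {
+--
+2.45.4
+
+
+From c81220cbeeccd711adc384f9c89e20ee4862e866 Mon Sep 17 00:00:00 2001
+From: Christian Wojek <[email protected]>
+Date: Mon, 27 Oct 2025 22:01:08 +0100
+Subject: [PATCH 3/5] Revised fix after internal review
+
+---
+src/H5Zscaleoffset.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 24b442a..a397724 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+unsigned minval_size = 0;
+
+minbits = 0;
+- if (H5_IS_BUFFER_OVERFLOW(buf, 4, buf + *buf_size - 1))
++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char*)*buf + *buf_size - 1))
+HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+for (i = 0; i < 4; i++) {
+@@ -1223,6 +1223,8 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
+: ((unsigned char *)*buf)[4];
+minval = 0;
++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, (unsigned char*)*buf + *buf_size - 1))
++ HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+for (i = 0; i < minval_size; i++) {
+minval_mask = ((unsigned char *)*buf)[5 + i];
+minval_mask <<= i * 8;
+--
+2.45.4
+
+
+From 0a82add95ed0f1f8f60b1232f3c0f9ac7de672bb Mon Sep 17 00:00:00 2001
+From: Larry Knox <[email protected]>
+Date: Tue, 28 Oct 2025 22:27:01 -0500
+Subject: [PATCH 4/5] Apply suggestions from code review
+
+---
+src/H5Zscaleoffset.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index a397724..42a9541 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1205,7 +1205,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+unsigned minval_size = 0;
+
+minbits = 0;
+- if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char*)*buf + *buf_size - 1))
++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5, (unsigned char *)*buf + *buf_size - 1))
+HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+
+for (i = 0; i < 4; i++) {
+@@ -1223,7 +1223,8 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+minval_size = sizeof(unsigned long long) <= ((unsigned char *)*buf)[4] ? sizeof(unsigned long long)
+: ((unsigned char *)*buf)[4];
+minval = 0;
+- if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size, (unsigned char*)*buf + *buf_size - 1))
++ if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,
++ (unsigned char *)*buf + *buf_size - 1))
+HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+for (i = 0; i < minval_size; i++) {
+minval_mask = ((unsigned char *)*buf)[5 + i];
+--
+2.45.4
+
+
+From d8c235b9a696578ccd20a0ac23c8c6bedf79b37a Mon Sep 17 00:00:00 2001
+From: Larry Knox <[email protected]>
+Date: Tue, 28 Oct 2025 22:33:15 -0500
+Subject: [PATCH 5/5] Update src/H5Zscaleoffset.c
+
+Eliminate extra spaces
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/HDFGroup/hdf5/pull/5915.patch
+---
+src/H5Zscaleoffset.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/H5Zscaleoffset.c b/src/H5Zscaleoffset.c
+index 42a9541..fbf12d6 100644
+--- a/src/H5Zscaleoffset.c
++++ b/src/H5Zscaleoffset.c
+@@ -1224,7 +1224,7 @@ H5Z__filter_scaleoffset(unsigned flags, size_t cd_nelmts, const unsigned cd_valu
+: ((unsigned char *)*buf)[4];
+minval = 0;
+if (H5_IS_BUFFER_OVERFLOW((unsigned char *)*buf, 5 + minval_size,
+- (unsigned char *)*buf + *buf_size - 1))
++ (unsigned char *)*buf + *buf_size - 1))
+HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");
+for (i = 0; i < minval_size; i++) {
+minval_mask = ((unsigned char *)*buf)[5 + i];
+--
+2.45.4
+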
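Review bot: Both new checks in H5Zscaleoffset.c compute the end pointer as `(unsigned char *)*buf + *buf_size - 1` before anything establishes `*buf_size > 0`; for an empty input that expression forms a pointer one element before the allocation, which C pointer arithmetic does not permit even though the macro's comparison would then reject the buffer. A guard ahead of the first check, `if (*buf_size == 0) HGOTO_ERROR(H5E_ARGS, H5E_BADVALUE, 0, "buffer too short");`, keeps the arithmetic inside the object; the two-byte-count arguments `5` and `5 + minval_size` are otherwise correct for the index-4 and index-5+i reads that follow. Patch 2/5 passes `buf` (the `void **`) rather than `*buf` to the macro and is corrected only in 3/5, so the series as shipped carries a broken intermediate revision; squashing to the final state would avoid that. H5Z__filter_scaleoffset continues outside every hunk.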
