From 073194de4c80bc8c6c010faa7d71ac9e3820e057 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Wed, 27 Aug 2025 14:36:26 -0500
Subject: [PATCH 01/14] Move addr assert into if check

---
 src/H5MF.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/H5MF.c b/src/H5MF.c
index 763bf3f96a3..5e3c5ce6553 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
@@ -1057,8 +1057,10 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 assert(f);
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
- assert(addr != 0); /* Can't deallocate the superblock :-) */
-
+
+ if (addr <= 0)
+ HGOTO_ERROR(H5E_RESOURCE, H5E_BADRANGE, FAIL, "attempting to free file superblock");
+
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 
 /* Set the ring type in the API context */

From 907a71d16f1afbd2f435b0f11719ec76ca4ca0d8 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Wed, 24 Sep 2025 13:27:17 -0500
Subject: [PATCH 02/14] Change fix to address bad input

---
 src/H5Faccum.c | 2 ++
 src/H5MF.c | 4 +---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/H5Faccum.c b/src/H5Faccum.c
index 4d713576ca6..831c731a1e8 100644
--- a/src/H5Faccum.c
+++ b/src/H5Faccum.c
@@ -879,6 +879,8 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
 
 /* Calculate the size of the overlap with the accumulator, etc. */
 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
+ if (overlap_size > accum->size)
+ HGOTO_ERROR(H5E_IO, H5E_BADVALUE, FAIL, "new accumulator size negative");
 new_accum_size = accum->size - overlap_size;
 
 /* Move the accumulator buffer information to eliminate the freed block */
diff --git a/src/H5MF.c b/src/H5MF.c
index 5e3c5ce6553..271bb80c999 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
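Review bot: `if (addr <= 0)` is a signed-style range test on a value that is otherwise handled as a file address; haddr_t is not declared in this hunk, but if it is HDF5's unsigned address type the comparison can only ever mean `addr == 0`, and `<= 0` on an unsigned value reads as if a negative range were possible. Write it as `if (0 == addr)` to match the `0 == size` test two lines above, and carry over the explanation the removed assert had as a trailing comment, `/* Can't deallocate the superblock */`. Replacing the assert with a runtime HGOTO_ERROR is the right direction, since assert is compiled out under NDEBUG and addr can originate in file metadata. H5MF_xfree continues past the end of this hunk.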
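Review bot: The new guard rejects the underflowed subtraction but not the wrapping addition that feeds it: `(addr + size)` on the line above is where haddr_t can wrap (the changelog entry added later in this series attributes CVE-2025-2915 to that integer overflow), and the wrapped difference is only caught when it happens to exceed accum->size. Reject the sum explicitly before it is used, `if (addr + size < addr) HGOTO_ERROR(H5E_IO, H5E_OVERFLOW, FAIL, "freed block address range overflows");`, and keep the subtraction check as a second guard. The message "new accumulator size negative" is also misleading for unsigned size_t arithmetic; "freed block extends past accumulator" names what is actually rejected. H5F__accum_free starts before this hunk, so the branch condition that leads to this path is not visible here.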
@@ -1057,9 +1057,7 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 assert(f);
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
-
- if (addr <= 0)
- HGOTO_ERROR(H5E_RESOURCE, H5E_BADRANGE, FAIL, "attempting to free file superblock");
+ assert(addr != 0);
 
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 

From 6b9a9797b07bc1833400c110f95b674b6e75d608 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 27 Aug 2025 19:39:34 +0000
Subject: [PATCH 03/14] Committing clang-format changes

---
 src/H5MF.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/H5MF.c b/src/H5MF.c
index 271bb80c999..a306a281eaf 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
@@ -1058,7 +1058,6 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
 assert(addr != 0);
-
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 
 /* Set the ring type in the API context */

From 57733ff127d66911e0e9877c9d4f9ab545c08633 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Wed, 24 Sep 2025 14:22:26 -0500
Subject: [PATCH 04/14] Add commit message

---
 release_docs/CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index 1a9617a1115..99eb7ea3409 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -493,6 +493,11 @@ Simple example programs showing how to use complex number datatypes have been ad
 
 # 🪲 Bug Fixes
 
+### Fixed security issue CVE-2025-2915
+ In H5F__accum_free, a heap-based buffer overflow issue was ocurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later.
+
+ Fixes GitHub issue #5380
+
 ## Library
 
 ### Fixed security issue CVE-2025-6857
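Review bot: Reverting to `assert(addr != 0)` leaves no release-build check for a zero address, since assert is compiled out under NDEBUG and the only earlier test, `H5_addr_defined(addr)`, presumably distinguishes HADDR_UNDEF rather than 0. If addr can arrive here from decoded file metadata, which is what the rest of this series is hardening, a malformed file then reaches the free path for the superblock region in production builds; a runtime `if (0 == addr) HGOTO_ERROR(H5E_RESOURCE, H5E_BADRANGE, FAIL, "attempting to free file superblock");` kept alongside the assert costs one comparison. Whether such a caller exists is not visible in this hunk, and H5MF_xfree continues past its end.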
From ad669e6119e7d43ee8dca6b952f06ddb85af00c7 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Wed, 24 Sep 2025 14:25:37 -0500
Subject: [PATCH 05/14] Re-add comment

---
 src/H5MF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5MF.c b/src/H5MF.c
index a306a281eaf..be2e08eb8c0 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
@@ -1057,7 +1057,7 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 assert(f);
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
- assert(addr != 0);
+ assert(addr != 0); /* Can't deallocate the superblock :-) */
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 
 /* Set the ring type in the API context */

From f4e016b20d6581fd459afa4d91db674ba4a7d26d Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Wed, 24 Sep 2025 14:39:50 -0500
Subject: [PATCH 06/14] Fix spelling error

---
 release_docs/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index 99eb7ea3409..d8d4cfd3c0c 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -494,7 +494,7 @@ Simple example programs showing how to use complex number datatypes have been ad
 # 🪲 Bug Fixes
 
 ### Fixed security issue CVE-2025-2915
- In H5F__accum_free, a heap-based buffer overflow issue was ocurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later.
+ In H5F__accum_free, a heap-based buffer overflow issue was occurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later.
 
 Fixes GitHub issue #5380
 

From 1a9431b130dc2a5b0292ff26dee9fa3d2075b217 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Thu, 25 Sep 2025 12:45:59 -0500
Subject: [PATCH 07/14] Move change log entry to correct place

---
 release_docs/CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index d8d4cfd3c0c..e8833d8bf83 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -493,13 +493,13 @@ Simple example programs showing how to use complex number datatypes have been ad
 
 # 🪲 Bug Fixes
 
+## Library
+
 ### Fixed security issue CVE-2025-2915
 In H5F__accum_free, a heap-based buffer overflow issue was occurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later.
 
 Fixes GitHub issue #5380
 
-## Library
-
 ### Fixed security issue CVE-2025-6857
 An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks.
 

From 1508f3f15c2b0225fbd404a18ae27238f6f59c6e Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Thu, 16 Oct 2025 17:02:23 -0500
Subject: [PATCH 08/14] Address Neil's comments and move check to when the value is read

---
 release_docs/CHANGELOG.md | 2 +-
 src/H5Faccum.c | 5 +++--
 src/H5Ocache_image.c | 7 +++++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index e8833d8bf83..49ec7f8ec41 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -496,7 +496,7 @@ Simple example programs showing how to use complex number datatypes have been ad
 ## Library
 
 ### Fixed security issue CVE-2025-2915
- In H5F__accum_free, a heap-based buffer overflow issue was occurring due to calculating a new_accum_size that did not make sense due to an integer overflow. A new check has been added to make sure that accum->size - overlap_size can't result in a negative number, which prevents strange behavior later.
+ Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
 
 Fixes GitHub issue #5380
 
diff --git a/src/H5Faccum.c b/src/H5Faccum.c
index 831c731a1e8..e0b58813d9b 100644
--- a/src/H5Faccum.c
+++ b/src/H5Faccum.c
@@ -879,8 +879,9 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
 
 /* Calculate the size of the overlap with the accumulator, etc. */
 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
- if (overlap_size > accum->size)
- HGOTO_ERROR(H5E_IO, H5E_BADVALUE, FAIL, "new accumulator size negative");
+ /* Sanity check */
+ /* Overlap size should not result in "negative" value after subtraction */
+ assert(overlap_size > accum->size);
 new_accum_size = accum->size - overlap_size;
 
 /* Move the accumulator buffer information to eliminate the freed block */
diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
index 30f0732d671..adbcc421d45 100644
--- a/src/H5Ocache_image.c
+++ b/src/H5Ocache_image.c
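Review bot: `assert(overlap_size > accum->size)` asserts the failure condition instead of the invariant: the removed HGOTO_ERROR fired when overlap_size exceeded accum->size, so this assert trips on every normal free where overlap_size is within the accumulator and stays silent on exactly the corrupt case the comment describes. The invariant is `assert(overlap_size <= accum->size);`, or `<` if the overlap-branch condition above the hunk (not visible here) already excludes a complete overlap. Separately, an assert vanishes under NDEBUG, so after this hunk H5F__accum_free has no release-build protection of its own and relies on every caller having validated addr + size; if that is the intended contract, state it in the function's header comment, e.g. `/* Caller must guarantee addr + size does not wrap; see H5O__mdci_decode */`. H5F__accum_free starts before this hunk.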
@@ -116,6 +116,13 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "ran off end of input buffer while decoding");
 H5F_DECODE_LENGTH(f, p, mesg->size);
 
+ if (mesg->addr >= (HADDR_UNDEF - mesg->size))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
+ if (mesg->addr == HADDR_UNDEF)
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
+ if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_DEFAULT))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
+
 /* Set return value */
 ret_value = (void *)mesg;
 

From 1a26f5b94ade1aec3f13f7c2b7c21fc954edac2d Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Fri, 17 Oct 2025 09:55:36 -0500
Subject: [PATCH 09/14] Re-add deleted line

---
 src/H5MF.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/H5MF.c b/src/H5MF.c
index be2e08eb8c0..cdd08bce175 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
@@ -1058,6 +1058,7 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
 assert(addr != 0); /* Can't deallocate the superblock :-) */
+
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 
 /* Set the ring type in the API context */

From 1ba2d5850c6c7746505c66a4f8a078960e7f2286 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Fri, 17 Oct 2025 09:56:00 -0500
Subject: [PATCH 10/14] Remove whitespace

---
 src/H5MF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5MF.c b/src/H5MF.c
index cdd08bce175..763bf3f96a3 100644
--- a/src/H5MF.c
+++ b/src/H5MF.c
@@ -1058,7 +1058,7 @@ H5MF_xfree(H5F_t *f, H5FD_mem_t alloc_type, haddr_t addr, hsize_t size)
 if (!H5_addr_defined(addr) || 0 == size)
 HGOTO_DONE(SUCCEED);
 assert(addr != 0); /* Can't deallocate the superblock :-) */
-
+
 H5MF__alloc_to_fs_type(f->shared, alloc_type, size, &fs_type);
 
 /* Set the ring type in the API context */
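Review bot: The `mesg->addr == HADDR_UNDEF` test is unreachable where it sits: if HADDR_UNDEF is the all-ones address sentinel (its definition is not in this hunk), then for addr == HADDR_UNDEF the preceding `mesg->addr >= (HADDR_UNDEF - mesg->size)` holds for every size, so an undefined address is reported as "address plus size overflows". Test the sentinel first, `if (!H5_addr_defined(mesg->addr)) HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, NULL, "address is undefined");` (the same helper H5MF.c uses elsewhere in this series), then the overflow and eoa checks; H5E_BADVALUE also describes an undefined address better than H5E_OVERFLOW. Validating here is the right place, since addr and size are decoded straight from the on-disk message and rejecting them before they reach H5F__accum_free is what actually closes the overflow. H5O__mdci_decode starts and ends outside this hunk.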
From b4d2a0e1923e1b0e669dcaf8371fe5c5e6041dc2 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Fri, 17 Oct 2025 10:13:54 -0500
Subject: [PATCH 11/14] Add additional issue to changelog entry

---
 release_docs/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index 49ec7f8ec41..2f57a22647c 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -495,7 +495,7 @@ Simple example programs showing how to use complex number datatypes have been ad
 
 ## Library
 
-### Fixed security issue CVE-2025-2915
+### Fixed security issue CVE-2025-2915 and OSV-2024-381
 Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
 
 Fixes GitHub issue #5380

From 9297c7988f9b6024dc26e66f152f0f310d0d5690 Mon Sep 17 00:00:00 2001
From: Glenn Song
Date: Fri, 17 Oct 2025 16:02:22 -0500
Subject: [PATCH 12/14] Change type

---
 src/H5Ocache_image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5Ocache_image.c b/src/H5Ocache_image.c
index adbcc421d45..e7c6765d32e 100644
--- a/src/H5Ocache_image.c
+++ b/src/H5Ocache_image.c
@@ -120,7 +120,7 @@ H5O__mdci_decode(H5F_t *f, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSE
 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size overflows");
 if (mesg->addr == HADDR_UNDEF)
 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address is undefined");
- if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_DEFAULT))
+ if ((mesg->addr + mesg->size) > H5F_get_eoa(f, H5FD_MEM_SUPER))
 HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, NULL, "address plus size exceeds file eoa");
 
 /* Set return value */

From b5021d1c5d802c085c4a8f840eb6fd7f72b798af Mon Sep 17 00:00:00 2001
From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
Date: Fri, 17 Oct 2025 16:20:19 -0500
Subject: [PATCH 13/14] Update src/H5Faccum.c

Co-authored-by: Neil Fortner
---
 src/H5Faccum.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/H5Faccum.c b/src/H5Faccum.c
index e0b58813d9b..5aefc5340e4 100644
--- a/src/H5Faccum.c
+++ b/src/H5Faccum.c
@@ -881,7 +881,7 @@ H5F__accum_free(H5F_shared_t *f_sh, H5FD_mem_t H5_ATTR_UNUSED type, haddr_t addr
 H5_CHECKED_ASSIGN(overlap_size, size_t, (addr + size) - accum->loc, haddr_t);
 /* Sanity check */
 /* Overlap size should not result in "negative" value after subtraction */
- assert(overlap_size > accum->size);
+ assert(overlap_size < accum->size);
 new_accum_size = accum->size - overlap_size;
 
 /* Move the accumulator buffer information to eliminate the freed block */

From fa8fd3a17371288d6d6c879fe410d9141e652fae Mon Sep 17 00:00:00 2001
From: Larry Knox
Date: Mon, 20 Oct 2025 07:45:53 -0500
Subject: [PATCH 14/14] Apply suggestions from code review

---
 release_docs/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md
index eb76aa311ce..d08176bc677 100644
--- a/release_docs/CHANGELOG.md
+++ b/release_docs/CHANGELOG.md
@@ -557,8 +557,8 @@ Added Fortran wrapper h5fdsubfiling_get_file_mapping_f() for the subfiling file
 
 ## Library
 
-
 ### Fixed security issue CVE-2025-2915 and OSV-2024-381
+
 Fixed a heap-based buffer overflow in H5F__accum_free caused by an integer overflow when calculating new_accum_size. Added validation in H5O__mdci_decode to detect and reject invalid values early, preventing the overflow condition.
 
 Fixes GitHub issue #5380
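Review bot: With the comparison now the right way round, `assert(overlap_size < accum->size)` is still debug-only: under NDEBUG it vanishes and `new_accum_size = accum->size - overlap_size` underflows silently for any caller that reaches this branch with a wrapped addr + size, which is the CVE-2025-2915 condition this series closes. The decode-time check added earlier in the series covers the cache-image message, but H5F__accum_free appears to be a shared accumulator routine, so a runtime guard here is cheap defense in depth: `if (overlap_size >= accum->size) HGOTO_ERROR(H5E_IO, H5E_BADRANGE, FAIL, "freed block extends past accumulator");` placed before the subtraction, keeping the assert. Whether equality is reachable depends on the overlap-branch condition above the hunk, which is not visible; mirror whatever bound that branch establishes. H5F__accum_free starts before and ends after this hunk.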