Fix CVE-2025-2926 #5841
Fix CVE-2025-2926 #5841
Conversation
bmribler
requested review from
brtnfld,
byrnHDF,
derobins,
fortnern,
glennsong09,
jhendersonHDF,
lrknox,
mattjala,
qkoziol and
vchoi-hdfgroup
as code owners
|
Umm, FYI, this PR only has the changes in H5Centry.c and RELEASE.txt. Sorry! |
release_docs/RELEASE.txt
Outdated
| =================================== | ||
| Library | ||
| ------- | ||
| - Fixed CVE 2025 2926 |
There was a problem hiding this comment.
Should use hyphens in the name, like other CVE issues
There was a problem hiding this comment.
Hmm, I don't know how that happened. I always have hyphens... Thanks, Dana.
src/H5Cimage.c
Outdated
| if (H5C__decode_cache_image_header(f, cache_ptr, &p, image_len + 1) < 0) | ||
| HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed"); | ||
| assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len); | ||
| assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < image_len); |
There was a problem hiding this comment.
Why not make this a real error check instead of an assert?
There was a problem hiding this comment.
If H5C__decode_cache_image_header checks for overflow an assert is appropriate here. And if it doesn't, it should.
There was a problem hiding this comment.
This change was merged into this PR by accident and that was fixed now. I'll check out about H5C__decode_cache_image_header() and create another PR instead.
src/H5Centry.c
Outdated
| if (type->get_initial_load_size(udata, &len) < 0) | ||
| HGOTO_ERROR(H5E_CACHE, H5E_CANTGET, NULL, "can't retrieve image size"); | ||
| assert(len > 0); | ||
| if (len == 0) |
There was a problem hiding this comment.
Seems to me this should really be checked in the callbacks, and left as an assert here.
There was a problem hiding this comment.
Do you know why the callback is returning len=0 without returning an error?
There was a problem hiding this comment.
I fixed it and push the change soon
jhendersonHDF
force-pushed
the
fix_CVE-2025-2926
branch
from
a4678ff to
b36c123
Compare
github-project-automation
bot
moved this from Scheduled/On-Deck
to In progress
in HDF5 - TRIAGE & TRACK
|
I think we still need to get to the bottom of this. I did some digging and it looks like the size in the udata comes from a continuation message, but H5O__cont_decode() checks for size == 0. Can you try to figure out how it's getting past that check? |
|
@fortnern I believe this commit took care of the len=0 issue. Although, I'm not exactly sure how that commit is not listed in the changed files of #5841... |
This check isn't as close to the file as it could be. As I mentioned previously, the udata->size in that function should come from H5O__cont_decode(), which already has a check for size == 0. Can you try to figure out how that was bypassed? |
Oh, it did catch: I thought we wanted additional checking too. |
|
So the CVE is already fixed without this PR? I think the check in this PR should just be an assertion (unless there's some case where we really can't catch it before here) |
|
We should only do enough non-assert checking as is necessary to guarantee a consistent internal state. Additional checking should be in the form of assertions. |
|
@fortnern The assert was already put back in the commit I mentioned in #5841 (comment). Sorry, I forgot that I did. |
lrknox
added
Component - C Library
|
There is no assert in H5O__cache_chk_get_initial_load_size() currently and this PR adds an error check instead of an assert. Is there a reason you think this should not be an assert instead? |
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
| assert(udata); | ||
| assert(udata->oh); | ||
| assert(image_len); | ||
| assert(udata->size); |
There was a problem hiding this comment.
The runtime check for udata->size==0 was removed and replaced with an assert. In production builds, asserts may be disabled, so a corrupted image size of 0 won’t be caught, possibly leading to a NULL pointer dereference. Please retain a runtime error check (e.g. using HGOTO_ERROR) to ensure the image size is nonzero.
| Fixed a heap buffer overflow in H5FS__sinfo_serialize_node_cb() by discarding file free space sections from the file free space manager when they are found to be invalid. Specifically crafted HDF5 files can result in an attempt to insert duplicate or overlapping file free space sections into a file free space manager, later resulting in a buffer overflow when the same free space section is serialized to the file multiple times. | ||
|
|
||
| Fixes GitHub issue #5577 | ||
|
|
There was a problem hiding this comment.
Hmm, I don't know how this entry got into my commit... I hope I didn't cause anything bad.
An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image being copied to the buffer. This PR adds the image size check.
Fixes #5384
Important
Fix CVE-2025-2926 by adding image size check in
H5O__cache_chk_get_initial_load_size()to prevent NULL pointer dereference.H5O__cache_chk_get_initial_load_size()inH5Ocache.cto prevent NULL pointer dereference.CHANGELOG.mdto document the fix for CVE-2025-2926.This description was created by
for f9a8267. You can customize this summary. It will automatically update as commits are pushed.