@@ -0,0 +1,87 @@
+From 7159488b73fb429a78f79763f7b3775a3c160fad Mon Sep 17 00:00:00 2001
+From: bmribler <39579120+bmribler@users.noreply.github.com>
+Date: Fri, 26 Sep 2025 11:46:50 -0400
+Subject: [PATCH] Fixes CVE-2025-6750 (#5856)
+
+* Fixes CVE-2025-6750
+
+A heap buffer overflow occurred because an mtime message was not properly decoded, resulting in a buffer of size 0 being passed into the encoder.
+
+This PR added decoding for both old and new mtime messages which will allow invalid message size to be detected.
+
+Fixes #5549
+
+CVE: CVE-2025-6750
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/86149a098837a37b2513746e9baf84010f75fb54]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Ocache.c | 41 +++++++++++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/src/H5Ocache.c b/src/H5Ocache.c
+index 12c30cf..e6095a7 100644
+--- a/src/H5Ocache.c
++++ b/src/H5Ocache.c
+@@ -1265,6 +1265,9 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ if (mesg_size != H5O_ALIGN_OH(oh, mesg_size))
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message not aligned");
+
++ if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end))
++ HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message size exceeds buffer end");
++
+ /* Message flags */
+ if (H5_IS_BUFFER_OVERFLOW(chunk_image, 1, p_end))
+ HGOTO_ERROR(H5E_OHDR, H5E_OVERFLOW, FAIL, "ran off end of input buffer while decoding");
+@@ -1297,12 +1300,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ }
+ }
+
+- /* Try to detect invalidly formatted object header message that
+- * extends past end of chunk.
+- */
+- if (chunk_image + mesg_size > eom_ptr)
+- HGOTO_ERROR(H5E_OHDR, H5E_CANTINIT, FAIL, "corrupt object header");
+-
+ /* Increment count of null messages */
+ if (H5O_NULL_ID == id)
+ nullcnt++;
+@@ -1449,6 +1446,38 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t
+ HGOTO_ERROR(H5E_OHDR, H5E_CANTSET, FAIL, "can't decode refcount");
+ oh->nlink = *refcount;
+ }
++ /* Check if message is an old mtime message */
++ else if (H5O_MTIME_ID == id) {
++ time_t *mtime = NULL;
++
++ /* Decode mtime message */
++ mtime =
++ (time_t *)(H5O_MSG_MTIME->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size, mesg->raw);
++
++ /* Save the decoded old format mtime */
++ if (!mtime)
++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode old format mtime");
++
++ /* Save 'native' form of mtime message and its value */
++ mesg->native = mtime;
++ oh->ctime = *mtime;
++ }
++ /* Check if message is an new mtime message */
++ else if (H5O_MTIME_NEW_ID == id) {
++ time_t *mtime = NULL;
++
++ /* Decode mtime message */
++ mtime = (time_t *)(H5O_MSG_MTIME_NEW->decode)(udata->f, NULL, 0, &ioflags, mesg->raw_size,
++ mesg->raw);
++
++ /* Save the decoded new format mtime */
++ if (!mtime)
++ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, FAIL, "can't decode new format mtime");
++
++ /* Save 'native' form of mtime message and its value */
++ mesg->native = mtime;
++ oh->ctime = *mtime;
++ }
+ /* Check if message is a link message */
+ else if (H5O_LINK_ID == id) {
+ /* Increment the count of link messages */
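Review bot: The new `H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end)` check in the first inner hunk (@@ -1265) is evaluated while chunk_image still points at the message flags byte that the very next lines consume, so a payload that starts after the flags (and after any reserved or creation-index bytes, which are outside this hunk) can still end a few bytes past p_end; the removed `chunk_image + mesg_size > eom_ptr` check in the second inner hunk (@@ -1297) ran after those bytes were consumed, so the two are not simply equivalent. Consider repeating the bound once chunk_image has reached the payload start, `if (H5_IS_BUFFER_OVERFLOW(chunk_image, mesg_size, p_end)) HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message payload exceeds buffer end");` just before the raw pointer and size are recorded, or keep a comparison against eom_ptr if that bound is tighter than p_end — I cannot confirm how eom_ptr and p_end relate from these hunks. In the third inner hunk the H5O_MTIME_ID and H5O_MTIME_NEW_ID branches are identical apart from the message class, so a small static helper taking the class pointer would remove the duplicated decode/NULL-check/assign sequence and could let the `H5E_CANTDECODE` message name the id once. H5O__chunk_deserialize begins and ends outside these hunks.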