Skip to content

Fix CVE-2025-2926 #5841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Fix CVE-2025-2926 #5841

wants to merge 4 commits into from

Conversation

bmribler
Copy link
Collaborator

@bmribler bmribler commented Sep 16, 2025
edited by ellipsis-dev bot
Loading

An image size was corrupted and decoded as 0 resulting in a NULL image buffer, which caused a NULL pointer dereference when the image being copied to the buffer. This PR adds the image size check.

Fixes #5384

Important

Fixes CVE-2025-2926 by adding an image size check in H5O__cache_chk_get_initial_load_size() to prevent NULL pointer dereference.

  • Security Fix:
    • Adds image size check in H5O__cache_chk_get_initial_load_size() in H5Ocache.c to prevent NULL pointer dereference when image size is corrupted and decoded as 0.
    • Updates CHANGELOG.md to document the fix for CVE-2025-2926.

This description was created by Ellipsis for 05369d0. You can customize this summary. It will automatically update as commits are pushed.

@github-project-automation github-project-automation bot moved this to To be triaged in HDF5 - TRIAGE & TRACK Sep 16, 2025
@bmribler
Copy link
Collaborator Author

Umm, FYI, this PR only has the changes in H5Centry.c and RELEASE.txt. Sorry!

@jhendersonHDF jhendersonHDF linked an issue Sep 16, 2025 that may be closed by this pull request
NULL Pointer Dereference in H5O__cache_chk_serialize #5384
Open
derobins
derobins reviewed Sep 17, 2025
View reviewed changes
release_docs/RELEASE.txt Outdated
===================================
Library
-------
- Fixed CVE 2025 2926
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should use hyphens in the name, like other CVE issues

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I don't know how that happened. I always have hyphens... Thanks, Dana.

derobins
derobins reviewed Sep 17, 2025
View reviewed changes
src/H5Cimage.c Outdated
if (H5C__decode_cache_image_header(f, cache_ptr, &p, image_len + 1) < 0)
HGOTO_ERROR(H5E_CACHE, H5E_CANTDECODE, FAIL, "cache image header decode failed");
assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < cache_ptr->image_len);
assert((size_t)(p - (uint8_t *)cache_ptr->image_buffer) < image_len);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not make this a real error check instead of an assert?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If H5C__decode_cache_image_header checks for overflow an assert is appropriate here. And if it doesn't, it should.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was merged into this PR by accident and that was fixed now. I'll check out about H5C__decode_cache_image_header() and create another PR instead.

Copy link
Collaborator Author

@bmribler bmribler Sep 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR #5884 adds the missing overflow checks, @fortnern.

@derobins derobins changed the title Fix CVE 2025 2926 Fix CVE-2025-2926 Sep 17, 2025
mattjala
mattjala previously approved these changes Sep 18, 2025
View reviewed changes
@nbagha1 nbagha1 moved this from To be triaged to Scheduled/On-Deck in HDF5 - TRIAGE & TRACK Sep 23, 2025
fortnern
fortnern reviewed Sep 24, 2025
View reviewed changes
src/H5Centry.c Outdated
if (type->get_initial_load_size(udata, &len) < 0)
HGOTO_ERROR(H5E_CACHE, H5E_CANTGET, NULL, "can't retrieve image size");
assert(len > 0);
if (len == 0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to me this should really be checked in the callbacks, and left as an assert here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know why the callback is returning len=0 wihtout returning an error?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed it and push the change soon

@bmribler @jhendersonHDF
Fix CVE-2025-2926
b36c123 
An image size was corrupted and decoded as 0 resulting in a NULL image buffer,
which caused a NULL pointer dereference when the image being copied to the buffer.
The invalid image size was caught in the PR #5710.  This change catches right
before the copying.

Fixes GH issue #5384
fortnern
fortnern requested changes Sep 24, 2025
View reviewed changes
Copy link
Member

@fortnern fortnern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See questions about get_initial_load_size returning len==0

@github-project-automation github-project-automation bot moved this from Scheduled/On-Deck to In progress in HDF5 - TRIAGE & TRACK Sep 24, 2025
@bmribler bmribler requested a review from fortnern September 25, 2025 15:27
@bmribler bmribler requested a review from mattjala September 25, 2025 15:27
@fortnern
Copy link
Member

I think we still need to get to the bottom of this. I did some digging and it looks like the size in the udata comes from a continuation message, but H5O__cont_decode() checks for size == 0. Can you try to figure out how it's getting past that check?

@bmribler bmribler mentioned this pull request Sep 27, 2025
Open
@bmribler
Copy link
Collaborator Author

bmribler commented Sep 27, 2025
edited
Loading

@fortnern I believe this commit took care of the len=0 issue. Although, I'm not exactly sure how that commit is not listed in the changed files of #5841...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derobins derobins derobins left review comments

@lrknox lrknox Awaiting requested review from lrknox lrknox is a code owner

@byrnHDF byrnHDF Awaiting requested review from byrnHDF byrnHDF is a code owner

@jhendersonHDF jhendersonHDF Awaiting requested review from jhendersonHDF jhendersonHDF is a code owner

@qkoziol qkoziol Awaiting requested review from qkoziol qkoziol is a code owner

@vchoi-hdfgroup vchoi-hdfgroup Awaiting requested review from vchoi-hdfgroup vchoi-hdfgroup is a code owner

@glennsong09 glennsong09 Awaiting requested review from glennsong09 glennsong09 is a code owner

@brtnfld brtnfld Awaiting requested review from brtnfld brtnfld is a code owner

@fortnern fortnern Awaiting requested review from fortnern fortnern is a code owner

@mattjala mattjala Awaiting requested review from mattjala mattjala is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@fortnern fortnern

@glennsong09 glennsong09

Labels
None yet
Projects
HDF5 - TRIAGE & TRACK
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NULL Pointer Dereference in H5O__cache_chk_serialize
5 participants
@bmribler @fortnern @derobins @mattjala @glennsong09