Fix CVE-2025-2153 #5795
Merged
Fix CVE-2025-2153 #5795
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
glennsong09
requested review from
byrnHDF,
derobins,
fortnern,
jhendersonHDF,
lrknox,
qkoziol and
vchoi-hdfgroup
as code owners
glennsong09
requested review from
bmribler,
brtnfld and
mattjala
as code owners
vchoi-hdfgroup
added
the
Component - C Library
vchoi-hdfgroup
previously approved these changes
Sep 8, 2025
mattjala
reviewed
Sep 9, 2025
release_docs/RELEASE.txt
Outdated
| - Fixed messages being able to be modified to shared when they are | ||
| not sharable | ||
|
|
||
| The message flags field can be modified such that a message that is |
There was a problem hiding this comment.
can be modified -> could be modified to indicate past tense.
mattjala
previously approved these changes
Sep 9, 2025
lrknox
dismissed stale reviews from mattjala and vchoi-hdfgroup
via
0ed7ab1
derobins
reviewed
Sep 17, 2025
| /* Check to see if the type is not sharable */ | ||
| if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) | ||
| HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable"); | ||
|
|
There was a problem hiding this comment.
Would it also be worth switching the assert statements above into real error checks?
fortnern
requested changes
Sep 19, 2025
github-project-automation
bot
moved this from To be triaged
to In progress
in HDF5 - TRIAGE & TRACK
glennsong09
force-pushed
the
issue5329
branch
from
7e919f0 to
6e41069
Compare
fortnern
reviewed
Sep 25, 2025
src/H5Ocache.c
Outdated
| HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, | ||
| "message of unshareable class flagged as shareable"); | ||
|
|
||
There was a problem hiding this comment.
Trailing whitespace (why wasn't this picked up by the formatter?)
fortnern
reviewed
Sep 25, 2025
release_docs/release_archive.txt
Outdated
|
|
||
| Fixes GitHub issue #4952 | ||
|
|
||
| - Fixed messages being able to be modified to shared when they are |
There was a problem hiding this comment.
We shouldn't add new notes to release_archive.txt, just Changelog.md
fortnern
reviewed
Sep 25, 2025
fortnern
reviewed
Oct 3, 2025
| H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) | ||
| HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, | ||
| "message of unshareable class flagged as shareable"); | ||
|
|
There was a problem hiding this comment.
I didn't mean to delete the line, just the blank spaces in it
fortnern
reviewed
Oct 3, 2025
release_docs/CHANGELOG.md
Outdated
|
|
||
| ### Fixed security issue CVE-2025-2153 | ||
|
|
||
| The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catche unsharable messages being marked as sharable has been improved. |
There was a problem hiding this comment.
that catche -> that catches? that caught? for?
added 2 commits
October 6, 2025 13:01
fortnern
approved these changes
Oct 7, 2025
byrnHDF
approved these changes
Oct 9, 2025
lrknox
approved these changes
Oct 9, 2025
github-project-automation
bot
moved this from In progress
to Done
in HDF5 - TRIAGE & TRACK
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes #5329. Previously, the message flags field was able to be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t could be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they indicate they can be shared.
The bug was first reproduced using the fuzzer and the POC file from #5329. With this change, the heap based buffer overflow no longer occurs.
Important
Fixes CVE-2025-2153 by preventing non-sharable messages from being modified to appear sharable in
H5O__msg_write_real().H5O__msg_write_real()inH5Omessage.cto prevent non-sharable messages from being modified to appear sharable, addressing CVE-2025-2153.RELEASE.txtto include details of the fix for GitHub issue Heap-based Buffer Overflow in H5SM_delete #5329.This description was created by
for 4be883f. You can customize this summary. It will automatically update as commits are pushed.