From 4be883f34d8906bd907dcf0ddb17d47dad5357d3 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Mon, 8 Sep 2025 17:06:52 -0500 Subject: [PATCH 01/14] Add release text --- release_docs/RELEASE.txt | 10 ++++++++++ src/H5Omessage.c | 4 ++++ 2 files changed, 14 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 4eeb18a8ea9..80364b1613b 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -841,6 +841,16 @@ Bug Fixes since HDF5-2.0.0 release Fixes GitHub issue #4952 + - Fixed messages being able to be modified to shared when they are + not sharable + + The message flags field can be modified such that a message that is + not sharable according to the share_flags field in H5O_msg_class_t + can be treated as sharable. A check has been added to make sure + messages that are not sharable can't be modified so that they + indicate they can be shared. + + Fixes GitHub issue #5329 Java Library ------------ diff --git a/src/H5Omessage.c b/src/H5Omessage.c index 9b536c56116..df34d85609f 100644 --- a/src/H5Omessage.c +++ b/src/H5Omessage.c @@ -354,6 +354,10 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m */ assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); + /* Check to see if the type is not sharable */ + if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) + HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable"); + /* Remove the old message from the SOHM index */ /* (It would be more efficient to try to share the message first, then * delete it (avoiding thrashing the index in the case the ref. From a7ea70fdb571aff105cce5478ee57896bfd14204 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Tue, 16 Sep 2025 16:07:48 -0500 Subject: [PATCH 02/14] Add change to release note --- release_docs/RELEASE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 80364b1613b..b722db8dc7c 100644 --- a/release_docs/RELEASE.txt 
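Review bot: The comment on the new check in H5O__msg_write_real (src/H5Omessage.c, PATCH 01/14) says what is tested but not why it matters at this point. Going by the release note in the same patch, the message flags can mark a message as shared although its class lacks H5O_SHARE_IS_SHARABLE, and the code right after the check removes the message from the SOHM index. I would word it as `/* A class without H5O_SHARE_IS_SHARABLE must not reach the SOHM index removal below, whatever the message flags claim */`. The same hunk reappears in PATCH 05/14, and the enclosing function starts and ends outside the hunk.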
+++ b/release_docs/RELEASE.txt @@ -844,7 +844,7 @@ Bug Fixes since HDF5-2.0.0 release - Fixed messages being able to be modified to shared when they are not sharable - The message flags field can be modified such that a message that is + The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they From 1bd996b6dcf79d5e4343220d5c7fe49b304c66dc Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 25 Sep 2025 12:26:44 -0500 Subject: [PATCH 03/14] Move fix to H5O__chunk_deserialize --- src/H5Ocache.c | 6 +++--- src/H5Omessage.c | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 7c24851e753..8664f9aebb9 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1403,11 +1403,11 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t else { /* Check for message of unshareable class marked as "shareable" */ - if ((flags & H5O_MSG_FLAG_SHAREABLE) && H5O_msg_class_g[id] && - !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) + if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && + H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); - + /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; } diff --git a/src/H5Omessage.c b/src/H5Omessage.c index df34d85609f..021d3a10fc4 100644 --- a/src/H5Omessage.c +++ b/src/H5Omessage.c 
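Review bot: The widened condition in H5O__chunk_deserialize (PATCH 03/14, src/H5Ocache.c) now also rejects H5O_MSG_FLAG_SHARED, but the comment above it and the error text still mention only "shareable". A file rejected because of the SHARED bit therefore produces a diagnostic that names the wrong flag. The two flag tests can be folded into one mask, `if ((flags & (H5O_MSG_FLAG_SHARED | H5O_MSG_FLAG_SHAREABLE)) && H5O_msg_class_g[id] &&`, with the message changed to `"message of unshareable class flagged as shared or shareable"`. The function body starts and ends outside the hunk.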
@@ -354,9 +354,8 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m */ assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); - /* Check to see if the type is not sharable */ - if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) - HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable"); + /* Sanity check to see if the type is not sharable */ + assert(type->share_flags & H5O_SHARE_IS_SHARABLE); /* Remove the old message from the SOHM index */ /* (It would be more efficient to try to share the message first, then From 635f534ec3adcbe7f86f9fa6757679b89892ef06 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 25 Sep 2025 17:28:40 +0000 Subject: [PATCH 04/14] Committing clang-format changes --- src/H5Ocache.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 8664f9aebb9..577d5c778db 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1403,11 +1403,11 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t else { /* Check for message of unshareable class marked as "shareable" */ - if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && + if (((flags & H5O_MSG_FLAG_SHARED) || (flags & H5O_MSG_FLAG_SHAREABLE)) && H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); - + /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; } From f16ccea62c4640df9f298148b05847a6cad3fc4e Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 25 Sep 2025 12:33:12 -0500 Subject: [PATCH 05/14] Fix merge conflict in release_archive.txt --- release_docs/release_archive.txt | 11 +++++++++++ src/H5Omessage.c | 4 ++++ 2 files changed, 15 insertions(+) 
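Review bot: Replacing the `HGOTO_ERROR` with `assert(type->share_flags & H5O_SHARE_IS_SHARABLE);` in H5O__msg_write_real (PATCH 03/14, src/H5Omessage.c) removes the guard from any build compiled with NDEBUG, where assert() expands to nothing. Such builds then depend entirely on the load-time check in H5O__chunk_deserialize before reaching the SOHM index removal that follows. Because the release notes describe the flags as modifiable in the file, I would keep the runtime rejection in place of the assert: `if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable");`. The new comment also reads inverted; `/* Sanity check that the message class is sharable */` matches what is asserted. The identical hunk recurs in PATCH 07/14, and the function body extends beyond the hunk.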
diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index d7082a87139..eb37f057985 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt @@ -920,6 +920,17 @@ Bug Fixes since HDF5-2.0.0 release H5HL__fl_deserialize to ensure no overflow can occur. Fixes GitHub issue #5382 + + - Fixed messages being able to be modified to shared when they are + not sharable + + The message flags field can be modified such that a message that is + not sharable according to the share_flags field in H5O_msg_class_t + can be treated as sharable. A check has been added to make sure + messages that are not sharable can't be modified so that they + indicate they can be shared. + + Fixes GitHub issue #5329 Java Library ------------ diff --git a/src/H5Omessage.c b/src/H5Omessage.c index 9b536c56116..df34d85609f 100644 --- a/src/H5Omessage.c +++ b/src/H5Omessage.c @@ -354,6 +354,10 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m */ assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); + /* Check to see if the type is not sharable */ + if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) + HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable"); + /* Remove the old message from the SOHM index */ /* (It would be more efficient to try to share the message first, then * delete it (avoiding thrashing the index in the case the ref. From 4f76ac0e1a0973b1d18c768771d28b90fe96d7f6 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Tue, 16 Sep 2025 16:07:48 -0500 Subject: [PATCH 06/14] Add change to release note --- release_docs/release_archive.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index dd2e53e6262..819937efd39 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt 
@@ -917,6 +917,7 @@ Bug Fixes since HDF5-2.0.0 release not sharable The message flags field could be modified such that a message that is +<<<<<<< HEAD:release_docs/release_archive.txt not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they @@ -936,6 +937,8 @@ Bug Fixes since HDF5-2.0.0 release not sharable The message flags field can be modified such that a message that is +======= +>>>>>>> a7ea70fdb5 (Add change to release note):release_docs/RELEASE.txt not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they From 6e4106912f77b67dd0b56642b6f99e8968b393fc Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 25 Sep 2025 12:26:44 -0500 Subject: [PATCH 07/14] Move fix to H5O__chunk_deserialize --- src/H5Ocache.c | 2 +- src/H5Omessage.c | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 577d5c778db..5d8aff9caca 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1407,7 +1407,7 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); - + /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; } diff --git a/src/H5Omessage.c b/src/H5Omessage.c index df34d85609f..021d3a10fc4 100644 --- a/src/H5Omessage.c +++ b/src/H5Omessage.c 
@@ -354,9 +354,8 @@ H5O__msg_write_real(H5F_t *f, H5O_t *oh, const H5O_msg_class_t *type, unsigned m */ assert(!(mesg_flags & H5O_MSG_FLAG_DONTSHARE)); - /* Check to see if the type is not sharable */ - if (!(type->share_flags & H5O_SHARE_IS_SHARABLE)) - HGOTO_ERROR(H5E_OHDR, H5E_BADVALUE, FAIL, "message is not sharable"); + /* Sanity check to see if the type is not sharable */ + assert(type->share_flags & H5O_SHARE_IS_SHARABLE); /* Remove the old message from the SOHM index */ /* (It would be more efficient to try to share the message first, then From 8b2b82e1fcf9bcdc2867a09a379c5e93a9e6c60d Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 25 Sep 2025 12:42:47 -0500 Subject: [PATCH 08/14] Fix release_docs --- release_docs/CHANGELOG.md | 4 ++++ release_docs/release_archive.txt | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index 1a9617a1115..300afd6476e 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md @@ -495,6 +495,10 @@ Simple example programs showing how to use complex number datatypes have been ad ## Library +### Fixed security issue CVE-2025-2153 + + The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catche unsharable messages being marked as sharable has been improved. + ### Fixed security issue CVE-2025-6857 An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks. diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index 819937efd39..dd2e53e6262 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt 
@@ -917,7 +917,6 @@ Bug Fixes since HDF5-2.0.0 release not sharable The message flags field could be modified such that a message that is -<<<<<<< HEAD:release_docs/release_archive.txt not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they @@ -937,8 +936,6 @@ Bug Fixes since HDF5-2.0.0 release not sharable The message flags field can be modified such that a message that is -======= ->>>>>>> a7ea70fdb5 (Add change to release note):release_docs/RELEASE.txt not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. A check has been added to make sure messages that are not sharable can't be modified so that they From 1a6214c7253e23bc694dfcc1fbf85d69f1fe836d Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Thu, 25 Sep 2025 12:43:33 -0500 Subject: [PATCH 09/14] Remove duplicate entry --- release_docs/release_archive.txt | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index dd2e53e6262..a070e5f0032 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt @@ -931,18 +931,6 @@ Bug Fixes since HDF5-2.0.0 release H5HL__fl_deserialize to ensure no overflow can occur. Fixes GitHub issue #5382 - - - Fixed messages being able to be modified to shared when they are - not sharable - - The message flags field can be modified such that a message that is - not sharable according to the share_flags field in H5O_msg_class_t - can be treated as sharable. A check has been added to make sure - messages that are not sharable can't be modified so that they - indicate they can be shared. - - Fixes GitHub issue #5329 - Java Library ------------ From 5c502e4b387e0bfe7b165bdcfad71367acca2546 Mon Sep 17 00:00:00 2001 
From: Glenn Song Date: Thu, 25 Sep 2025 12:47:25 -0500 Subject: [PATCH 10/14] Add github issue number to changelog entry --- release_docs/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index 300afd6476e..a800d85f932 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md @@ -499,6 +499,8 @@ Simple example programs showing how to use complex number datatypes have been ad The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catche unsharable messages being marked as sharable has been improved. + Fixes GitHub issue #5329 + ### Fixed security issue CVE-2025-6857 An HDF5 file had a corrupted v1 B-tree that would result in a stack overflow when performing a lookup on it. This has been fixed with additional integrity checks. From e4906f769f22e05484125bb322705167cc7ea0e1 Mon Sep 17 00:00:00 2001 From: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 25 Sep 2025 20:32:25 +0000 Subject: [PATCH 11/14] Committing clang-format changes --- src/H5Ocache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 5d8aff9caca..577d5c778db 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1407,7 +1407,7 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); - + /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; } From 2b39e4619ccf5728833187276c1536eb0928cec1 Mon Sep 17 00:00:00 2001 
From: Glenn Song Date: Fri, 3 Oct 2025 12:46:48 -0500 Subject: [PATCH 12/14] Make small changes for Neil --- release_docs/release_archive.txt | 11 ----------- src/H5Ocache.c | 1 - 2 files changed, 12 deletions(-) diff --git a/release_docs/release_archive.txt b/release_docs/release_archive.txt index a070e5f0032..d7082a87139 100644 --- a/release_docs/release_archive.txt +++ b/release_docs/release_archive.txt @@ -913,17 +913,6 @@ Bug Fixes since HDF5-2.0.0 release Fixes GitHub issue #4952 - - Fixed messages being able to be modified to shared when they are - not sharable - - The message flags field could be modified such that a message that is - not sharable according to the share_flags field in H5O_msg_class_t - can be treated as sharable. A check has been added to make sure - messages that are not sharable can't be modified so that they - indicate they can be shared. - - Fixes GitHub issue #5329 - - Check for overflow in decoded heap block addresses Currently, we do not check for overflow when decoding addresses from diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 5d8aff9caca..23ee199b184 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1407,7 +1407,6 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); - /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; } From 6b4f0028027216ed130c14a7917b71b6c02b077b Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Mon, 6 Oct 2025 13:01:51 -0500 Subject: [PATCH 13/14] Fix typo --- release_docs/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release_docs/CHANGELOG.md b/release_docs/CHANGELOG.md index a800d85f932..7bb3f496b91 100644 --- a/release_docs/CHANGELOG.md +++ b/release_docs/CHANGELOG.md 
@@ -497,7 +497,7 @@ Simple example programs showing how to use complex number datatypes have been ad ### Fixed security issue CVE-2025-2153 - The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catche unsharable messages being marked as sharable has been improved. + The message flags field could be modified such that a message that is not sharable according to the share_flags field in H5O_msg_class_t can be treated as sharable. An assert has been added in H5O__msg_write_real to make sure messages that are not sharable can't be modified to shared. Additionally, the check in H5O__chunk_deserialize that catches unsharable messages being marked as sharable has been improved. Fixes GitHub issue #5329 From eaa1ee642e40c897a206676da7ab711c6b99bec4 Mon Sep 17 00:00:00 2001 From: Glenn Song Date: Mon, 6 Oct 2025 13:03:29 -0500 Subject: [PATCH 14/14] Add back line --- src/H5Ocache.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/H5Ocache.c b/src/H5Ocache.c index 23ee199b184..577d5c778db 100644 --- a/src/H5Ocache.c +++ b/src/H5Ocache.c @@ -1407,6 +1407,7 @@ H5O__chunk_deserialize(H5O_t *oh, haddr_t addr, size_t chunk_size, const uint8_t H5O_msg_class_g[id] && !(H5O_msg_class_g[id]->share_flags & H5O_SHARE_IS_SHARABLE)) HGOTO_ERROR(H5E_OHDR, H5E_CANTLOAD, FAIL, "message of unshareable class flagged as shareable"); + /* Set message class for "known" messages */ mesg->type = H5O_msg_class_g[id]; }