2 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch
new file mode 100644
index 0000000000..7a0afba423
--- /dev/null
+++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch
@@ -0,0 +1,52 @@
+From ad959fdac99810ea64504d7bdfc7724c5ca25e21 Mon Sep 17 00:00:00 2001
+From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
+Date: Thu, 9 Oct 2025 14:48:55 -0500
+Subject: [PATCH] Fix CVE-2025-2925 (#5739)
+This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image.
+The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs.
+CVE: CVE-2025-2925
+Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/H5Centry.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/src/H5Centry.c b/src/H5Centry.c
+index 1ca7479..77bc00d 100644
+--- a/src/H5Centry.c
+++ b/src/H5Centry.c
+@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f,
+          */
+         do {
+             if (actual_len != len) {
+                /* Verify that the length isn't a bad value  */
+                if (len == 0)
+                    HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");
+
+                 if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
+                     HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+                 image = (uint8_t *)new_image;
+
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+                 H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif        /* H5C_DO_MEMORY_SANITY_CHECKS */
+@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f,
+                     if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
+                         HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");
+ 
+                    /* Verify that the length isn't 0  */
+                    if (actual_len == 0)
+                        HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
+
+                     /* Expand buffer to new size */
+                     if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
+                         HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
+                     image = (uint8_t *)new_image;
+
+ #if H5C_DO_MEMORY_SANITY_CHECKS
+                     H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
+ #endif /* H5C_DO_MEMORY_SANITY_CHECKS */
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
index 39326d3072..3ff96d7301 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
           file://0001-Fix-CVE-2025-2310-5872.patch \
           file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
           file://0001-Fix-CVE-2025-2924-5814.patch \
+           file://0001-Fix-CVE-2025-2925-5739.patch \
           "
 SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"

diff --git a/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch new file mode 100644 index 0000000000..7a0afba423 --- /dev/null +++ b/meta-oe/recipes-support/hdf5/files/0001-Fix-CVE-2025-2925-5739.patch
@@ -0,0 +1,52 @@
		1	From ad959fdac99810ea64504d7bdfc7724c5ca25e21 Mon Sep 17 00:00:00 2001
		2	From: Glenn Song <43005495+glennsong09@users.noreply.github.com>
		3	Date: Thu, 9 Oct 2025 14:48:55 -0500
		4	Subject: [PATCH] Fix CVE-2025-2925 (#5739)
		5
		6	This PR fixes issue #5383, which was occurring due to actual_len + H5C_IMAGE_EXTRA_SPACE being 0. When realloc was called, it freed image, but gets sent to done before new_image can be assigned to image. Because the pointer for image isn't null, it attempts to free it here again, causing the double free to occur. This PR addresses Quincey's concern and fixes the issue while preserving new_image and image.
		7
		8	The bug was first reproduced using the fuzzer and the POC file from #5383. With this change, the double free no longer occurs.
		9
		10	CVE: CVE-2025-2925
		11	Upstream-Status: Backport [https://github.com/HDFGroup/hdf5/commit/4310c19608455c17a213383d07715efb2918defc]
		12
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	src/H5Centry.c \| 10 ++++++++++
		16	1 file changed, 10 insertions(+)
		17
		18	diff --git a/src/H5Centry.c b/src/H5Centry.c
		19	index 1ca7479..77bc00d 100644
		20	--- a/src/H5Centry.c
		21	+++ b/src/H5Centry.c
		22	@@ -1051,9 +1051,14 @@ H5C__load_entry(H5F_t *f,
		23	*/
		24	do {
		25	if (actual_len != len) {
		26	+ /* Verify that the length isn't a bad value */
		27	+ if (len == 0)
		28	+ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "len is a bad value");
		29	+
		30	if (NULL == (new_image = H5MM_realloc(image, len + H5C_IMAGE_EXTRA_SPACE)))
		31	HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
		32	image = (uint8_t *)new_image;
		33	+
		34	#if H5C_DO_MEMORY_SANITY_CHECKS
		35	H5MM_memcpy(image + len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
		36	#endif /* H5C_DO_MEMORY_SANITY_CHECKS */
		37	@@ -1104,10 +1109,15 @@ H5C__load_entry(H5F_t *f,
		38	if (H5C__verify_len_eoa(f, type, addr, &actual_len, true) < 0)
		39	HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len exceeds EOA");
		40
		41	+ /* Verify that the length isn't 0 */
		42	+ if (actual_len == 0)
		43	+ HGOTO_ERROR(H5E_CACHE, H5E_BADVALUE, NULL, "actual_len is a bad value");
		44	+
		45	/* Expand buffer to new size */
		46	if (NULL == (new_image = H5MM_realloc(image, actual_len + H5C_IMAGE_EXTRA_SPACE)))
		47	HGOTO_ERROR(H5E_CACHE, H5E_CANTALLOC, NULL, "image null after H5MM_realloc()");
		48	image = (uint8_t *)new_image;
		49	+
		50	#if H5C_DO_MEMORY_SANITY_CHECKS
		51	H5MM_memcpy(image + actual_len, H5C_IMAGE_SANITY_VALUE, H5C_IMAGE_EXTRA_SPACE);
		52	#endif /* H5C_DO_MEMORY_SANITY_CHECKS */


diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb index 39326d3072..3ff96d7301 100644 --- a/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb +++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.6.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://support.hdfgroup.org/releases/hdf5/v1_14/v1_14_6/downloads/${
18	file://0001-Fix-CVE-2025-2310-5872.patch \	18	file://0001-Fix-CVE-2025-2310-5872.patch \
19	file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \	19	file://0001-Refix-of-the-attempts-in-PR-5209-5722.patch \
20	file://0001-Fix-CVE-2025-2924-5814.patch \	20	file://0001-Fix-CVE-2025-2924-5814.patch \
		21	file://0001-Fix-CVE-2025-2925-5739.patch \
21	"	22	"
22	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"	23	SRC_URI[sha256sum] = "e4defbac30f50d64e1556374aa49e574417c9e72c6b1de7a4ff88c4b1bea6e9b"
23		24