fix CVE-2025-0395

backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch

@@ -0,0 +1,96 @@
+From df4e1f4a5096b385c9bcc94424cf2eaa227b3761 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 22 Jan 2025 17:22:02 +0100
+Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+
+Include the space needed to store the length of the message itself, in
+addition to the message string.  This resolves BZ #32582.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
+
+Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
+backtrace removal.
+
+Reference:https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761
+Conflict:NEWS
+---
+ NEWS                       | 6 ++++++
+ assert/assert.c            | 4 +++-
+ sysdeps/posix/libc_fatal.c | 5 +++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index aabb21e86c..192bf1374f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -60,6 +60,11 @@ Security related changes:
+   corresponds to the / directory through an unprivileged mount
+   namespace.  Reported by Qualys.
+
++  CVE-2025-0395: When the assert() function fails, it does not allocate
++  enough space for the assertion failure message string and size
++  information, which may lead to a buffer overflow if the message string
++  size aligns to page size.
++
+ The following bugs are resolved with this release:
+
+   [12889] nptl: Fix race between pthread_kill and thread exit
+@@ -172,6 +177,7 @@ The following bugs are resolved with this release:
+     cancellation and with cancellation disabled
+   [29097] time: fchmodat does not handle 64 bit time_t for
+     AT_SYMLINK_NOFOLLOW
++  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+ 
+ 
+ Version 2.34
+diff --git a/assert/assert.c b/assert/assert.c
+index 8a277dce00..cbc8238061 100644
+--- a/assert/assert.c
++++ b/assert/assert.c
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <atomic.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <libintl.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
+       (void) __fxprintf (NULL, "%s", str);
+       (void) fflush (stderr);
+ 
+-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++			GLRO(dl_pagesize));
+       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
+ 					MAP_ANON | MAP_PRIVATE, -1, 0);
+       if (__glibc_likely (buf != MAP_FAILED))
+diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
+index 6d24bee613..7c47b0cfb5 100644
+--- a/sysdeps/posix/libc_fatal.c
++++ b/sysdeps/posix/libc_fatal.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <paths.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
+ 
+       if ((action & do_abort))
+ 	{
+-	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
+-		   & ~(GLRO(dl_pagesize) - 1));
++	  total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++			    GLRO(dl_pagesize));
+ 	  struct abort_msg_s *buf = __mmap (NULL, total,
+ 					    PROT_READ | PROT_WRITE,
+ 					    MAP_ANON | MAP_PRIVATE, -1, 0);
+-- 
+2.43.5
+
+

glibc.spec

@@ -71,7 +71,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	165
+Release: 	166
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -317,6 +317,7 @@ Patch225: backport-elf-Handle-static-PIE-with-non-zero-load-address-BZ-.patch
 Patch226: backport-elf-Introduce-_dl_relocate_object_no_relro.patch
 Patch227: backport-elf-Switch-to-main-malloc-after-final-ld.so-self-rel.patch
 Patch228: AArch64-Optimize-memcmp.patch
+Patch229: backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@@ -1547,6 +1548,12 @@ fi
 %endif
 
 %changelog
+* Tue Feb 25 2025 taoyuxiang <taoyuxiang2@huawei.com> - 2.34-166
+- Type:CVE
+- CVE:CVE-2025-0395
+- SUG:NA
+- DESC:fix CVE-2025-0395
+
 * Mon Feb 10 2025 mayuhang <mayuhang@huawei.com> - 2.34-165
 - AArch64: Optimize memcmp