packages/glibc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1001 fix CVE-2025-0395

Browse Source 
From: @nicholastao 
Reviewed-by: @liqingqing_1229 
Signed-off-by: @liqingqing_1229
This commit is contained in:
openeuler-ci-bot 2025-02-25 06:14:47 +00:00 committed by Gitee
commit 6aa742cd6e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch Normal file
View File

@ -0,0 +1,96 @@
From df4e1f4a5096b385c9bcc94424cf2eaa227b3761 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 22 Jan 2025 17:22:02 +0100
Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Include the space needed to store the length of the message itself, in
addition to the message string. This resolves BZ #32582.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
backtrace removal.
Reference:https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761
Conflict:NEWS
---
NEWS | 6 ++++++
assert/assert.c | 4 +++-
sysdeps/posix/libc_fatal.c | 5 +++--
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index aabb21e86c..192bf1374f 100644
--- a/NEWS
+++ b/NEWS
@@ -60,6 +60,11 @@ Security related changes:
corresponds to the / directory through an unprivileged mount
namespace. Reported by Qualys.
+ CVE-2025-0395: When the assert() function fails, it does not allocate
+ enough space for the assertion failure message string and size
+ information, which may lead to a buffer overflow if the message string
+ size aligns to page size.
+
The following bugs are resolved with this release:
[12889] nptl: Fix race between pthread_kill and thread exit
@@ -172,6 +177,7 @@ The following bugs are resolved with this release:
cancellation and with cancellation disabled
[29097] time: fchmodat does not handle 64 bit time_t for
AT_SYMLINK_NOFOLLOW
+ [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Version 2.34
diff --git a/assert/assert.c b/assert/assert.c
index 8a277dce00..cbc8238061 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
#include <assert.h>
#include <atomic.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <libintl.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
(void) __fxprintf (NULL, "%s", str);
(void) fflush (stderr);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
if (__glibc_likely (buf != MAP_FAILED))
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 6d24bee613..7c47b0cfb5 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <fcntl.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <paths.h>
#include <stdarg.h>
#include <stdbool.h>
@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
if ((action & do_abort))
{
- total = ((total + 1 + GLRO(dl_pagesize) - 1)
- & ~(GLRO(dl_pagesize) - 1));
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total,
PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
--
2.43.5

9
glibc.spec
View File

@ -71,7 +71,7 @@
############################################################################## ##############################################################################
Name: glibc Name: glibc
Version: 2.34 Version: 2.34
Release: 165 Release: 166
Summary: The GNU libc libraries Summary: The GNU libc libraries
License: %{all_license} License: %{all_license}
URL: http://www.gnu.org/software/glibc/ URL: http://www.gnu.org/software/glibc/
@ -317,6 +317,7 @@ Patch225: backport-elf-Handle-static-PIE-with-non-zero-load-address-BZ-.patch
Patch226: backport-elf-Introduce-_dl_relocate_object_no_relro.patch Patch226: backport-elf-Introduce-_dl_relocate_object_no_relro.patch
Patch227: backport-elf-Switch-to-main-malloc-after-final-ld.so-self-rel.patch Patch227: backport-elf-Switch-to-main-malloc-after-final-ld.so-self-rel.patch
Patch228: AArch64-Optimize-memcmp.patch Patch228: AArch64-Optimize-memcmp.patch
Patch229: backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch
@ -1547,6 +1548,12 @@ fi
%endif %endif
%changelog %changelog
* Tue Feb 25 2025 taoyuxiang <taoyuxiang2@huawei.com> - 2.34-166
- Type:CVE
- CVE:CVE-2025-0395
- SUG:NA
- DESC:fix CVE-2025-0395
* Mon Feb 10 2025 mayuhang <mayuhang@huawei.com> - 2.34-165 * Mon Feb 10 2025 mayuhang <mayuhang@huawei.com> - 2.34-165
- AArch64: Optimize memcmp - AArch64: Optimize memcmp