packages/glibc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
glibc/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
nicholastao 02a9369f23 fix CVE-2025-0395
2025-02-25 10:49:40 +08:00

97 lines
3.3 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From df4e1f4a5096b385c9bcc94424cf2eaa227b3761 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 22 Jan 2025 17:22:02 +0100
Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Include the space needed to store the length of the message itself, in
addition to the message string. This resolves BZ #32582.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
backtrace removal.
Reference:https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761
Conflict:NEWS
---
NEWS | 6 ++++++
assert/assert.c | 4 +++-
sysdeps/posix/libc_fatal.c | 5 +++--
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index aabb21e86c..192bf1374f 100644
--- a/NEWS
+++ b/NEWS
@@ -60,6 +60,11 @@ Security related changes:
corresponds to the / directory through an unprivileged mount
namespace. Reported by Qualys.
+ CVE-2025-0395: When the assert() function fails, it does not allocate
+ enough space for the assertion failure message string and size
+ information, which may lead to a buffer overflow if the message string
+ size aligns to page size.
+
The following bugs are resolved with this release:
[12889] nptl: Fix race between pthread_kill and thread exit
@@ -172,6 +177,7 @@ The following bugs are resolved with this release:
cancellation and with cancellation disabled
[29097] time: fchmodat does not handle 64 bit time_t for
AT_SYMLINK_NOFOLLOW
+ [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Version 2.34
diff --git a/assert/assert.c b/assert/assert.c
index 8a277dce00..cbc8238061 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
#include <assert.h>
#include <atomic.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <libintl.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
(void) __fxprintf (NULL, "%s", str);
(void) fflush (stderr);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
if (__glibc_likely (buf != MAP_FAILED))
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 6d24bee613..7c47b0cfb5 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <fcntl.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <paths.h>
#include <stdarg.h>
#include <stdbool.h>
@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
if ((action & do_abort))
{
- total = ((total + 1 + GLRO(dl_pagesize) - 1)
- & ~(GLRO(dl_pagesize) - 1));
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total,
PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
--
2.43.5
Reference in New Issue View Git Blame Copy Permalink