packages/glibc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
glibc/Fix-underallocation-of-abort_msg_s-struct-CVE-2025-0.patch

90 lines
3.2 KiB
Diff
Raw Normal View History

backport form glibc upstream 2.38 branch, this include below patches: - stdlib: Test using setenv with updated environ [BZ #32588] - Fix underallocation of abort_msg_s struct (CVE-2025-0395) - elf: Support recursive use of dynamic TLS in interposed malloc - elf: Avoid some free (NULL) calls in _dl_update_slotinfo - x86/string: Fixup alignment of main loop in str{n}cmp-evex [BZ #32212] - x86: Improve large memset perf with non-temporal stores [RHEL-29312] - x86_64: Fix missing wcsncat function definition without multiarch (x86-64-v4) - sysdeps/x86/Makefile: Split and sort tests - x86: Only align destination to 1x VEC_SIZE in memset 4x loop - elf: Fix slow tls access after dlopen [BZ #19924] - x86: Check the lower byte of EAX of CPUID leaf 2 [BZ #30643] - x86_64: Add log1p with FMA - x86_64: Add expm1 with FMA - x86_64: Add log2 with FMA - x86_64: Sort fpu/multiarch/Makefile (cherry picked from commit d5576a8feda207f06e46bcbcc1bdb566f0fd460a)
2025-01-26 10:05:30 +08:00
From c32fd59314c343db88c3ea4a203870481d33c3d2 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Tue, 21 Jan 2025 16:11:06 -0500
Subject: [PATCH] Fix underallocation of abort_msg_s struct
(CVE-2025-0395)
Include the space needed to store the length of the message itself, in
addition to the message string. This resolves BZ #32582.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
---
NEWS | 6 ++++++
assert/assert.c | 4 +++-
sysdeps/posix/libc_fatal.c | 4 +++-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index d0815514e0..3e511d6de4 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,11 @@ Security related changes:
buffer overflow, which could be exploited to achieve escalated
privileges. This flaw was introduced in glibc 2.34.
+ CVE-2025-0395: When the assert() function fails, it does not allocate
+ enough space for the assertion failure message string and size
+ information, which may lead to a buffer overflow if the message string
+ size aligns to page size.
+
The following bugs are resolved with this release:
[27821] ungetc: Fix backup buffer leak on program exit
@@ -61,6 +66,7 @@ The following bugs are resolved with this release:
[32137] libio: Attempt wide backup free only for non-legacy code
[32231] elf: Change ldconfig auxcache magic number
[32470] x86: Avoid integer truncation with large cache sizes
+ [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Version 2.38
diff --git a/assert/assert.c b/assert/assert.c
index b7c7a4a1ba..65a9fedf0d 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
#include <assert.h>
#include <atomic.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <libintl.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
(void) __fxprintf (NULL, "%s", str);
(void) fflush (stderr);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
if (__glibc_likely (buf != MAP_FAILED))
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 70edcc10c1..5b9e4b7918 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <fcntl.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <paths.h>
#include <stdarg.h>
#include <stdbool.h>
@@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...)
WRITEV_FOR_FATAL (fd, iov, nlist, total);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total,
PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
--
2.27.0
Reference in New Issue Copy Permalink