packages/glibc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
glibc/Fix-underallocation-of-abort_msg_s-struct-CVE-2025-0.patch
Qingqing Li 63c381c3fe backport form glibc upstream 2.38 branch, this include below patches: 
- stdlib: Test using setenv with updated environ [BZ #32588]
- Fix underallocation of abort_msg_s struct (CVE-2025-0395)
- elf: Support recursive use of dynamic TLS in interposed malloc
- elf: Avoid some free (NULL) calls in _dl_update_slotinfo
- x86/string: Fixup alignment of main loop in str{n}cmp-evex [BZ #32212]
- x86: Improve large memset perf with non-temporal stores [RHEL-29312]
- x86_64: Fix missing wcsncat function definition without multiarch (x86-64-v4)
- sysdeps/x86/Makefile: Split and sort tests
- x86: Only align destination to 1x VEC_SIZE in memset 4x loop
- elf: Fix slow tls access after dlopen [BZ #19924]
- x86: Check the lower byte of EAX of CPUID leaf 2 [BZ #30643]
- x86_64: Add log1p with FMA
- x86_64: Add expm1 with FMA
- x86_64: Add log2 with FMA
- x86_64: Sort fpu/multiarch/Makefile

(cherry picked from commit d5576a8feda207f06e46bcbcc1bdb566f0fd460a)
2025-01-27 10:54:52 +08:00

90 lines
3.2 KiB
Diff
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From c32fd59314c343db88c3ea4a203870481d33c3d2 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Tue, 21 Jan 2025 16:11:06 -0500
Subject: [PATCH] Fix underallocation of abort_msg_s struct
(CVE-2025-0395)
Include the space needed to store the length of the message itself, in
addition to the message string. This resolves BZ #32582.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
---
NEWS | 6 ++++++
assert/assert.c | 4 +++-
sysdeps/posix/libc_fatal.c | 4 +++-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index d0815514e0..3e511d6de4 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,11 @@ Security related changes:
buffer overflow, which could be exploited to achieve escalated
privileges. This flaw was introduced in glibc 2.34.
+ CVE-2025-0395: When the assert() function fails, it does not allocate
+ enough space for the assertion failure message string and size
+ information, which may lead to a buffer overflow if the message string
+ size aligns to page size.
+
The following bugs are resolved with this release:
[27821] ungetc: Fix backup buffer leak on program exit
@@ -61,6 +66,7 @@ The following bugs are resolved with this release:
[32137] libio: Attempt wide backup free only for non-legacy code
[32231] elf: Change ldconfig auxcache magic number
[32470] x86: Avoid integer truncation with large cache sizes
+ [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Version 2.38
diff --git a/assert/assert.c b/assert/assert.c
index b7c7a4a1ba..65a9fedf0d 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
#include <assert.h>
#include <atomic.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <libintl.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
(void) __fxprintf (NULL, "%s", str);
(void) fflush (stderr);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
if (__glibc_likely (buf != MAP_FAILED))
diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 70edcc10c1..5b9e4b7918 100644
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
#include <errno.h>
#include <fcntl.h>
#include <ldsodefs.h>
+#include <libc-pointer-arith.h>
#include <paths.h>
#include <stdarg.h>
#include <stdbool.h>
@@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...)
WRITEV_FOR_FATAL (fd, iov, nlist, total);
- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+ GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total,
PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0);
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink