fix CVE-2025-0395

2025-02-25 15:55:54 +08:00 · 2025-02-25 15:55:54 +08:00 · 731364ea66
commit 731364ea66
parent 56203f62c9
2 changed files with 105 additions and 1 deletions
--- a/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
+++ b/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
@ -0,0 +1,97 @@
+From df4e1f4a5096b385c9bcc94424cf2eaa227b3761 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 22 Jan 2025 17:22:02 +0100
+Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+
+Include the space needed to store the length of the message itself, in
+addition to the message string.  This resolves BZ #32582.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
+
+Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
+backtrace removal.
+
+Reference:https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761
+Conflict:NEWS
+---
+ NEWS                       | 6 ++++++
+ assert/assert.c            | 4 +++-
+ sysdeps/posix/libc_fatal.c | 5 +++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index aabb21e86c..192bf1374f 100644
+--- a/NEWS
+++ b/NEWS
+@@ -60,6 +60,11 @@ Security related changes:
+   corruption when they were passed a pseudo-zero argument.  Reported by Guido
+   Vranken / ForAllSecure Mayhem.
+ 
+  CVE-2025-0395: When the assert() function fails, it does not allocate
+  enough space for the assertion failure message string and size
+  information, which may lead to a buffer overflow if the message string
+  size aligns to page size.
+
+ The following bugs are resolved with this release:
+ 
+   [18035] Fix pldd hang
+@@ -172,6 +177,7 @@ The following bugs are resolved with this release:
+   [23459] libc: COMMON_CPUID_INDEX_80000001 isn't populated for Intel
+     processors
+   [23467] dynamic-link: x86/CET: A property note parser bug
+  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+ 
+ 
+ Version 2.27
+diff --git a/assert/assert.c b/assert/assert.c
+index 8a277dce00..cbc8238061 100644
+--- a/assert/assert.c
+++ b/assert/assert.c
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <atomic.h>
+ #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
+ #include <libintl.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
+       (void) __fxprintf (NULL, "%s", str);
+       (void) fflush (stderr);
+ 
+-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+			GLRO(dl_pagesize));
+       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
+ 					MAP_ANON | MAP_PRIVATE, -1, 0);
+       if (__glibc_likely (buf != MAP_FAILED))
+diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
+index 6d24bee613..7c47b0cfb5 100644
+--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
+ #include <paths.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
+ 
+       if ((action & do_abort))
+ 	{
+-	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
+-		   & ~(GLRO(dl_pagesize) - 1));
+	  total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+			    GLRO(dl_pagesize));
+ 	  struct abort_msg_s *buf = __mmap (NULL, total,
+ 					    PROT_READ | PROT_WRITE,
+ 					    MAP_ANON | MAP_PRIVATE, -1, 0);
+-- 
+2.43.5
+
+
+
--- a/glibc.spec
+++ b/glibc.spec
@ -62,7 +62,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.28
-Release: 	103
+Release: 	104
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -170,6 +170,7 @@ Patch83: backport-Skip-unusable-entries-in-first-pass-in-prune_cache.patch
 Patch84: backport-Reversing-calculation-of-__x86_shared_non_t.patch
 Patch85: backport-x86-Optimizing-memcpy-for-AMD-Zen-architect.patch
 Patch86: backport-x86-Add-Hygon-support.patch
+Patch87: backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch

 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)

@ -1286,6 +1287,12 @@ fi
 %endif

 %changelog
+* Tue Feb 25 2025 taoyuxiang <taoyuxiang2@huawei.com> - 2.28-104
+- Type:CVE
+- CVE:CVE-2025-0395
+- SUG:NA
+- DESC:fix CVE-2025-0395
+
 * Wed Dec 25 2024 taoyuxiang <taoyuxiang2@huawei.com> - 2.28-103
 - Change Inner-Net to Inner-Net-2.0
 - Change GFDL to GFDL-1.3-only