Fix underallocation of abort_msg_s struct (CVE-2025-0395)

Include the space needed to store the length of the message itself, in
addition to the message string.  This resolves BZ #32582.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704c)
Siddhesh Poyarekar 2025-01-21 16:11:06 -05:00 committed by Florian Weimer
parent 549e7f7c5a
commit c32fd59314
3 changed files with 12 additions and 2 deletions

6
NEWS

@ -34,6 +34,11 @@ Security related changes:
buffer overflow, which could be exploited to achieve escalated buffer overflow, which could be exploited to achieve escalated
privileges. This flaw was introduced in glibc 2.34. privileges. This flaw was introduced in glibc 2.34.
CVE-2025-0395: When the assert() function fails, it does not allocate
enough space for the assertion failure message string and size
information, which may lead to a buffer overflow if the message string
size aligns to page size.
The following bugs are resolved with this release: The following bugs are resolved with this release:
[27821] ungetc: Fix backup buffer leak on program exit [27821] ungetc: Fix backup buffer leak on program exit
@ -61,6 +66,7 @@ The following bugs are resolved with this release:
[32137] libio: Attempt wide backup free only for non-legacy code [32137] libio: Attempt wide backup free only for non-legacy code
[32231] elf: Change ldconfig auxcache magic number [32231] elf: Change ldconfig auxcache magic number
[32470] x86: Avoid integer truncation with large cache sizes [32470] x86: Avoid integer truncation with large cache sizes
[32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
Version 2.38 Version 2.38


@ -18,6 +18,7 @@
#include <assert.h> #include <assert.h>
#include <atomic.h> #include <atomic.h>
#include <ldsodefs.h> #include <ldsodefs.h>
#include <libc-pointer-arith.h>
#include <libintl.h> #include <libintl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
(void) __fxprintf (NULL, "%s", str); (void) __fxprintf (NULL, "%s", str);
(void) fflush (stderr); (void) fflush (stderr);
total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1); total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE, struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0); MAP_ANON | MAP_PRIVATE, -1, 0);
if (__glibc_likely (buf != MAP_FAILED)) if (__glibc_likely (buf != MAP_FAILED))
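Review bot: The new `total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1, GLRO(dl_pagesize));` encodes the layout the mapping must hold, yet nothing at the site says why the header term is there; a comment such as `/* Room for the abort_msg_s header, the message and its terminating NUL, rounded up to the page size the mapping is made in.  */` would keep a later edit from dropping that term again, here and on the identical line in the `__libc_message` hunk of the following file section. The same expression is now maintained by hand in two files, and the two removed lines show the original underallocation was the same mistake in both; a small static inline helper placed next to the `struct abort_msg_s` definition would make the call sites agree by construction. The commit carries no regression test, and the case the NEWS entry describes — a message whose `total + 1` is an exact multiple of `GLRO(dl_pagesize)` — is straightforward to pin in one. `__assert_fail_base` continues past the end of the hunk, so the writes into `buf` that this size protects are not visible here.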


@ -20,6 +20,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <ldsodefs.h> #include <ldsodefs.h>
#include <libc-pointer-arith.h>
#include <paths.h> #include <paths.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdbool.h> #include <stdbool.h>
@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...)
WRITEV_FOR_FATAL (fd, iov, nlist, total); WRITEV_FOR_FATAL (fd, iov, nlist, total);
total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1); total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
GLRO(dl_pagesize));
struct abort_msg_s *buf = __mmap (NULL, total, struct abort_msg_s *buf = __mmap (NULL, total,
PROT_READ | PROT_WRITE, PROT_READ | PROT_WRITE,
MAP_ANON | MAP_PRIVATE, -1, 0); MAP_ANON | MAP_PRIVATE, -1, 0);