Fix underallocation of abort_msg_s struct (CVE-2025-0395)

Include the space needed to store the length of the message itself, in
addition to the message string.  This resolves BZ #32582.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
backtrace removal.

diff --git a/NEWS b/NEWS
index 32cba994c9329e2662378b30fbb9f26e3eb7c169..96ff2c8a2059f6762f5e189c60d139b3eec565a2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,11 @@ Security related changes:
   buffer overflow, which could be exploited to achieve escalated
   privileges.  This flaw was introduced in glibc 2.34.
 
+  CVE-2025-0395: When the assert() function fails, it does not allocate
+  enough space for the assertion failure message string and size
+  information, which may lead to a buffer overflow if the message string
+  size aligns to page size.
+
 The following bugs are resolved with this release:
 
   [12154] Do not fail DNS resolution for CNAMEs which are not host names
@@ -107,6 +112,7 @@ The following bugs are resolved with this release:
   [32137] libio: Attempt wide backup free only for non-legacy code
   [32231] elf: Change ldconfig auxcache magic number
   [32470] x86: Avoid integer truncation with large cache sizes
+  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
 \f
 Version 2.36
 

diff --git a/assert/assert.c b/assert/assert.c
index 133a183bc337075e06447e4c8e5cfba180aaf7bf..9e55eeb473399bd8e9c9490275f1cd5249af772f 100644 (file)
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
 #include <assert.h>
 #include <atomic.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <libintl.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
       (void) __fxprintf (NULL, "%s", str);
       (void) fflush (stderr);
 
-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+                       GLRO(dl_pagesize));
       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
                                        MAP_ANON | MAP_PRIVATE, -1, 0);
       if (__glibc_likely (buf != MAP_FAILED))

diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 2ee0010b8dbee26dcc10d5cffab1b410c0446b31..dfa07805140cabc8d0332ae15153841f8d997f61 100644 (file)
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <paths.h>
 #include <stdarg.h>
 #include <stdbool.h>
@@ -125,8 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
 
       if ((action & do_abort))
        {
-         total = ((total + 1 + GLRO(dl_pagesize) - 1)
-                  & ~(GLRO(dl_pagesize) - 1));
+         total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+                           GLRO(dl_pagesize));
          struct abort_msg_s *buf = __mmap (NULL, total,
                                            PROT_READ | PROT_WRITE,
                                            MAP_ANON | MAP_PRIVATE, -1, 0);