Fix underallocation of abort_msg_s struct (CVE-2025-0395)

Include the space needed to store the length of the message itself, in
addition to the message string.  This resolves BZ #32582.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

diff --git a/NEWS b/NEWS
index d0815514e09cc5cd38aa30d3bc30de7fa8475b56..3e511d6de4e376584ef2965bd3bbe0bea8f93e53 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,11 @@ Security related changes:
   buffer overflow, which could be exploited to achieve escalated
   privileges.  This flaw was introduced in glibc 2.34.
 
+  CVE-2025-0395: When the assert() function fails, it does not allocate
+  enough space for the assertion failure message string and size
+  information, which may lead to a buffer overflow if the message string
+  size aligns to page size.
+
 The following bugs are resolved with this release:
 
   [27821] ungetc: Fix backup buffer leak on program exit
@@ -61,6 +66,7 @@ The following bugs are resolved with this release:
   [32137] libio: Attempt wide backup free only for non-legacy code
   [32231] elf: Change ldconfig auxcache magic number
   [32470] x86: Avoid integer truncation with large cache sizes
+  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
 \f
 Version 2.38
 

diff --git a/assert/assert.c b/assert/assert.c
index b7c7a4a1ba31087ad3d0c33bc7edff27d513914c..65a9fedf0d82e1fa3cd57027ce1be55b16683b13 100644 (file)
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -18,6 +18,7 @@
 #include <assert.h>
 #include <atomic.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <libintl.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
       (void) __fxprintf (NULL, "%s", str);
       (void) fflush (stderr);
 
-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+                       GLRO(dl_pagesize));
       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
                                        MAP_ANON | MAP_PRIVATE, -1, 0);
       if (__glibc_likely (buf != MAP_FAILED))

diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
index 70edcc10c15c0dc45a965d4979c36487f1fedb79..5b9e4b7918694a7aa164286d0a403314ff613a18 100644 (file)
--- a/sysdeps/posix/libc_fatal.c
+++ b/sysdeps/posix/libc_fatal.c
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <paths.h>
 #include <stdarg.h>
 #include <stdbool.h>
@@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...)
 
       WRITEV_FOR_FATAL (fd, iov, nlist, total);
 
-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+                       GLRO(dl_pagesize));
       struct abort_msg_s *buf = __mmap (NULL, total,
                                        PROT_READ | PROT_WRITE,
                                        MAP_ANON | MAP_PRIVATE, -1, 0);