From 7de5dcc17c2b2b5f772a1dc746eb1387c2b841e7 Mon Sep 17 00:00:00 2001
From: Arjun Shankar
Date: Fri, 14 Mar 2025 16:10:04 +0100
Subject: [PATCH] assert: Add test for CVE-2025-0395 (RHEL-83527)
Resolves: RHEL-83527
---
 glibc-RHEL-83527-1.patch | 24 ++++++++
 glibc-RHEL-83527-2.patch | 124 +++++++++++++++++++++++++++++++++++++++
 glibc.spec | 7 ++-
 3 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 glibc-RHEL-83527-1.patch
 create mode 100644 glibc-RHEL-83527-2.patch
diff --git a/glibc-RHEL-83527-1.patch b/glibc-RHEL-83527-1.patch
new file mode 100644
index 0000000..93983a5
--- /dev/null
+++ b/glibc-RHEL-83527-1.patch
@@ -0,0 +1,24 @@
+commit 265e13d33c470446043a3d2033984a1197151e09
+Author: H.J. Lu
+Date: Sun Dec 22 05:55:39 2024 +0800
+
+ assert: Sort tests in Makefile
+
+ Signed-off-by: H.J. Lu
+
+diff --git a/assert/Makefile b/assert/Makefile
+index 85358fad51367b49..9fa016c472eb67b1 100644
+--- a/assert/Makefile
++++ b/assert/Makefile
+@@ -35,10 +35,10 @@ routines := \
+
+ tests := \
+ test-assert \
++ test-assert-2 \
+ test-assert-perr \
+ tst-assert-c++ \
+ tst-assert-g++ \
+- test-assert-2 \
+ # tests
+
+ ifeq ($(have-cxx-thread_local),yes)
diff --git a/glibc-RHEL-83527-2.patch b/glibc-RHEL-83527-2.patch
new file mode 100644
index 0000000..535b4ac
--- /dev/null
+++ b/glibc-RHEL-83527-2.patch
@@ -0,0 +1,124 @@
+commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2
+Author: Siddhesh Poyarekar
+Date: Fri Jan 31 12:16:30 2025 -0500
+
+ assert: Add test for CVE-2025-0395
+
+ Use the __progname symbol to override the program name to induce the
+ failure that CVE-2025-0395 describes.
+
+ This is related to BZ #32582
+
+ Signed-off-by: Siddhesh Poyarekar
+ Reviewed-by: Adhemerval Zanella
+
+diff --git a/assert/Makefile b/assert/Makefile
+index 9fa016c472eb67b1..80f5fad9f52378db 100644
+--- a/assert/Makefile
++++ b/assert/Makefile
+@@ -39,6 +39,7 @@ tests := \
+ test-assert-perr \
+ tst-assert-c++ \
+ tst-assert-g++ \
++ tst-assert-sa-2025-0001 \
+ # tests
+
+ ifeq ($(have-cxx-thread_local),yes)
+diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c
+new file mode 100644
+index 0000000000000000..102cb0078dafa9c1
+--- /dev/null
++++ b/assert/tst-assert-sa-2025-0001.c
+@@ -0,0 +1,92 @@
++/* Test for CVE-2025-0395.
++ Copyright The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++/* Test that a large enough __progname does not result in a buffer overflow
++ when printing an assertion failure. This was CVE-2025-0395. */
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++extern const char *__progname;
++
++int
++do_test (int argc, char **argv)
++{
++
++ support_need_proc ("Reads /proc/self/maps to add guards to writable maps.");
++ ignore_stderr ();
++
++ /* XXX assumes that the assert is on a 2 digit line number. */
++ const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n";
++
++ int ret = fprintf (stderr, prompt, __FILE__);
++ if (ret < 0)
++ FAIL_EXIT1 ("fprintf failed: %m\n");
++
++ size_t pagesize = getpagesize ();
++ size_t namesize = pagesize - 1 - ret;
++
++ /* Alter the progname so that the assert message fills the entire page. */
++ char progname[namesize];
++ memset (progname, 'A', namesize - 1);
++ progname[namesize - 1] = '\0';
++ __progname = progname;
++
++ FILE *f = xfopen ("/proc/self/maps", "r");
++ char *line = NULL;
++ size_t len = 0;
++ uintptr_t prev_to = 0;
++
++ /* Pad the beginning of every writable mapping with a PROT_NONE map. This
++ ensures that the mmap in the assert_fail path never ends up below a
++ writable map and will terminate immediately in case of a buffer
++ overflow. */
++ while (xgetline (&line, &len, f))
++ {
++ uintptr_t from, to;
++ char perm[4];
++
++ sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ",
++ &from, &to,
++ &perm[0], &perm[1], &perm[2], &perm[3]);
++
++ bool writable = (memchr (perm, 'w', 4) != NULL);
++
++ if (prev_to != 0 && from - prev_to > pagesize && writable)
++ xmmap ((void *) from - pagesize, pagesize, PROT_NONE,
++ MAP_ANONYMOUS | MAP_PRIVATE, 0);
++
++ prev_to = to;
++ }
++
++ xfclose (f);
++
++ assert (argc < 1);
++ return 0;
++}
++
++#define EXPECTED_SIGNAL SIGABRT
++#define TEST_FUNCTION_ARGV do_test
++#include
diff --git a/glibc.spec b/glibc.spec
index e5cfcec..8519255 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -157,7 +157,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 178%{?dist}
+Release: 179%{?dist}
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
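Review bot: The sscanf call that parses each /proc/self/maps line in the new tst-assert-sa-2025-0001.c never checks its return value, so on any line that does not match the format `from`, `to` and `perm` are read uninitialized by the following memchr and range test, which is undefined behaviour and could either miss a writable mapping or map a guard page at a garbage address. A one-line guard keeps the loop on parsed data only: `if (sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ", &from, &to, &perm[0], &perm[1], &perm[2], &perm[3]) != 6) continue;` (skipping the `prev_to = to` update is correct there because `to` is not valid). Separately, `from - pagesize` is only a hint to mmap; if the kernel places the PROT_NONE page elsewhere the guard silently does not cover the gap and the test can pass without exercising the overflow it exists to catch, so comparing xmmap's return value with the requested address and failing the test on a mismatch would make the harness trustworthy. Consider also documenting above the loop that `from - prev_to > pagesize` deliberately skips gaps of exactly one page, since a reader will otherwise expect `>=`. do_test is entirely within this hunk.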
@@ -1150,6 +1150,8 @@ Patch842: glibc-RHEL-56627-7.patch
 Patch843: glibc-RHEL-56627-8.patch
 Patch844: glibc-RHEL-28119.patch
 Patch845: glibc-RHEL-61561.patch
+Patch846: glibc-RHEL-83527-1.patch
+Patch847: glibc-RHEL-83527-2.patch
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -3143,6 +3145,9 @@ update_gconv_modules_cache ()
 %endif
 %changelog
+* Fri Mar 14 2025 Arjun Shankar - 2.34-179
+- assert: Add test for CVE-2025-0395 (RHEL-83527)
+
 * Fri Mar 14 2025 Arjun Shankar - 2.34-178
 - nptl: extend test coverage for sched_yield (RHEL-61561)