assert: Add test for CVE-2025-0395 (RHEL-83527)

Resolves: RHEL-83527
2025-03-14 16:10:04 +01:00 · 2025-03-14 16:10:04 +01:00 · 7de5dcc17c
commit 7de5dcc17c
parent efcdbdd0a0
3 changed files with 154 additions and 1 deletions
--- a/glibc-RHEL-83527-1.patch
+++ b/glibc-RHEL-83527-1.patch
@ -0,0 +1,24 @@
 commit 265e13d33c470446043a3d2033984a1197151e09
 Author: H.J. Lu <hjl.tools@gmail.com>
 Date:   Sun Dec 22 05:55:39 2024 +0800
    assert: Sort tests in Makefile
    Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
 diff --git a/assert/Makefile b/assert/Makefile
 index 85358fad51367b49..9fa016c472eb67b1 100644
 --- a/assert/Makefile
 +++ b/assert/Makefile
@@ -35,10 +35,10 @@ routines := \
 tests := \
   test-assert \
 +  test-assert-2 \
   test-assert-perr \
   tst-assert-c++ \
   tst-assert-g++ \
 -  test-assert-2 \
   # tests
 ifeq ($(have-cxx-thread_local),yes)
--- a/glibc-RHEL-83527-2.patch
+++ b/glibc-RHEL-83527-2.patch
@ -0,0 +1,124 @@
 commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2
 Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Date:   Fri Jan 31 12:16:30 2025 -0500
    assert: Add test for CVE-2025-0395
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    This is related to BZ #32582
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 diff --git a/assert/Makefile b/assert/Makefile
 index 9fa016c472eb67b1..80f5fad9f52378db 100644
 --- a/assert/Makefile
 +++ b/assert/Makefile
@@ -39,6 +39,7 @@ tests := \
   test-assert-perr \
   tst-assert-c++ \
   tst-assert-g++ \
 +  tst-assert-sa-2025-0001 \
   # tests
 ifeq ($(have-cxx-thread_local),yes)
 diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c
 new file mode 100644
 index 0000000000000000..102cb0078dafa9c1
 --- /dev/null
 +++ b/assert/tst-assert-sa-2025-0001.c
@@ -0,0 +1,92 @@
 +/* Test for CVE-2025-0395.
 +   Copyright The GNU Toolchain Authors.
 +   This file is part of the GNU C Library.
 +
 +   The GNU C Library is free software; you can redistribute it and/or
 +   modify it under the terms of the GNU Lesser General Public
 +   License as published by the Free Software Foundation; either
 +   version 2.1 of the License, or (at your option) any later version.
 +
 +   The GNU C Library is distributed in the hope that it will be useful,
 +   but WITHOUT ANY WARRANTY; without even the implied warranty of
 +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +   Lesser General Public License for more details.
 +
 +   You should have received a copy of the GNU Lesser General Public
 +   License along with the GNU C Library; if not, see
 +   <https://www.gnu.org/licenses/>.  */
 +
 +/* Test that a large enough __progname does not result in a buffer overflow
 +   when printing an assertion failure.  This was CVE-2025-0395.  */
 +#include <assert.h>
 +#include <inttypes.h>
 +#include <signal.h>
 +#include <stdbool.h>
 +#include <string.h>
 +#include <sys/mman.h>
 +#include <support/check.h>
 +#include <support/support.h>
 +#include <support/xstdio.h>
 +#include <support/xunistd.h>
 +
 +extern const char *__progname;
 +
 +int
 +do_test (int argc, char **argv)
 +{
 +
 +  support_need_proc ("Reads /proc/self/maps to add guards to writable maps.");
 +  ignore_stderr ();
 +
 +  /* XXX assumes that the assert is on a 2 digit line number.  */
 +  const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n";
 +
 +  int ret = fprintf (stderr, prompt, __FILE__);
 +  if (ret < 0)
 +    FAIL_EXIT1 ("fprintf failed: %m\n");
 +
 +  size_t pagesize = getpagesize ();
 +  size_t namesize = pagesize - 1 - ret;
 +
 +  /* Alter the progname so that the assert message fills the entire page.  */
 +  char progname[namesize];
 +  memset (progname, 'A', namesize - 1);
 +  progname[namesize - 1] = '\0';
 +  __progname = progname;
 +
 +  FILE *f = xfopen ("/proc/self/maps", "r");
 +  char *line = NULL;
 +  size_t len = 0;
 +  uintptr_t prev_to = 0;
 +
 +  /* Pad the beginning of every writable mapping with a PROT_NONE map.  This
 +     ensures that the mmap in the assert_fail path never ends up below a
 +     writable map and will terminate immediately in case of a buffer
 +     overflow.  */
 +  while (xgetline (&line, &len, f))
 +    {
 +      uintptr_t from, to;
 +      char perm[4];
 +
 +      sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ",
 +	      &from, &to,
 +	      &perm[0], &perm[1], &perm[2], &perm[3]);
 +
 +      bool writable = (memchr (perm, 'w', 4) != NULL);
 +
 +      if (prev_to != 0 && from - prev_to > pagesize && writable)
 +	xmmap ((void *) from - pagesize, pagesize, PROT_NONE,
 +	       MAP_ANONYMOUS | MAP_PRIVATE, 0);
 +
 +      prev_to = to;
 +    }
 +
 +  xfclose (f);
 +
 +  assert (argc < 1);
 +  return 0;
 +}
 +
 +#define EXPECTED_SIGNAL SIGABRT
 +#define TEST_FUNCTION_ARGV do_test
 +#include <support/test-driver.c>
--- a/glibc.spec
+++ b/glibc.spec
@ -157,7 +157,7 @@ end \
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 178%{?dist}
+Release: 179%{?dist}
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
 # libraries.
@ -1150,6 +1150,8 @@ Patch842: glibc-RHEL-56627-7.patch
 Patch843: glibc-RHEL-56627-8.patch
 Patch844: glibc-RHEL-28119.patch
 Patch845: glibc-RHEL-61561.patch
 Patch846: glibc-RHEL-83527-1.patch
 Patch847: glibc-RHEL-83527-2.patch
 ##############################################################################
 # Continued list of core "glibc" package information:
@ -3143,6 +3145,9 @@ update_gconv_modules_cache ()
 %endif
 %changelog
 * Fri Mar 14 2025 Arjun Shankar <arjun@redhat.com> - 2.34-179
 - assert: Add test for CVE-2025-0395 (RHEL-83527)
 * Fri Mar 14 2025 Arjun Shankar <arjun@redhat.com> - 2.34-178
 - nptl: extend test coverage for sched_yield (RHEL-61561)