From: Harish Sadineni <harish.sadin...@windriver.com> Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c]
Signed-off-by: Harish Sadineni <harish.sadin...@windriver.com>
---
 .../glibc/glibc/0025-CVE-2025-0395.patch | 67 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.40.bb | 1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0025-CVE-2025-0395.patch
diff --git a/meta/recipes-core/glibc/glibc/0025-CVE-2025-0395.patch b/meta/recipes-core/glibc/glibc/0025-CVE-2025-0395.patch
new file mode 100644
index 0000000000..a7f9cc8bad
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0025-CVE-2025-0395.patch
@@ -0,0 +1,67 @@
+From 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddh...@sourceware.org>
+Date: Tue, 21 Jan 2025 16:11:06 -0500
+Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+
+Include the space needed to store the length of the message itself, in
+addition to the message string. This resolves BZ #32582.
+
+Signed-off-by: Siddhesh Poyarekar <siddh...@sourceware.org>
+Reviewed: Adhemerval Zanella <adhemerval.zane...@linaro.org>
+(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c]
+CVE: CVE-2025-0395
+
+Signed-off-by: Harish Sadineni <harish.sadin...@windriver.com>
+---
+ assert/assert.c | 4 +++-
+ sysdeps/posix/libc_fatal.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/assert/assert.c b/assert/assert.c
+index c29629f5f6..b6e37d694c 100644
+--- a/assert/assert.c
++++ b/assert/assert.c
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <atomic.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <libintl.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -65,7 +66,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
+ (void) __fxprintf (NULL, "%s", str);
+ (void) fflush (stderr);
+
+- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++ GLRO(dl_pagesize));
+ struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+ if (__glibc_likely (buf != MAP_FAILED))
+diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
+index f9e3425e04..089c47b04b 100644
+--- a/sysdeps/posix/libc_fatal.c
++++ b/sysdeps/posix/libc_fatal.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <paths.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+@@ -105,7 +106,8 @@ __libc_message_impl (const char *fmt, ...)
+ {
+ WRITEV_FOR_FATAL (fd, iov, iovcnt, total);
+
+- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++ GLRO(dl_pagesize));
+ struct abort_msg_s *buf = __mmap (NULL, total,
+ PROT_READ | PROT_WRITE,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+--
+2.43.5
diff --git a/meta/recipes-core/glibc/glibc_2.40.bb b/meta/recipes-core/glibc/glibc_2.40.bb
index 3e855b19d8..48a1e03585 100644
--- a/meta/recipes-core/glibc/glibc_2.40.bb
+++ b/meta/recipes-core/glibc/glibc_2.40.bb
@@ -54,6 +54,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
 file://0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \
 file://0024-Fix-missing-randomness-in-__gen_tempname-bug-32214.patch \
+ file://0025-CVE-2025-0395.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.43.0
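Review bot: Both `ALIGN_UP (total + sizeof (struct abort_msg_s) + 1, GLRO(dl_pagesize))` assignments, in `__assert_fail_base` and in `__libc_message_impl`, repeat the same size computation with no comment saying which bytes each term covers. Going by the commit message the terms are the message text, the `abort_msg_s` header that stores its length, and one further byte that is presumably the terminating NUL; a comment such as `/* Header (size field) + message + NUL, rounded up to whole pages.  */` above each assignment would record that, ideally sent upstream so this backport stays identical to the referenced commit. The patch also ships no regression test, so a case whose message length lands within `sizeof (struct abort_msg_s)` of a page multiple would be worth carrying alongside it. Both function bodies start and end outside the hunks, so how `total` is used after the `__mmap` call is not visible here.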