From 0679f901faf3e96e68dc98b07e91c4798173aad9 Mon Sep 17 00:00:00 2001
From: nicholastao <taoyuxiang2@huawei.com>
Date: Wed, 26 Mar 2025 14:50:46 +0800
Subject: [PATCH] fix CVE-2025-0395

---
 ...nderallocation-of-abort_msg_s-struct.patch | 96 +++++++++++++++++++
 glibc.spec                                    |  9 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch

diff --git a/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch b/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
new file mode 100644
index 0000000..ec934d1
--- /dev/null
+++ b/backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
@@ -0,0 +1,96 @@
+From df4e1f4a5096b385c9bcc94424cf2eaa227b3761 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 22 Jan 2025 17:22:02 +0100
+Subject: [PATCH] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+
+Include the space needed to store the length of the message itself, in
+addition to the message string.  This resolves BZ #32582.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+(cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
+
+Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
+backtrace removal.
+
+Reference:https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761
+Conflict:NEWS
+---
+ NEWS                       | 6 ++++++
+ assert/assert.c            | 4 +++-
+ sysdeps/posix/libc_fatal.c | 6 +++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index aabb21e86c..192bf1374f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -60,6 +60,11 @@ Security related changes:
+   buffer size.  The resulting larger than expected output could result
+   in a buffer overflow in the printf family of functions.
+ 
++  CVE-2025-0395: When the assert() function fails, it does not allocate
++  enough space for the assertion failure message string and size
++  information, which may lead to a buffer overflow if the message string
++  size aligns to page size.
++
+ The following bugs are resolved with this release:
+ 
+   [178] string: Please add strlcpy and strlcat (attached)
+@@ -372,6 +377,7 @@ The following bugs are resolved with this release:
+   [30555] string: strerror can incorrectly return NULL
+   [30579] malloc: trim_threshold in realloc lead to high memory usage
+   [30662] nscd: Group and password cache use errno in place of errval
++  [32582] Fix underallocation of abort_msg_s struct (CVE-2025-0395)
+ 
+ Version 2.37
+ 
+diff --git a/assert/assert.c b/assert/assert.c
+index 8a277dce00..cbc8238061 100644
+--- a/assert/assert.c
++++ b/assert/assert.c
+@@ -18,6 +18,7 @@
+ #include <assert.h>
+ #include <atomic.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <libintl.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
+       (void) __fxprintf (NULL, "%s", str);
+       (void) fflush (stderr);
+ 
+-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++			GLRO(dl_pagesize));
+       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
+ 					MAP_ANON | MAP_PRIVATE, -1, 0);
+       if (__glibc_likely (buf != MAP_FAILED))
+diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c
+index 6d24bee613..7c47b0cfb5 100644
+--- a/sysdeps/posix/libc_fatal.c
++++ b/sysdeps/posix/libc_fatal.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <ldsodefs.h>
++#include <libc-pointer-arith.h>
+ #include <paths.h>
+ #include <stdarg.h>
+ #include <stdbool.h>
+@@ -125,7 +126,8 @@ __libc_message (enum __libc_message_action action, const char *fmt, ...)
+ 
+       WRITEV_FOR_FATAL (fd, iov, nlist, total);
+ 
+-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
++      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
++                        GLRO(dl_pagesize));
+       struct abort_msg_s *buf = __mmap (NULL, total,
+ 					PROT_READ | PROT_WRITE,
+ 					MAP_ANON | MAP_PRIVATE, -1, 0);
+-- 
+2.43.5
+
+
+
diff --git a/glibc.spec b/glibc.spec
index 181eccd..6153c73 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	56
+Release: 	57
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -278,6 +278,7 @@ Patch188: backport-x86-Disable-non-temporal-memset-on-Skylake-Server.patch
 Patch189: backport-Use-Avoid_Non_Temporal_Memset-to-control-non-tem.patch
 Patch190: backport-Add-Avoid_STOSB-tunable-to-allow-NT-memset-witho.patch
 Patch191: backport-x86-Enable-non-temporal-memset-for-Hygon-processors.patch 
+Patch192: backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
 
 #openEuler patch list
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
@@ -1502,6 +1503,12 @@ fi
 %endif
 
 %changelog
+* Wed Mar 26 2025 taoyuxiang <taoyuxiang2@huawei.com> - 2.38-57
+- Type:CVE
+- CVE:CVE-2025-0395
+- SUG:NA
+- DESC:fix CVE-2025-0395
+
 * Wed Mar 12 2025 xiajimei  <xiejiamei@hygon.cn> - 2.38-56
 - x86: Enable non-temporal memset for Hygon processors
 - x86: Add `Avoid_STOSB` tunable to allow NT memset without ERMS
-- 
Gitee