From 98e3dcf5b626a501bc2c04672ccdbfbb006cebef Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Wed, 21 May 2025 11:51:31 +0800
Subject: [PATCH] fix CVE-2025-4802

(cherry picked from commit afae58a80580cd9827ab34b8d410171a2ee02251)
---
 backport-CVE-2025-4802.patch | 96 ++++++++++
 ...est-case-for-bug-32976-CVE-2025-4802.patch | 164 ++++++++++++++++++
 ...t-Add-support_record_failure_barrier.patch | 49 ++++++
 ...t-char-argument-in-support_capture_s.patch | 64 +++++++
 glibc.spec | 12 +-
 5 files changed, 384 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-4802.patch
 create mode 100644 backport-elf-Test-case-for-bug-32976-CVE-2025-4802.patch
 create mode 100644 backport-support-Add-support_record_failure_barrier.patch
 create mode 100644 backport-support-Use-const-char-argument-in-support_capture_s.patch

diff --git a/backport-CVE-2025-4802.patch b/backport-CVE-2025-4802.patch
new file mode 100644
index 0000000..169a561
--- /dev/null
+++ b/backport-CVE-2025-4802.patch
@@ -0,0 +1,96 @@
+From a4a1752edb10c136863cc617cf4f49574c24fcd5 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Mon, 6 Nov 2023 17:25:49 -0300
+Subject: [PATCH 1/4] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid
+ for static
+
+It mimics the ld.so behavior.
+
+Checked on x86_64-linux-gnu.
+Reviewed-by: Siddhesh Poyarekar
+
+(cherry picked from commit 5451fa962cd0a90a0e2ec1d8910a559ace02bba0)
+
+Changes:
+
+ git/elf/dl-support.c
+ (missing commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4
+ ("elf: Remove LD_PROFILE for static binaries"),
+ missing removal of tunables support)
+---
+ elf/dl-support.c | 45 +++++++++++++++++++++------------------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+diff --git a/elf/dl-support.c b/elf/dl-support.c
+index 910bc10552..3167943885 100644
+--- a/elf/dl-support.c
++++ b/elf/dl-support.c
+@@ -270,8 +270,6 @@ _dl_non_dynamic_init (void)
+ _dl_main_map.l_phdr = GL(dl_phdr);
+ _dl_main_map.l_phnum = GL(dl_phnum);
+ 
+- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
+-
+ /* Set up the data structures for the system-supplied DSO early,
+ so they can influence _dl_init_paths. */
+ setup_vdso (NULL, NULL);
+@@ -279,6 +277,27 @@ _dl_non_dynamic_init (void)
+ /* With vDSO setup we can initialize the function pointers. */
+ setup_vdso_pointers ();
+ 
++ if (__libc_enable_secure)
++ {
++ static const char unsecure_envvars[] =
++ UNSECURE_ENVVARS
++ ;
++ const char *cp = unsecure_envvars;
++
++ while (cp < unsecure_envvars + sizeof (unsecure_envvars))
++ {
++ __unsetenv (cp);
++ cp = strchr (cp, '\0') + 1;
++ }
++
++#if !HAVE_TUNABLES
++ if (__access ("/etc/suid-debug", F_OK) != 0)
++ __unsetenv ("MALLOC_CHECK_");
++#endif
++ }
++
++ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
++
+ /* Initialize the data structures for the search paths for shared
+ objects. */
+ _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
+@@ -300,28 +319,6 @@ _dl_non_dynamic_init (void)
+ _dl_profile_output
+ = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
+ 
+- if (__libc_enable_secure)
+- {
+- static const char unsecure_envvars[] =
+- UNSECURE_ENVVARS
+-#ifdef EXTRA_UNSECURE_ENVVARS
+- EXTRA_UNSECURE_ENVVARS
+-#endif
+- ;
+- const char *cp = unsecure_envvars;
+-
+- while (cp < unsecure_envvars + sizeof (unsecure_envvars))
+- {
+- __unsetenv (cp);
+- cp = (const char *) __rawmemchr (cp, '\0') + 1;
+- }
+-
+-#if !HAVE_TUNABLES
+- if (__access ("/etc/suid-debug", F_OK) != 0)
+- __unsetenv ("MALLOC_CHECK_");
+-#endif
+- }
+-
+ #ifdef DL_PLATFORM_INIT
+ DL_PLATFORM_INIT;
+ #endif
+-- 
+2.27.0
+
diff --git a/backport-elf-Test-case-for-bug-32976-CVE-2025-4802.patch b/backport-elf-Test-case-for-bug-32976-CVE-2025-4802.patch
new file mode 100644
index 0000000..3072d88
--- /dev/null
+++ b/backport-elf-Test-case-for-bug-32976-CVE-2025-4802.patch
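Review bot: The relocated scrub loop in the `@@ -279,6 +277,27 @@` hunk drops the `#ifdef EXTRA_UNSECURE_ENVVARS` branch that the removed copy (in the `@@ -300,28 +319,6 @@` hunk) still carried, so any sysdeps header in this 2.34 tree that still defines EXTRA_UNSECURE_ENVVARS would have its variables left in the environment of AT_SECURE static binaries; confirm that macro is not defined anywhere in the tree before applying, or carry the branch over into the new block. The ordering itself is the fix: the loop now runs before `_dl_init_paths (getenv ("LD_LIBRARY_PATH"), ...)` and before `_dl_verbose` reads LD_WARN, both of which previously consumed the unsanitized environment (presumably LD_WARN is among the scrubbed names, since the assignment was moved after the loop). A comment above the new `if (__libc_enable_secure)` would keep a later reshuffle from undoing it, e.g. `/* Must run before any getenv below: _dl_init_paths and _dl_verbose read variables this loop removes (bug 32976).  */`. `_dl_non_dynamic_init` begins and ends outside the quoted hunks.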
@@ -0,0 +1,164 @@
+From f3a37045db96396f8971524d38a2b3abcd402a48 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Tue, 20 May 2025 19:45:06 +0200
+Subject: [PATCH 4/4] elf: Test case for bug 32976 (CVE-2025-4802)
+
+Check that LD_LIBRARY_PATH is ignored for AT_SECURE statically
+linked binaries, using support_capture_subprogram_self_sgid.
+
+Reviewed-by: Carlos O'Donell
+(cherry picked from commit d8f7a79335b0d861c12c42aec94c04cd5bb181e2)
+---
+ elf/Makefile | 4 ++
+ elf/tst-dlopen-sgid-mod.c | 1 +
+ elf/tst-dlopen-sgid.c | 104 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 109 insertions(+)
+ create mode 100644 elf/tst-dlopen-sgid-mod.c
+ create mode 100644 elf/tst-dlopen-sgid.c
+
+diff --git a/elf/Makefile b/elf/Makefile
+index d71406e3..a6609aad 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -256,6 +256,7 @@ tests-static-normal := \
+ tst-array1-static \
+ tst-array5-static \
+ tst-dl-iter-static \
++ tst-dlopen-sgid \
+ tst-dst-static \
+ tst-env-setuid \
+ tst-env-setuid-tunables \
+@@ -664,6 +665,7 @@ modules-names = \
+ tst-dlmopen-gethostbyname-mod \
+ tst-dlmopen-twice-mod1 \
+ tst-dlmopen-twice-mod2 \
++ tst-dlopen-sgid-mod \
+ tst-dlopenfaillinkmod \
+ tst-dlopenfailmod1 \
+ tst-dlopenfailmod2 \
+@@ -2548,3 +2550,5 @@ tst-rtld-no-malloc-audit-ENV = LD_AUDIT=$(objpfx)tst-auditmod1.so
+ 
+ # Any shared object should do.
+ tst-rtld-no-malloc-preload-ENV = LD_PRELOAD=$(objpfx)tst-auditmod1.so
++
++$(objpfx)tst-dlopen-sgid.out: $(objpfx)tst-dlopen-sgid-mod.so
+diff --git a/elf/tst-dlopen-sgid-mod.c b/elf/tst-dlopen-sgid-mod.c
+new file mode 100644
+index 00000000..5eb79eef
+--- /dev/null
++++ b/elf/tst-dlopen-sgid-mod.c
+@@ -0,0 +1 @@
++/* Opening this object should not succeed. */
+diff --git a/elf/tst-dlopen-sgid.c b/elf/tst-dlopen-sgid.c
+new file mode 100644
+index 00000000..47829a40
+--- /dev/null
++++ b/elf/tst-dlopen-sgid.c
+@@ -0,0 +1,104 @@
++/* Test case for ignored LD_LIBRARY_PATH in static startug (bug 32976).
++ Copyright (C) 2025 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++/* This is the name of our test object. Use a custom module for
++ testing, so that this object does not get picked up from the system
++ path. */
++static const char dso_name[] = "tst-dlopen-sgid-mod.so";
++
++/* Used to mark the recursive invocation. */
++static const char magic_argument[] = "run-actual-test";
++
++static int
++do_test (void)
++{
++/* Pathname of the directory that receives the shared objects this
++ test attempts to load. */
++ char *libdir = support_create_temp_directory ("tst-dlopen-sgid-");
++
++ /* This is supposed to be ignored and stripped. */
++ TEST_COMPARE (setenv ("LD_LIBRARY_PATH", libdir, 1), 0);
++
++ /* Copy of libc.so.6. */
++ {
++ char *from = xasprintf ("%s/%s", support_objdir_root, LIBC_SO);
++ char *to = xasprintf ("%s/%s", libdir, LIBC_SO);
++ add_temp_file (to);
++ support_copy_file (from, to);
++ free (to);
++ free (from);
++ }
++
++ /* Copy of the test object. */
++ {
++ char *from = xasprintf ("%s/elf/%s", support_objdir_root, dso_name);
++ char *to = xasprintf ("%s/%s", libdir, dso_name);
++ add_temp_file (to);
++ support_copy_file (from, to);
++ free (to);
++ free (from);
++ }
++
++ TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0);
++
++ free (libdir);
++
++ return 0;
++}
++
++static void
++alternative_main (int argc, char **argv)
++{
++ if (argc == 2 && strcmp (argv[1], magic_argument) == 0)
++ {
++ if (getgid () == getegid ())
++ /* This can happen if the file system is mounted nosuid. */
++ FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n",
++ (intmax_t) getgid ());
++
++ /* Should be removed due to SGID. */
++ TEST_COMPARE_STRING (getenv ("LD_LIBRARY_PATH"), NULL);
++
++ TEST_VERIFY (dlopen (dso_name, RTLD_NOW) == NULL);
++ {
++ const char *message = dlerror ();
++ TEST_COMPARE_STRING (message,
++ "tst-dlopen-sgid-mod.so:"
++ " cannot open shared object file:"
++ " No such file or directory");
++ }
++
++ support_record_failure_barrier ();
++ exit (EXIT_SUCCESS);
++ }
++}
++
++#define PREPARE alternative_main
++#include
+-- 
+2.27.0
+
diff --git a/backport-support-Add-support_record_failure_barrier.patch b/backport-support-Add-support_record_failure_barrier.patch
new file mode 100644
index 0000000..566ec33
--- /dev/null
+++ b/backport-support-Add-support_record_failure_barrier.patch
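Review bot: The file header comment of the new elf/tst-dlopen-sgid.c misspells "startup" as "startug"; the corrected line is `/* Test case for ignored LD_LIBRARY_PATH in static startup (bug 32976).`, a one-word change that does not touch the test, though it does make the file diverge from the verbatim cherry-pick of d8f7a79335b0. Separately, the eleven `#include` lines and the license URL appear in this rendering with their `<...>` operands stripped, so the backport file as committed should be checked against upstream to confirm the real header names are present. The test also relies on `support_record_failure_barrier` and the `const char *` prototype of `support_capture_subprogram_self_sgid` from the two support backports, so the Patch231/Patch232-before-Patch233 ordering in glibc.spec must be kept.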
@@ -0,0 +1,49 @@
+From 6e518822a652b4adde6ae234111edf145d23cd00 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 23 Dec 2024 13:57:55 +0100
+Subject: [PATCH 3/4] support: Add support_record_failure_barrier
+
+This can be used to stop execution after a TEST_COMPARE_BLOB
+failure, for example.
+
+(cherry picked from commit d0b8aa6de4529231fadfe604ac2c434e559c2d9e)
+---
+ support/check.h | 3 +++
+ support/support_record_failure.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/support/check.h b/support/check.h
+index af5b513cad..2026118fc0 100644
+--- a/support/check.h
++++ b/support/check.h
+@@ -192,6 +192,9 @@ void support_record_failure_reset (void);
+ failures or not. */
+ int support_record_failure_is_failed (void);
+ 
++/* Terminate the process if any failures have been encountered so far. */
++void support_record_failure_barrier (void);
++
+ __END_DECLS
+ 
+ #endif /* SUPPORT_CHECK_H */
+diff --git a/support/support_record_failure.c b/support/support_record_failure.c
+index 903da40155..c0bd489637 100644
+--- a/support/support_record_failure.c
++++ b/support/support_record_failure.c
+@@ -112,3 +112,13 @@ support_record_failure_is_failed (void)
+ synchronization for reliable test error reporting anyway. */
+ return __atomic_load_n (&state->failed, __ATOMIC_RELAXED);
+ }
++
++void
++support_record_failure_barrier (void)
++{
++ if (__atomic_load_n (&state->failed, __ATOMIC_RELAXED))
++ {
++ puts ("error: exiting due to previous errors");
++ exit (1);
++ }
++}
+-- 
+2.27.0
+
diff --git a/backport-support-Use-const-char-argument-in-support_capture_s.patch b/backport-support-Use-const-char-argument-in-support_capture_s.patch
new file mode 100644
index 0000000..3d5be24
--- /dev/null
+++ b/backport-support-Use-const-char-argument-in-support_capture_s.patch
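Review bot: The new declaration comment for `support_record_failure_barrier` in support/check.h does not say how the process terminates or that a diagnostic is printed, which a caller sequencing cleanup around it needs to know; suggest `/* If any failure has been recorded so far, print a diagnostic and terminate the process with exit status 1; otherwise return normally.  */`. In the support_record_failure.c hunk the diagnostic goes through `puts` (stdout, not stderr) and termination is `exit (1)` rather than `_exit`, so atexit handlers and stdio flushing run; both are presumably deliberate to match the rest of the failure reporting in that file, which is outside the hunk, and a one-line comment on the `exit (1);` line saying so would save the next reader the question.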
@@ -0,0 +1,64 @@
+From 731a88566a40d5766bf2f3666e2d3b1a75d3a32b Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Tue, 20 May 2025 19:36:02 +0200
+Subject: [PATCH 2/4] support: Use const char * argument in
+ support_capture_subprogram_self_sgid
+
+The function does not modify the passed-in string, so make this clear
+via the prototype.
+
+Reviewed-by: Carlos O'Donell
+(cherry picked from commit f0c09fe61678df6f7f18fe1ebff074e62fa5ca7a)
+---
+ support/capture_subprocess.h | 3 +--
+ support/support_capture_subprocess.c | 6 +++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/support/capture_subprocess.h b/support/capture_subprocess.h
+index 4be430f099..4229300d4b 100644
+--- a/support/capture_subprocess.h
++++ b/support/capture_subprocess.h
+@@ -44,8 +44,7 @@ struct support_capture_subprocess support_capture_subprogram
+ /* Copy the running program into a setgid binary and run it with CHILD_ID
+ argument. If execution is successful, return the exit status of the child
+ program, otherwise return a non-zero failure exit code. */
+-int support_capture_subprogram_self_sgid
+- (char *child_id);
++int support_capture_subprogram_self_sgid (const char *child_id);
+ 
+ /* Deallocate the subprocess data captured by
+ support_capture_subprocess. */
+diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
+index 0bacf6dbc2..6e6ac8bbb7 100644
+--- a/support/support_capture_subprocess.c
++++ b/support/support_capture_subprocess.c
+@@ -109,7 +109,7 @@ support_capture_subprogram (const char *file, char *const argv[])
+ safely make it SGID with the TARGET group ID. Then runs the
+ executable. */
+ static int
+-copy_and_spawn_sgid (char *child_id, gid_t gid)
++copy_and_spawn_sgid (const char *child_id, gid_t gid)
+ {
+ char *dirname = xasprintf ("%s/tst-tunables-setuid.%jd",
+ test_dir, (intmax_t) getpid ());
+@@ -172,7 +172,7 @@ copy_and_spawn_sgid (char *child_id, gid_t gid)
+ ret = 0;
+ infd = outfd = -1;
+ 
+- char * const args[] = {execname, child_id, NULL};
++ char * const args[] = {execname, (char *) child_id, NULL};
+ 
+ status = support_subprogram_wait (args[0], args);
+ 
+@@ -199,7 +199,7 @@ err:
+ }
+ 
+ int
+-support_capture_subprogram_self_sgid (char *child_id)
++support_capture_subprogram_self_sgid (const char *child_id)
+ {
+ gid_t target = 0;
+ const int count = 64;
+-- 
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index eb3c193..ab27942 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -71,7 +71,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.34
-Release: 166
+Release: 167
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -318,6 +318,10 @@ Patch226: backport-elf-Introduce-_dl_relocate_object_no_relro.patch
 Patch227: backport-elf-Switch-to-main-malloc-after-final-ld.so-self-rel.patch
 Patch228: AArch64-Optimize-memcmp.patch
 Patch229: backport-CVE-2025-0395-underallocation-of-abort_msg_s-struct.patch
+Patch230: backport-CVE-2025-4802.patch
+Patch231: backport-support-Use-const-char-argument-in-support_capture_s.patch
+Patch232: backport-support-Add-support_record_failure_barrier.patch
+Patch233: backport-elf-Test-case-for-bug-32976-CVE-2025-4802.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch
@@ -1548,6 +1552,12 @@ fi
 %endif
 
 %changelog
+* Wed May 21 2025 shixuantong - 2.34-167
+- Type:CVE
+- CVE:CVE-2025-4802
+- SUG:NA
+- DESC:fix CVE-2025-4802
+
 * Tue Feb 25 2025 taoyuxiang - 2.34-166
 - Type:CVE
 - CVE:CVE-2025-0395
-- 
Gitee
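Review bot: The `(char *) child_id` cast added in the `args[]` initializer of copy_and_spawn_sgid (the `@@ -172,7 +172,7 @@` hunk) strips the const this same patch just introduced, and nothing at the site says why that is acceptable, so a future reader is likely to flag it as a bug; a comment such as `/* args[] must be char *const [] for the exec-style interface; the string is never written, so dropping const here is safe.  */` above the line would settle it. That safety rests on `support_subprogram_wait` never modifying the argv strings, which is plausible for an exec wrapper but not visible in this hunk. `copy_and_spawn_sgid` starts and ends outside the quoted hunks.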