Bug 32582 (CVE-2025-0395)

Summary: Insufficient allocation for abort_msg_s (CVE-2025-0395)
Product: glibc Reporter: Siddhesh Poyarekar <siddhesh>
Component: libcAssignee: Siddhesh Poyarekar <siddhesh>
Status: RESOLVED FIXED    
Severity: normal CC: drepper.fsp
Priority: P2 Flags: siddhesh: security+
Version: unspecified   
Target Milestone: ---   
Host: Target:
Build: Last reconfirmed:
Project(s) to access: ssh public key:

Description Siddhesh Poyarekar 2025-01-22 13:08:29 UTC 
The allocation for abort_msg_s does not account for the integer in the struct to store the message length, because of which at some lengths of messages (at multiples of page size) this may result in a buffer overflow.  Fix coming up.

Thanks to Qualys for reporting this.
Comment 1 Sourceware Commits 2025-01-22 13:26:26 UTC 
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578

commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Comment 2 Siddhesh Poyarekar 2025-01-22 13:29:48 UTC 
Fixed on trunk.
Comment 3 Sourceware Commits 2025-01-22 14:22:50 UTC 
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c

commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Comment 4 Sourceware Commits 2025-01-22 17:29:14 UTC 
The release/2.39/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=808a84a8b81468b517a4d721fdc62069cb8c211f

commit 808a84a8b81468b517a4d721fdc62069cb8c211f
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Comment 5 Sourceware Commits 2025-01-22 17:29:34 UTC 
The release/2.38/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c32fd59314c343db88c3ea4a203870481d33c3d2

commit c32fd59314c343db88c3ea4a203870481d33c3d2
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Comment 6 Sourceware Commits 2025-01-22 17:29:58 UTC 
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3d7865b098a3a67c44f7812208d9ce4718873ba

commit a3d7865b098a3a67c44f7812208d9ce4718873ba
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
Comment 7 Sourceware Commits 2025-01-22 17:31:13 UTC 
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845

commit 7971add7ee4171fdd8dfd17e7c04c4ed77a18845
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
    
    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
Comment 8 Sourceware Commits 2025-01-22 17:31:40 UTC 
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b5d4be762419c4f6176261c6fea40ac559b88dc

commit 8b5d4be762419c4f6176261c6fea40ac559b88dc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
    
    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
Comment 9 Sourceware Commits 2025-01-22 17:32:11 UTC 
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761

commit df4e1f4a5096b385c9bcc94424cf2eaa227b3761
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    
    Include the space needed to store the length of the message itself, in
    addition to the message string.  This resolves BZ #32582.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
    
    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
Comment 10 Sourceware Commits 2025-02-13 17:34:21 UTC 
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cdb9ba84191ce72e86346fb8b1d906e7cd930ea2

commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
Comment 11 Sourceware Commits 2025-02-13 17:46:34 UTC 
The release/2.41/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=69fda28279b497bd405fdd442a6d8e4d3d5f681b

commit 69fda28279b497bd405fdd442a6d8e4d3d5f681b
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 12 Sourceware Commits 2025-02-13 17:53:55 UTC 
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d6c156c326999f144cb5b73d29982108d549ad8a

commit d6c156c326999f144cb5b73d29982108d549ad8a
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 13 Sourceware Commits 2025-02-13 18:02:08 UTC 
The release/2.39/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f6d48470aef9264d2d56f4c4533eb76db7f9c2e4

commit f6d48470aef9264d2d56f4c4533eb76db7f9c2e4
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 14 Sourceware Commits 2025-02-13 18:12:36 UTC 
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f984e2d7e8299726891a1a497a3c36cd5542a0bf

commit f984e2d7e8299726891a1a497a3c36cd5542a0bf
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 15 Sourceware Commits 2025-02-13 18:30:10 UTC 
The release/2.37/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b989519fe1683c204ac24ec92830e3fe3bfaccad

commit b989519fe1683c204ac24ec92830e3fe3bfaccad
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 16 Sourceware Commits 2025-02-13 18:41:24 UTC 
The release/2.36/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0487893d5c5bc6710d83d7c3152d888a0339559e

commit 0487893d5c5bc6710d83d7c3152d888a0339559e
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 17 Sourceware Commits 2025-02-13 18:50:58 UTC 
The release/2.35/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b3d09dc0d350191985f9d291cc30ce96f034b49

commit 8b3d09dc0d350191985f9d291cc30ce96f034b49
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)
Comment 18 Sourceware Commits 2025-02-13 18:58:36 UTC 
The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=31eb872cb21449832ab47ad5db83281d240e1d03

commit 31eb872cb21449832ab47ad5db83281d240e1d03
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Fri Jan 31 12:16:30 2025 -0500

    assert: Add test for CVE-2025-0395
    
    Use the __progname symbol to override the program name to induce the
    failure that CVE-2025-0395 describes.
    
    This is related to BZ #32582
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    (cherry picked from commit cdb9ba84191ce72e86346fb8b1d906e7cd930ea2)