From cdb9ba84191ce72e86346fb8b1d906e7cd930ea2 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Fri, 31 Jan 2025 12:16:30 -0500 Subject: [PATCH] assert: Add test for CVE-2025-0395 Use the __progname symbol to override the program name to induce the failure that CVE-2025-0395 describes. This is related to BZ #32582 Signed-off-by: Siddhesh Poyarekar Reviewed-by: Adhemerval Zanella --- assert/Makefile | 1 + assert/tst-assert-sa-2025-0001.c | 92 ++++++++++++++++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 assert/tst-assert-sa-2025-0001.c diff --git a/assert/Makefile b/assert/Makefile index 65b9d0768e..8d106d8752 100644 --- a/assert/Makefile +++ b/assert/Makefile @@ -39,6 +39,7 @@ tests := \ test-assert-perr \ tst-assert-c++ \ tst-assert-g++ \ + tst-assert-sa-2025-0001 \ # tests ifeq ($(have-cxx-thread_local),yes) diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c new file mode 100644 index 0000000000..102cb0078d --- /dev/null +++ b/assert/tst-assert-sa-2025-0001.c @@ -0,0 +1,92 @@ +/* Test for CVE-2025-0395. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* Test that a large enough __progname does not result in a buffer overflow + when printing an assertion failure. This was CVE-2025-0395. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +extern const char *__progname; + +int +do_test (int argc, char **argv) +{ + + support_need_proc ("Reads /proc/self/maps to add guards to writable maps."); + ignore_stderr (); + + /* XXX assumes that the assert is on a 2 digit line number. */ + const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n"; + + int ret = fprintf (stderr, prompt, __FILE__); + if (ret < 0) + FAIL_EXIT1 ("fprintf failed: %m\n"); + + size_t pagesize = getpagesize (); + size_t namesize = pagesize - 1 - ret; + + /* Alter the progname so that the assert message fills the entire page. */ + char progname[namesize]; + memset (progname, 'A', namesize - 1); + progname[namesize - 1] = '\0'; + __progname = progname; + + FILE *f = xfopen ("/proc/self/maps", "r"); + char *line = NULL; + size_t len = 0; + uintptr_t prev_to = 0; + + /* Pad the beginning of every writable mapping with a PROT_NONE map. This + ensures that the mmap in the assert_fail path never ends up below a + writable map and will terminate immediately in case of a buffer + overflow. */ + while (xgetline (&line, &len, f)) + { + uintptr_t from, to; + char perm[4]; + + sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ", + &from, &to, + &perm[0], &perm[1], &perm[2], &perm[3]); + + bool writable = (memchr (perm, 'w', 4) != NULL); + + if (prev_to != 0 && from - prev_to > pagesize && writable) + xmmap ((void *) from - pagesize, pagesize, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE, 0); + + prev_to = to; + } + + xfclose (f); + + assert (argc < 1); + return 0; +} + +#define EXPECTED_SIGNAL SIGABRT +#define TEST_FUNCTION_ARGV do_test +#include