diff mbox series

[v3] assert: Add test for CVE-2025-0395

Message ID 20250206002655.103683-1-siddhesh@sourceware.org (mailing list archive)
State New
Headers
Series [v3] assert: Add test for CVE-2025-0395 |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm success Test passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Build passed
redhat-pt-bot/TryBot-32bit success Build for i686
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Test passed
redhat-pt-bot/TryBot-still_applies warning Patch no longer applies to master

Commit Message

Siddhesh Poyarekar Feb. 6, 2025, 12:26 a.m. UTC 
  Use the __progname symbol to override the program name to induce the
failure that CVE-2025-0395 describes.

This is related to BZ #32582

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
Changes from v2:
- Add trailing backslash to test entry in Makefile.

Changes from v1:
- Account for 32-bit pointers

 assert/Makefile                  |  1 +
 assert/tst-assert-sa-2025-0001.c | 91 ++++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 assert/tst-assert-sa-2025-0001.c

Comments

Adhemerval Zanella Netto Feb. 11, 2025, 4:59 p.m. UTC | #1 
On 05/02/25 21:26, Siddhesh Poyarekar wrote:
> Use the __progname symbol to override the program name to induce the
> failure that CVE-2025-0395 describes.
> 
> This is related to BZ #32582
> 
> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

LGTM, thanks.  Just a suggestion below.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

> ---
> Changes from v2:
> - Add trailing backslash to test entry in Makefile.
> 
> Changes from v1:
> - Account for 32-bit pointers
> 
>  assert/Makefile                  |  1 +
>  assert/tst-assert-sa-2025-0001.c | 91 ++++++++++++++++++++++++++++++++
>  2 files changed, 92 insertions(+)
>  create mode 100644 assert/tst-assert-sa-2025-0001.c
> 
> diff --git a/assert/Makefile b/assert/Makefile
> index 65b9d0768e..8d106d8752 100644
> --- a/assert/Makefile
> +++ b/assert/Makefile
> @@ -39,6 +39,7 @@ tests := \
>    test-assert-perr \
>    tst-assert-c++ \
>    tst-assert-g++ \
> +  tst-assert-sa-2025-0001 \
>    # tests
>  
>  ifeq ($(have-cxx-thread_local),yes)
> diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c
> new file mode 100644
> index 0000000000..48a1921621
> --- /dev/null
> +++ b/assert/tst-assert-sa-2025-0001.c
> @@ -0,0 +1,91 @@
> +/* Test for CVE-2025-0395.
> +   Copyright The GNU Toolchain Authors.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <https://www.gnu.org/licenses/>.  */
> +
> +/* Test that a large enough __progname does not result in a buffer overflow
> +   when printing an assertion failure.  This was CVE-2025-0395.  */
> +#include <assert.h>
> +#include <inttypes.h>
> +#include <signal.h>
> +#include <stdbool.h>
> +#include <string.h>
> +#include <sys/mman.h>
> +#include <support/check.h>
> +#include <support/support.h>
> +#include <support/xstdio.h>
> +#include <support/xunistd.h>
> +
> +extern const char *__progname;
> +
> +int
> +do_test (int argc, char **argv)
> +{
> +

Add a support_need_proc() check since it requires to read the maps
file.

> +  ignore_stderr ();
> +
> +  /* XXX assumes that the assert is on a 2 digit line number.  */
> +  const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n";
> +
> +  int ret = fprintf (stderr, prompt, __FILE__);
> +  if (ret < 0)
> +    FAIL_EXIT1 ("fprintf failed: %m\n");
> +
> +  size_t pagesize = getpagesize ();
> +  size_t namesize = pagesize - 1 - ret;
> +
> +  /* Alter the progname so that the assert message fills the entire page.  */
> +  char progname[namesize];
> +  memset (progname, 'A', namesize - 1);
> +  progname[namesize - 1] = '\0';
> +  __progname = progname;
> +
> +  FILE *f = xfopen ("/proc/self/maps", "r");
> +  char *line = NULL;
> +  size_t len = 0;
> +  uintptr_t prev_to = 0;
> +
> +  /* Pad the beginning of every writable mapping with a PROT_NONE map.  This
> +     ensures that the mmap in the assert_fail path never ends up below a
> +     writable map and will terminate immediately in case of a buffer
> +     overflow.  */
> +  while (xgetline (&line, &len, f))
> +    {
> +      uintptr_t from, to;
> +      char perm[4];
> +
> +      sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ",
> +	      &from, &to,
> +	      &perm[0], &perm[1], &perm[2], &perm[3]);
> +
> +      bool writable = (memchr (perm, 'w', 4) != NULL);
> +
> +      if (prev_to != 0 && from - prev_to > pagesize && writable)
> +	xmmap ((void *) from - pagesize, pagesize, PROT_NONE,
> +	       MAP_ANONYMOUS | MAP_PRIVATE, 0);
> +
> +      prev_to = to;
> +    }
> +
> +  xfclose (f);
> +
> +  assert (argc < 1);
> +  return 0;
> +}
> +
> +#define EXPECTED_SIGNAL SIGABRT
> +#define TEST_FUNCTION_ARGV do_test
> +#include <support/test-driver.c>
Siddhesh Poyarekar Feb. 13, 2025, 5:34 p.m. UTC | #2 
On 2025-02-11 11:59, Adhemerval Zanella Netto wrote:
> On 05/02/25 21:26, Siddhesh Poyarekar wrote:
>> Use the __progname symbol to override the program name to induce the
>> failure that CVE-2025-0395 describes.
>>
>> This is related to BZ #32582
>>
>> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> 
> LGTM, thanks.  Just a suggestion below.
> 
> Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
> 

Thank you, fixed up and pushed.

Sid
diff mbox series

Patch

diff --git a/assert/Makefile b/assert/Makefile
index 65b9d0768e..8d106d8752 100644
--- a/assert/Makefile
+++ b/assert/Makefile
@@ -39,6 +39,7 @@  tests := \
   test-assert-perr \
   tst-assert-c++ \
   tst-assert-g++ \
+  tst-assert-sa-2025-0001 \
   # tests
 
 ifeq ($(have-cxx-thread_local),yes)
diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c
new file mode 100644
index 0000000000..48a1921621
--- /dev/null
+++ b/assert/tst-assert-sa-2025-0001.c
@@ -0,0 +1,91 @@ 
+/* Test for CVE-2025-0395.
+   Copyright The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Test that a large enough __progname does not result in a buffer overflow
+   when printing an assertion failure.  This was CVE-2025-0395.  */
+#include <assert.h>
+#include <inttypes.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/xstdio.h>
+#include <support/xunistd.h>
+
+extern const char *__progname;
+
+int
+do_test (int argc, char **argv)
+{
+
+  ignore_stderr ();
+
+  /* XXX assumes that the assert is on a 2 digit line number.  */
+  const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n";
+
+  int ret = fprintf (stderr, prompt, __FILE__);
+  if (ret < 0)
+    FAIL_EXIT1 ("fprintf failed: %m\n");
+
+  size_t pagesize = getpagesize ();
+  size_t namesize = pagesize - 1 - ret;
+
+  /* Alter the progname so that the assert message fills the entire page.  */
+  char progname[namesize];
+  memset (progname, 'A', namesize - 1);
+  progname[namesize - 1] = '\0';
+  __progname = progname;
+
+  FILE *f = xfopen ("/proc/self/maps", "r");
+  char *line = NULL;
+  size_t len = 0;
+  uintptr_t prev_to = 0;
+
+  /* Pad the beginning of every writable mapping with a PROT_NONE map.  This
+     ensures that the mmap in the assert_fail path never ends up below a
+     writable map and will terminate immediately in case of a buffer
+     overflow.  */
+  while (xgetline (&line, &len, f))
+    {
+      uintptr_t from, to;
+      char perm[4];
+
+      sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ",
+	      &from, &to,
+	      &perm[0], &perm[1], &perm[2], &perm[3]);
+
+      bool writable = (memchr (perm, 'w', 4) != NULL);
+
+      if (prev_to != 0 && from - prev_to > pagesize && writable)
+	xmmap ((void *) from - pagesize, pagesize, PROT_NONE,
+	       MAP_ANONYMOUS | MAP_PRIVATE, 0);
+
+      prev_to = to;
+    }
+
+  xfclose (f);
+
+  assert (argc < 1);
+  return 0;
+}
+
+#define EXPECTED_SIGNAL SIGABRT
+#define TEST_FUNCTION_ARGV do_test
+#include <support/test-driver.c>