From patchwork Thu Feb 6 00:26:55 2025
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 106058
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org
Subject: [PATCH v3] assert: Add test for CVE-2025-0395
Date: Wed, 5 Feb 2025 19:26:55 -0500
Message-ID: <20250206002655.103683-1-siddhesh@sourceware.org>
In-Reply-To: <20250131173402.341657-1-siddhesh@sourceware.org>
References: <20250131173402.341657-1-siddhesh@sourceware.org>

Use the __progname symbol to override the program name to induce the
failure that CVE-2025-0395 describes. This is related to BZ #32582.

Signed-off-by: Siddhesh Poyarekar
Reviewed-by: Adhemerval Zanella
---
Changes from v2:
- Add trailing backslash to test entry in Makefile.

Changes from v1:
- Account for 32-bit pointers

 assert/Makefile                  |  1 +
 assert/tst-assert-sa-2025-0001.c | 91 ++++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 assert/tst-assert-sa-2025-0001.c

diff --git a/assert/Makefile b/assert/Makefile index 65b9d0768e..8d106d8752 100644 --- a/assert/Makefile +++ b/assert/Makefile @@ -39,6 +39,7 @@ tests := \ test-assert-perr \ tst-assert-c++ \ tst-assert-g++ \ + tst-assert-sa-2025-0001 \ # tests ifeq ($(have-cxx-thread_local),yes)
diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c new file mode 100644 index 0000000000..48a1921621 --- /dev/null +++ b/assert/tst-assert-sa-2025-0001.c 
@@ -0,0 +1,91 @@ +/* Test for CVE-2025-0395. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* Test that a large enough __progname does not result in a buffer overflow + when printing an assertion failure. This was CVE-2025-0395. */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +extern const char *__progname; + +int +do_test (int argc, char **argv) +{ + + ignore_stderr (); + + /* XXX assumes that the assert is on a 2 digit line number. */ + const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n"; + + int ret = fprintf (stderr, prompt, __FILE__); + if (ret < 0) + FAIL_EXIT1 ("fprintf failed: %m\n"); + + size_t pagesize = getpagesize (); + size_t namesize = pagesize - 1 - ret; + + /* Alter the progname so that the assert message fills the entire page. */ + char progname[namesize]; + memset (progname, 'A', namesize - 1); + progname[namesize - 1] = '\0'; + __progname = progname; + + FILE *f = xfopen ("/proc/self/maps", "r"); + char *line = NULL; + size_t len = 0; + uintptr_t prev_to = 0; + + /* Pad the beginning of every writable mapping with a PROT_NONE map. This + ensures that the mmap in the assert_fail path never ends up below a + writable map and will terminate immediately in case of a buffer + overflow. 
*/ + while (xgetline (&line, &len, f)) + { + uintptr_t from, to; + char perm[4]; + + sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ", + &from, &to, + &perm[0], &perm[1], &perm[2], &perm[3]); + + bool writable = (memchr (perm, 'w', 4) != NULL); + + if (prev_to != 0 && from - prev_to > pagesize && writable) + xmmap ((void *) from - pagesize, pagesize, PROT_NONE, + MAP_ANONYMOUS | MAP_PRIVATE, 0); + + prev_to = to; + } + + xfclose (f); + + assert (argc < 1); + return 0; +} + +#define EXPECTED_SIGNAL SIGABRT +#define TEST_FUNCTION_ARGV do_test +#include
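Review bot: in the /proc/self/maps loop of tst-assert-sa-2025-0001.c the guard page is requested with `xmmap ((void *) from - pagesize, pagesize, PROT_NONE, MAP_ANONYMOUS | MAP_PRIVATE, 0)`, which passes the address only as a hint; the kernel may place the mapping elsewhere and the returned address is never compared with the requested one, so a guard that lands somewhere else leaves that writable mapping unpadded and the test can pass without the overflow being caught. Suggest either asserting that the return value equals `(void *) (from - pagesize)` and failing with FAIL_EXIT1 otherwise, or adding MAP_FIXED_NOREPLACE so the call fails loudly if the slot is taken; writing `(void *) (from - pagesize)` also avoids arithmetic on a `void *`. Two smaller points in the same hunk: the `sscanf` return value is unchecked, so a line that does not match the expected format leaves `from` and `to` uninitialized (checking for 6 conversions is cheap), and the XXX comment about the literal `99` in the prompt could be retired by deriving the line-number width from the actual `__LINE__` of the `assert` rather than hard-coding a two-digit value. Since the test relies on /proc/self/maps, it is effectively Linux-only; either document that or report FAIL_UNSUPPORTED when the file cannot be opened instead of letting xfopen abort the test.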