From 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Tue, 21 Jan 2025 16:11:06 -0500
Subject: Fix underallocation of abort_msg_s struct (CVE-2025-0395)

Include the space needed to store the length of the message itself, in
addition to the message string.  This resolves BZ #32582.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
---
 assert/assert.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'assert/assert.c')

diff --git a/assert/assert.c b/assert/assert.c
index db90b8d7ef..d21d76fa62 100644
--- a/assert/assert.c
+++ b/assert/assert.c
@@ -17,6 +17,7 @@
 
 #include <intprops.h>
 #include <ldsodefs.h>
+#include <libc-pointer-arith.h>
 #include <libintl.h>
 #include <libio/iolibio.h>
 #include <setvmaname.h>
@@ -60,7 +61,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file,
       (void) __fxprintf (NULL, "%s", str);
       (void) fflush (stderr);
 
-      total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1);
+      total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1,
+			GLRO(dl_pagesize));
       struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE,
 					MAP_ANON | MAP_PRIVATE, -1, 0);
       if (__glibc_likely (buf != MAP_FAILED))
-- 
cgit v1.2.3