summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2020-01-17 19:14:30 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-01-28 11:15:01 +0000
commitdbd22b6cd75dd607e1e47bf12da4d54b574c9a8f (patch)
tree8ef5348735922f14f7afd91fd0883ba763b2c8f1
parent707e2b9d7d1e4969a609900faf9eac1849e56e0c (diff)
downloadpoky-dbd22b6cd75dd607e1e47bf12da4d54b574c9a8f.tar.gz
nasm: fix CVE-2018-19755
(From OE-Core rev: 021c8ae8e115ff6bab167146d97a340d4945118d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch116
-rw-r--r--meta/recipes-devtools/nasm/nasm_2.14.02.bb4
2 files changed, 119 insertions, 1 deletions
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
new file mode 100644
index 0000000000..6e3f909d0f
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
@@ -0,0 +1,116 @@
1From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001
2From: Cyrill Gorcunov <gorcunov@gmail.com>
3Date: Wed, 14 Nov 2018 10:03:42 +0300
4Subject: [PATCH] preproc: Fix malformed parameter count
5
6readnum returns 64bit number which may become
7a negative integer upon conversion which in
8turn lead to out of bound array access.
9
10Fix it by explicit conversion with bounds check
11
12 | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647]
13
14https://bugzilla.nasm.us/show_bug.cgi?id=3392528
15
16Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
17
18Upstream-Status: Backport
19CVE: CVE-2018-19755
20Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
21---
22 asm/preproc.c | 43 +++++++++++++++++++++----------------------
23 1 file changed, 21 insertions(+), 22 deletions(-)
24
25diff --git a/asm/preproc.c b/asm/preproc.c
26index b6afee3..e5ad05a 100644
27--- a/asm/preproc.c
28+++ b/asm/preproc.c
29@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn,
30 return false;
31 }
32
33+/* param should be a natural number [0; INT_MAX] */
34+static int read_param_count(const char *str)
35+{
36+ int result;
37+ bool err;
38+
39+ result = readnum(str, &err);
40+ if (result < 0 || result > INT_MAX) {
41+ result = 0;
42+ nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]",
43+ str, 0, INT_MAX);
44+ } else if (err) {
45+ nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str);
46+ }
47+ return result;
48+}
49+
50 /*
51 * Count and mark off the parameters in a multi-line macro call.
52 * This is called both from within the multi-line macro expansion
53@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
54 pp_directives[ct]);
55 } else {
56 searching.nparam_min = searching.nparam_max =
57- readnum(tline->text, &j);
58- if (j)
59- nasm_error(ERR_NONFATAL,
60- "unable to parse parameter count `%s'",
61- tline->text);
62+ read_param_count(tline->text);
63 }
64 if (tline && tok_is_(tline->next, "-")) {
65 tline = tline->next->next;
66@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
67 "`%s' expects a parameter count after `-'",
68 pp_directives[ct]);
69 else {
70- searching.nparam_max = readnum(tline->text, &j);
71- if (j)
72- nasm_error(ERR_NONFATAL,
73- "unable to parse parameter count `%s'",
74- tline->text);
75+ searching.nparam_max = read_param_count(tline->text);
76 if (searching.nparam_min > searching.nparam_max) {
77 nasm_error(ERR_NONFATAL,
78 "minimum parameter count exceeds maximum");
79@@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname)
80 */
81 static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
82 {
83- bool err;
84-
85 tline = tline->next;
86 skip_white_(tline);
87 tline = expand_id(tline);
88@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
89 if (!tok_type_(tline, TOK_NUMBER)) {
90 nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive);
91 } else {
92- def->nparam_min = def->nparam_max =
93- readnum(tline->text, &err);
94- if (err)
95- nasm_error(ERR_NONFATAL,
96- "unable to parse parameter count `%s'", tline->text);
97+ def->nparam_min = def->nparam_max = read_param_count(tline->text);
98 }
99 if (tline && tok_is_(tline->next, "-")) {
100 tline = tline->next->next;
101@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
102 nasm_error(ERR_NONFATAL,
103 "`%s' expects a parameter count after `-'", directive);
104 } else {
105- def->nparam_max = readnum(tline->text, &err);
106- if (err) {
107- nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'",
108- tline->text);
109- }
110+ def->nparam_max = read_param_count(tline->text);
111 if (def->nparam_min > def->nparam_max) {
112 nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum");
113 def->nparam_max = def->nparam_min;
114--
1152.10.5.GIT
116
diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
index ecec78d8ec..e4f964ce93 100644
--- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
@@ -3,7 +3,9 @@ SECTION = "devel"
3LICENSE = "BSD-2-Clause" 3LICENSE = "BSD-2-Clause"
4LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" 4LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
5 5
6SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2" 6SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
7 file://CVE-2018-19755.patch \
8 "
7 9
8SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f" 10SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f"
9SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc" 11SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc"