nasm: fix CVE-2018-19755

(From OE-Core rev: 4a46516256c24cb30bc9629371816f893693b488) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-07-17 08:49:37 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-17 19:25:02 +0100
commit: 28688a277050f248d6cee73e3b77f791606e59b3 (patch)
tree: 37741a5734208ba70e63bd2606fb99a6beb73b4e
parent: 897483147f307aae627cf200d492aaff3b4bbef4 (diff)
download: poky-28688a277050f248d6cee73e3b77f791606e59b3.tar.gz
2 files changed, 119 insertions, 1 deletions
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
new file mode 100644
index 0000000000..6e3f909d0f
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
@@ -0,0 +1,116 @@
+From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+Date: Wed, 14 Nov 2018 10:03:42 +0300
+Subject: [PATCH] preproc: Fix malformed parameter count
+readnum returns 64bit number which may become
+a negative integer upon conversion which in
+turn lead to out of bound array access.
+Fix it by explicit conversion with bounds check
+ | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647]
+https://bugzilla.nasm.us/show_bug.cgi?id=3392528
+Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Upstream-Status: Backport
+CVE: CVE-2018-19755
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ asm/preproc.c | 43 +++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 22 deletions(-)
+diff --git a/asm/preproc.c b/asm/preproc.c
+index b6afee3..e5ad05a 100644
+--- a/asm/preproc.c
+++ b/asm/preproc.c
+@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn,
+     return false;
+ }
+ 
+/* param should be a natural number [0; INT_MAX] */
+static int read_param_count(const char *str)
+{
+    int result;
+    bool err;
+
+    result = readnum(str, &err);
+    if (result < 0 || result > INT_MAX) {
+        result = 0;
+        nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]",
+                   str, 0, INT_MAX);
+    } else if (err) {
+        nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str);
+    }
+    return result;
+}
+
+ /*
+  * Count and mark off the parameters in a multi-line macro call.
+  * This is called both from within the multi-line macro expansion
+@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
+                   pp_directives[ct]);
+         } else {
+             searching.nparam_min = searching.nparam_max =
+-                readnum(tline->text, &j);
+-            if (j)
+-                nasm_error(ERR_NONFATAL,
+-                      "unable to parse parameter count `%s'",
+-                      tline->text);
+                read_param_count(tline->text);
+         }
+         if (tline && tok_is_(tline->next, "-")) {
+             tline = tline->next->next;
+@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
+                       "`%s' expects a parameter count after `-'",
+                       pp_directives[ct]);
+             else {
+-                searching.nparam_max = readnum(tline->text, &j);
+-                if (j)
+-                    nasm_error(ERR_NONFATAL,
+-                          "unable to parse parameter count `%s'",
+-                          tline->text);
+                searching.nparam_max = read_param_count(tline->text);
+                 if (searching.nparam_min > searching.nparam_max) {
+                     nasm_error(ERR_NONFATAL,
+                           "minimum parameter count exceeds maximum");
+@@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname)
+  */
+ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+ {
+-    bool err;
+-
+     tline = tline->next;
+     skip_white_(tline);
+     tline = expand_id(tline);
+@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+     if (!tok_type_(tline, TOK_NUMBER)) {
+         nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive);
+     } else {
+-        def->nparam_min = def->nparam_max =
+-            readnum(tline->text, &err);
+-        if (err)
+-            nasm_error(ERR_NONFATAL,
+-                  "unable to parse parameter count `%s'", tline->text);
+        def->nparam_min = def->nparam_max = read_param_count(tline->text);
+     }
+     if (tline && tok_is_(tline->next, "-")) {
+         tline = tline->next->next;
+@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+             nasm_error(ERR_NONFATAL,
+                   "`%s' expects a parameter count after `-'", directive);
+         } else {
+-            def->nparam_max = readnum(tline->text, &err);
+-            if (err) {
+-                nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'",
+-                      tline->text);
+-            }
+            def->nparam_max = read_param_count(tline->text);
+             if (def->nparam_min > def->nparam_max) {
+                 nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum");
+                 def->nparam_max = def->nparam_min;
+-- 
+2.10.5.GIT
diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
index ecec78d8ec..e4f964ce93 100644
--- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
@@ -3,7 +3,9 @@ SECTION = "devel"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
-SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2"
+SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
+           file://CVE-2018-19755.patch \
+           "
 SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f"
 SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc"
author	Anuj Mittal <anuj.mittal@intel.com>	2019-07-17 08:49:37 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-17 19:25:02 +0100
commit	28688a277050f248d6cee73e3b77f791606e59b3 (patch)
tree	37741a5734208ba70e63bd2606fb99a6beb73b4e
parent	897483147f307aae627cf200d492aaff3b4bbef4 (diff)
download	poky-28688a277050f248d6cee73e3b77f791606e59b3.tar.gz

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch new file mode 100644 index 0000000000..6e3f909d0f --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
@@ -0,0 +1,116 @@
		1	From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001
		2	From: Cyrill Gorcunov <gorcunov@gmail.com>
		3	Date: Wed, 14 Nov 2018 10:03:42 +0300
		4	Subject: [PATCH] preproc: Fix malformed parameter count
		5
		6	readnum returns 64bit number which may become
		7	a negative integer upon conversion which in
		8	turn lead to out of bound array access.
		9
		10	Fix it by explicit conversion with bounds check
		11
		12	\| POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647]
		13
		14	https://bugzilla.nasm.us/show_bug.cgi?id=3392528
		15
		16	Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2018-19755
		20	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		21	---
		22	asm/preproc.c \| 43 +++++++++++++++++++++----------------------
		23	1 file changed, 21 insertions(+), 22 deletions(-)
		24
		25	diff --git a/asm/preproc.c b/asm/preproc.c
		26	index b6afee3..e5ad05a 100644
		27	--- a/asm/preproc.c
		28	+++ b/asm/preproc.c
		29	@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char name, int nparam, SMacro * defn,
		30	return false;
		31	}
		32
		33	+/* param should be a natural number [0; INT_MAX] */
		34	+static int read_param_count(const char *str)
		35	+{
		36	+ int result;
		37	+ bool err;
		38	+
		39	+ result = readnum(str, &err);
		40	+ if (result < 0 \|\| result > INT_MAX) {
		41	+ result = 0;
		42	+ nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]",
		43	+ str, 0, INT_MAX);
		44	+ } else if (err) {
		45	+ nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str);
		46	+ }
		47	+ return result;
		48	+}
		49	+
		50	/*
		51	* Count and mark off the parameters in a multi-line macro call.
		52	* This is called both from within the multi-line macro expansion
		53	@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
		54	pp_directives[ct]);
		55	} else {
		56	searching.nparam_min = searching.nparam_max =
		57	- readnum(tline->text, &j);
		58	- if (j)
		59	- nasm_error(ERR_NONFATAL,
		60	- "unable to parse parameter count `%s'",
		61	- tline->text);
		62	+ read_param_count(tline->text);
		63	}
		64	if (tline && tok_is_(tline->next, "-")) {
		65	tline = tline->next->next;
		66	@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
		67	"`%s' expects a parameter count after `-'",
		68	pp_directives[ct]);
		69	else {
		70	- searching.nparam_max = readnum(tline->text, &j);
		71	- if (j)
		72	- nasm_error(ERR_NONFATAL,
		73	- "unable to parse parameter count `%s'",
		74	- tline->text);
		75	+ searching.nparam_max = read_param_count(tline->text);
		76	if (searching.nparam_min > searching.nparam_max) {
		77	nasm_error(ERR_NONFATAL,
		78	"minimum parameter count exceeds maximum");
		79	@@ -2079,8 +2088,6 @@ static void undef_smacro(Context ctx, const char mname)
		80	*/
		81	static bool parse_mmacro_spec(Token tline, MMacro def, const char *directive)
		82	{
		83	- bool err;
		84	-
		85	tline = tline->next;
		86	skip_white_(tline);
		87	tline = expand_id(tline);
		88	@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token tline, MMacro def, const char *directive)
		89	if (!tok_type_(tline, TOK_NUMBER)) {
		90	nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive);
		91	} else {
		92	- def->nparam_min = def->nparam_max =
		93	- readnum(tline->text, &err);
		94	- if (err)
		95	- nasm_error(ERR_NONFATAL,
		96	- "unable to parse parameter count `%s'", tline->text);
		97	+ def->nparam_min = def->nparam_max = read_param_count(tline->text);
		98	}
		99	if (tline && tok_is_(tline->next, "-")) {
		100	tline = tline->next->next;
		101	@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token tline, MMacro def, const char *directive)
		102	nasm_error(ERR_NONFATAL,
		103	"`%s' expects a parameter count after `-'", directive);
		104	} else {
		105	- def->nparam_max = readnum(tline->text, &err);
		106	- if (err) {
		107	- nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'",
		108	- tline->text);
		109	- }
		110	+ def->nparam_max = read_param_count(tline->text);
		111	if (def->nparam_min > def->nparam_max) {
		112	nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum");
		113	def->nparam_max = def->nparam_min;
		114	--
		115	2.10.5.GIT
		116


diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb index ecec78d8ec..e4f964ce93 100644 --- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb +++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
@@ -3,7 +3,9 @@ SECTION = "devel"
3	LICENSE = "BSD-2-Clause"	3	LICENSE = "BSD-2-Clause"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
5		5
6	SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2"	6	SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
		7	file://CVE-2018-19755.patch \
		8	"
7		9
8	SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f"	10	SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f"
9	SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc"	11	SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc"