diff options
| author |   Anuj Mittal <anuj.mittal@intel.com> | 2020-01-17 19:14:30 +0200 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2020-01-22 18:14:57 -0800 |
| commit | 021c8ae8e115ff6bab167146d97a340d4945118d (patch) | |
| tree | f0954c8d0e7c69ad6863317f5003c8d106eead9e | |
| parent | 9c4d7a92f4f6e4070102b12de44d9bfe6f944735 (diff) | |
| download | openembedded-core-contrib-021c8ae8e115ff6bab167146d97a340d4945118d.tar.gz | |
nasm: fix CVE-2018-19755
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
| -rw-r--r-- | meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch | 116 | ||||
| -rw-r--r-- | meta/recipes-devtools/nasm/nasm_2.14.02.bb | 4 |
2 files changed, 119 insertions, 1 deletions
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch new file mode 100644 index 0000000000..6e3f909d0f --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch @@ -0,0 +1,116 @@ +From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov <gorcunov@gmail.com> +Date: Wed, 14 Nov 2018 10:03:42 +0300 +Subject: [PATCH] preproc: Fix malformed parameter count + +readnum returns 64bit number which may become +a negative integer upon conversion which in +turn lead to out of bound array access. + +Fix it by explicit conversion with bounds check + + | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647] + +https://bugzilla.nasm.us/show_bug.cgi?id=3392528 + +Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> + +Upstream-Status: Backport +CVE: CVE-2018-19755 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + asm/preproc.c | 43 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +diff --git a/asm/preproc.c b/asm/preproc.c +index b6afee3..e5ad05a 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn, + return false; + } + ++/* param should be a natural number [0; INT_MAX] */ ++static int read_param_count(const char *str) ++{ ++ int result; ++ bool err; ++ ++ result = readnum(str, &err); ++ if (result < 0 || result > INT_MAX) { ++ result = 0; ++ nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]", ++ str, 0, INT_MAX); ++ } else if (err) { ++ nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str); ++ } ++ return result; ++} ++ + /* + * Count and mark off the parameters in a multi-line macro call. + * This is called both from within the multi-line macro expansion +@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) + pp_directives[ct]); + } else { + searching.nparam_min = searching.nparam_max = +- readnum(tline->text, &j); +- if (j) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", +- tline->text); ++ read_param_count(tline->text); + } + if (tline && tok_is_(tline->next, "-")) { + tline = tline->next->next; +@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) + "`%s' expects a parameter count after `-'", + pp_directives[ct]); + else { +- searching.nparam_max = readnum(tline->text, &j); +- if (j) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", +- tline->text); ++ searching.nparam_max = read_param_count(tline->text); + if (searching.nparam_min > searching.nparam_max) { + nasm_error(ERR_NONFATAL, + "minimum parameter count exceeds maximum"); +@@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname) + */ + static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + { +- bool err; +- + tline = tline->next; + skip_white_(tline); + tline = expand_id(tline); +@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + if (!tok_type_(tline, TOK_NUMBER)) { + nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive); + } else { +- def->nparam_min = def->nparam_max = +- readnum(tline->text, &err); +- if (err) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", tline->text); ++ def->nparam_min = def->nparam_max = read_param_count(tline->text); + } + if (tline && tok_is_(tline->next, "-")) { + tline = tline->next->next; +@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + nasm_error(ERR_NONFATAL, + "`%s' expects a parameter count after `-'", directive); + } else { +- def->nparam_max = readnum(tline->text, &err); +- if (err) { +- nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", +- tline->text); +- } ++ def->nparam_max = read_param_count(tline->text); + if (def->nparam_min > def->nparam_max) { + nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum"); + def->nparam_max = def->nparam_min; +-- +2.10.5.GIT + diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb index ecec78d8ec..e4f964ce93 100644 --- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb +++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb @@ -3,7 +3,9 @@ SECTION = "devel" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" -SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2" +SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ + file://CVE-2018-19755.patch \ + " SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f" SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc" |