[oe-commits] [openembedded-core] 14/29: nasm: fix CVE-2018-19755
git at git.openembedded.org
git at git.openembedded.org
Tue Jan 28 11:51:56 UTC 2020
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch warrior
in repository openembedded-core.
commit 021c8ae8e115ff6bab167146d97a340d4945118d
Author: Anuj Mittal <anuj.mittal at intel.com>
AuthorDate: Fri Jan 17 19:14:30 2020 +0200
nasm: fix CVE-2018-19755
Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk at stusta.de>
---
.../nasm/nasm/CVE-2018-19755.patch | 116 +++++++++++++++++++++
meta/recipes-devtools/nasm/nasm_2.14.02.bb | 4 +-
2 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
new file mode 100644
index 0000000..6e3f909
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch
@@ -0,0 +1,116 @@
+From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov at gmail.com>
+Date: Wed, 14 Nov 2018 10:03:42 +0300
+Subject: [PATCH] preproc: Fix malformed parameter count
+
+readnum returns 64bit number which may become
+a negative integer upon conversion which in
+turn lead to out of bound array access.
+
+Fix it by explicit conversion with bounds check
+
+ | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647]
+
+https://bugzilla.nasm.us/show_bug.cgi?id=3392528
+
+Signed-off-by: Cyrill Gorcunov <gorcunov at gmail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-19755
+Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
+---
+ asm/preproc.c | 43 +++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 22 deletions(-)
+
+diff --git a/asm/preproc.c b/asm/preproc.c
+index b6afee3..e5ad05a 100644
+--- a/asm/preproc.c
++++ b/asm/preproc.c
+@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn,
+ return false;
+ }
+
++/* param should be a natural number [0; INT_MAX] */
++static int read_param_count(const char *str)
++{
++ int result;
++ bool err;
++
++ result = readnum(str, &err);
++ if (result < 0 || result > INT_MAX) {
++ result = 0;
++ nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]",
++ str, 0, INT_MAX);
++ } else if (err) {
++ nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str);
++ }
++ return result;
++}
++
+ /*
+ * Count and mark off the parameters in a multi-line macro call.
+ * This is called both from within the multi-line macro expansion
+@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
+ pp_directives[ct]);
+ } else {
+ searching.nparam_min = searching.nparam_max =
+- readnum(tline->text, &j);
+- if (j)
+- nasm_error(ERR_NONFATAL,
+- "unable to parse parameter count `%s'",
+- tline->text);
++ read_param_count(tline->text);
+ }
+ if (tline && tok_is_(tline->next, "-")) {
+ tline = tline->next->next;
+@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct)
+ "`%s' expects a parameter count after `-'",
+ pp_directives[ct]);
+ else {
+- searching.nparam_max = readnum(tline->text, &j);
+- if (j)
+- nasm_error(ERR_NONFATAL,
+- "unable to parse parameter count `%s'",
+- tline->text);
++ searching.nparam_max = read_param_count(tline->text);
+ if (searching.nparam_min > searching.nparam_max) {
+ nasm_error(ERR_NONFATAL,
+ "minimum parameter count exceeds maximum");
+@@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname)
+ */
+ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+ {
+- bool err;
+-
+ tline = tline->next;
+ skip_white_(tline);
+ tline = expand_id(tline);
+@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+ if (!tok_type_(tline, TOK_NUMBER)) {
+ nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive);
+ } else {
+- def->nparam_min = def->nparam_max =
+- readnum(tline->text, &err);
+- if (err)
+- nasm_error(ERR_NONFATAL,
+- "unable to parse parameter count `%s'", tline->text);
++ def->nparam_min = def->nparam_max = read_param_count(tline->text);
+ }
+ if (tline && tok_is_(tline->next, "-")) {
+ tline = tline->next->next;
+@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive)
+ nasm_error(ERR_NONFATAL,
+ "`%s' expects a parameter count after `-'", directive);
+ } else {
+- def->nparam_max = readnum(tline->text, &err);
+- if (err) {
+- nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'",
+- tline->text);
+- }
++ def->nparam_max = read_param_count(tline->text);
+ if (def->nparam_min > def->nparam_max) {
+ nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum");
+ def->nparam_max = def->nparam_min;
+--
+2.10.5.GIT
+
diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
index ecec78d..e4f964c 100644
--- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb
@@ -3,7 +3,9 @@ SECTION = "devel"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
-SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2"
+SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
+ file://CVE-2018-19755.patch \
+ "
SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f"
SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list