diff options
Diffstat (limited to 'meta/recipes-devtools/nasm')
| -rw-r--r-- | meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch | 116 | ||||
| -rw-r--r-- | meta/recipes-devtools/nasm/nasm/CVE-2019-14248.patch | 43 | ||||
| -rw-r--r-- | meta/recipes-devtools/nasm/nasm_2.14.02.bb | 5 |
3 files changed, 163 insertions, 1 deletions
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch new file mode 100644 index 0000000000..6e3f909d0f --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2018-19755.patch @@ -0,0 +1,116 @@ +From 3079f7966dbed4497e36d5067cbfd896a90358cb Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov <gorcunov@gmail.com> +Date: Wed, 14 Nov 2018 10:03:42 +0300 +Subject: [PATCH] preproc: Fix malformed parameter count + +readnum returns 64bit number which may become +a negative integer upon conversion which in +turn lead to out of bound array access. + +Fix it by explicit conversion with bounds check + + | POC6:2: error: parameter count `2222222222' is out of bounds [0; 2147483647] + +https://bugzilla.nasm.us/show_bug.cgi?id=3392528 + +Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> + +Upstream-Status: Backport +CVE: CVE-2018-19755 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + asm/preproc.c | 43 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +diff --git a/asm/preproc.c b/asm/preproc.c +index b6afee3..e5ad05a 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -1650,6 +1650,23 @@ smacro_defined(Context * ctx, const char *name, int nparam, SMacro ** defn, + return false; + } + ++/* param should be a natural number [0; INT_MAX] */ ++static int read_param_count(const char *str) ++{ ++ int result; ++ bool err; ++ ++ result = readnum(str, &err); ++ if (result < 0 || result > INT_MAX) { ++ result = 0; ++ nasm_error(ERR_NONFATAL, "parameter count `%s' is out of bounds [%d; %d]", ++ str, 0, INT_MAX); ++ } else if (err) { ++ nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", str); ++ } ++ return result; ++} ++ + /* + * Count and mark off the parameters in a multi-line macro call. + * This is called both from within the multi-line macro expansion +@@ -1871,11 +1888,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) + pp_directives[ct]); + } else { + searching.nparam_min = searching.nparam_max = +- readnum(tline->text, &j); +- if (j) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", +- tline->text); ++ read_param_count(tline->text); + } + if (tline && tok_is_(tline->next, "-")) { + tline = tline->next->next; +@@ -1886,11 +1899,7 @@ static bool if_condition(Token * tline, enum preproc_token ct) + "`%s' expects a parameter count after `-'", + pp_directives[ct]); + else { +- searching.nparam_max = readnum(tline->text, &j); +- if (j) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", +- tline->text); ++ searching.nparam_max = read_param_count(tline->text); + if (searching.nparam_min > searching.nparam_max) { + nasm_error(ERR_NONFATAL, + "minimum parameter count exceeds maximum"); +@@ -2079,8 +2088,6 @@ static void undef_smacro(Context *ctx, const char *mname) + */ + static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + { +- bool err; +- + tline = tline->next; + skip_white_(tline); + tline = expand_id(tline); +@@ -2103,11 +2110,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + if (!tok_type_(tline, TOK_NUMBER)) { + nasm_error(ERR_NONFATAL, "`%s' expects a parameter count", directive); + } else { +- def->nparam_min = def->nparam_max = +- readnum(tline->text, &err); +- if (err) +- nasm_error(ERR_NONFATAL, +- "unable to parse parameter count `%s'", tline->text); ++ def->nparam_min = def->nparam_max = read_param_count(tline->text); + } + if (tline && tok_is_(tline->next, "-")) { + tline = tline->next->next; +@@ -2117,11 +2120,7 @@ static bool parse_mmacro_spec(Token *tline, MMacro *def, const char *directive) + nasm_error(ERR_NONFATAL, + "`%s' expects a parameter count after `-'", directive); + } else { +- def->nparam_max = readnum(tline->text, &err); +- if (err) { +- nasm_error(ERR_NONFATAL, "unable to parse parameter count `%s'", +- tline->text); +- } ++ def->nparam_max = read_param_count(tline->text); + if (def->nparam_min > def->nparam_max) { + nasm_error(ERR_NONFATAL, "minimum parameter count exceeds maximum"); + def->nparam_max = def->nparam_min; +-- +2.10.5.GIT + diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2019-14248.patch b/meta/recipes-devtools/nasm/nasm/CVE-2019-14248.patch new file mode 100644 index 0000000000..d45d2cb465 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2019-14248.patch @@ -0,0 +1,43 @@ +From 93d41d82963b2cfd0b24c906f5a8daf53281b559 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin (Intel)" <hpa@zytor.com> +Date: Fri, 16 Aug 2019 01:12:54 -0700 +Subject: [PATCH] BR 3392576: don't segfault on a bad %pragma limit + +Don't segfault on a bad %pragma limit. Instead treat a NULL pointer as +an empty string. + +Reported-by: Ren Kimura <rkx1209dev@gmail.com> +Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com> + +CVE: CVE-2019-14248 +Upstream-Status: Backport [https://repo.or.cz/nasm.git/commit/93d41d82963b2cfd0b24c906f5a8daf53281b559] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + asm/nasm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index c84d675..65116ab 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -212,6 +212,11 @@ nasm_set_limit(const char *limit, const char *valstr) + bool rn_error; + int errlevel; + ++ if (!limit) ++ limit = ""; ++ if (!valstr) ++ valstr = ""; ++ + for (i = 0; i <= LIMIT_MAX; i++) { + if (!nasm_stricmp(limit, limit_info[i].name)) + break; +@@ -204,7 +209,7 @@ nasm_set_limit(const char *limit, const char *valstr) + errlevel = ERR_WARNING|ERR_NOFILE|ERR_USAGE; + else + errlevel = ERR_WARNING|ERR_PASS1|WARN_UNKNOWN_PRAGMA; +- nasm_error(errlevel, "unknown limit: `%s'", limit); ++ nasm_error(errlevel, "invalid limit value: `%s'", valstr); + return DIRR_ERROR; + } + diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb index ecec78d8ec..bd4ecea8b6 100644 --- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb +++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb @@ -3,7 +3,10 @@ SECTION = "devel" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" -SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2" +SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ + file://CVE-2018-19755.patch \ + file://CVE-2019-14248.patch \ + " SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f" SRC_URI[sha256sum] = "34fd26c70a277a9fdd54cb5ecf389badedaf48047b269d1008fbc819b24e80bc" |