diff options
| author | Hongxu Jia <hongxu.jia@windriver.com> | 2018-08-21 14:30:27 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-23 07:32:53 +0100 |
| commit | 10a52e436d2f9a40c04271bc8aeb04c75fb11383 (patch) | |
| tree | 20c139d609ff653ebed254cb10db7cbbcca8cc98 | |
| parent | 4c499a1b10a0c2647b6a753b8f9cd934ae4ad0da (diff) | |
| download | openembedded-core-10a52e436d2f9a40c04271bc8aeb04c75fb11383.tar.gz openembedded-core-10a52e436d2f9a40c04271bc8aeb04c75fb11383.tar.bz2 openembedded-core-10a52e436d2f9a40c04271bc8aeb04c75fb11383.zip | |
nasm: fix CVE-2018-8883 & CVE-2018-8882 & CVE-2018-10316
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch b/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch new file mode 100644 index 0000000000..a56a08b5a8 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch @@ -0,0 +1,65 @@ +From c5785fdf1d660eaefb9711284414262d0cfe8843 Mon Sep 17 00:00:00 2001 +From: Adam Majer <amajer@suse.de> +Date: Fri, 17 Aug 2018 14:48:17 +0800 +Subject: [PATCH] Verify that we are not reading past end of a buffer + +Simple reproducer is just, + + ret &d:ep + +which triggers a buffer overread due to parsing of an invalid +segment override. + +Signed-off-by: Adam Majer <amajer@suse.de> + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392447] +CVE: CVE-2018-8883 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + include/opflags.h | 2 +- + include/tables.h | 1 + + x86/regs.pl | 3 ++- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/opflags.h b/include/opflags.h +index ef2838c1..8d4b6b1e 100644 +--- a/include/opflags.h ++++ b/include/opflags.h +@@ -166,7 +166,7 @@ + #define REG_CLASS_BND GEN_REG_CLASS(9) + + #define is_class(class, op) (!((opflags_t)(class) & ~(opflags_t)(op))) +-#define is_reg_class(class, reg) is_class((class), nasm_reg_flags[(reg)]) ++#define is_reg_class(class, reg) is_class((class), ((reg) < nasm_reg_flags_size ? nasm_reg_flags[(reg)] : 0)) + + #define IS_SREG(reg) is_reg_class(REG_SREG, (reg)) + #define IS_FSGS(reg) is_reg_class(REG_FSGS, (reg)) +diff --git a/include/tables.h b/include/tables.h +index 24a665e2..458752ce 100644 +--- a/include/tables.h ++++ b/include/tables.h +@@ -64,6 +64,7 @@ extern const char * const nasm_reg_names[]; + typedef uint64_t opflags_t; + typedef uint16_t decoflags_t; + extern const opflags_t nasm_reg_flags[]; ++extern const size_t nasm_reg_flags_size; + /* regvals.c */ + extern const int nasm_regvals[]; + +diff --git a/x86/regs.pl b/x86/regs.pl +index 3a1b56f5..cb5cea68 100755 +--- a/x86/regs.pl ++++ b/x86/regs.pl +@@ -158,7 +158,8 @@ if ( $fmt eq 'h' ) { + printf " %-15s /* %-5s */\n", + $regs{$reg}.',', $reg; + } +- print "};\n"; ++ print "};\n\n"; ++ print "const size_t nasm_reg_flags_size = sizeof(nasm_reg_flags) / sizeof(opflags_t);\n"; + } elsif ( $fmt eq 'vc' ) { + # Output regvals.c + print "/* automatically generated from $file - do not edit */\n\n"; +-- +2.17.1 + diff --git a/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch b/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch new file mode 100644 index 0000000000..682d4c7277 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch @@ -0,0 +1,50 @@ +From 7a46d6b9e3a1d8a0ab0d816ef1bf194ad285e082 Mon Sep 17 00:00:00 2001 +From: "Chang S. Bae" <chang.seok.bae@intel.com> +Date: Fri, 17 Aug 2018 14:26:03 +0800 +Subject: [PATCH] assemble: Check global line limit + +Without the limit, the while loop opens to semi-infinite +that will exhaustively consume the heap space. Also, the +index value gets into the garbage. + +https://bugzilla.nasm.us/show_bug.cgi?id=3392474 + +Reported-by : Dongliang Mu <mudongliangabcd@gmail.com> +Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com> +Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> + +Upstream-Status: Backport from upstream [http://repo.or.cz/nasm.git] +CVE: CVE-2018-10316 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + asm/nasm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 8497ec9..81f6cee 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -99,6 +99,8 @@ static char outname[FILENAME_MAX]; + static char listname[FILENAME_MAX]; + static char errname[FILENAME_MAX]; + static int globallineno; /* for forward-reference tracking */ ++#define GLOBALLINENO_MAX INT32_MAX ++ + /* static int pass = 0; */ + const struct ofmt *ofmt = &OF_DEFAULT; + const struct ofmt_alias *ofmt_alias = NULL; +@@ -1360,7 +1362,10 @@ static void assemble_file(char *fname, StrList **depend_ptr) + location.offset = offs = get_curr_offs(); + + while ((line = preproc->getline())) { +- globallineno++; ++ if (globallineno++ == GLOBALLINENO_MAX) ++ nasm_error(ERR_FATAL, ++ "overall line number reaches the maximum %d\n", ++ GLOBALLINENO_MAX); + + /* + * Here we parse our directives; this is not handled by the +-- +2.7.4 + diff --git a/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch b/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch new file mode 100644 index 0000000000..bc706c3f15 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch @@ -0,0 +1,30 @@ +From 33438037e00ec750bff020578b1a5b6f75f60555 Mon Sep 17 00:00:00 2001 +From: Adam Majer <amajer@suse.de> +Date: Fri, 17 Aug 2018 14:41:02 +0800 +Subject: [PATCH] fix CVE-2018-8882 + +https://bugzilla.nasm.us/show_bug.cgi?id=3392445 + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392445] +CVE: CVE-2018-8882 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + asm/float.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/asm/float.c b/asm/float.c +index dcf69fea..2965d3db 100644 +--- a/asm/float.c ++++ b/asm/float.c +@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i) + if (offs) + for (j = MANT_LIMBS-1; j >= offs; j--) + mant[j] = mant[j-offs]; ++ } else if (MANT_LIMBS-1-offs < 0) { ++ j = MANT_LIMBS-1; + } else { + n = mant[MANT_LIMBS-1-offs] >> sr; + for (j = MANT_LIMBS-1; j > offs; j--) { +-- +2.17.1 + diff --git a/meta/recipes-devtools/nasm/nasm_2.13.03.bb b/meta/recipes-devtools/nasm/nasm_2.13.03.bb index 236d7e5e36..6a02df4854 100644 --- a/meta/recipes-devtools/nasm/nasm_2.13.03.bb +++ b/meta/recipes-devtools/nasm/nasm_2.13.03.bb @@ -5,6 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-asmlib-Drop-pure-function-attribute-from-seg_init.patch \ + file://0001-assemble-Check-global-line-limit.patch \ + file://0001-fix-CVE-2018-8882.patch \ + file://0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch \ " SRC_URI[md5sum] = "0c581d482f39d5111879ca9601938f74" |