Fix CVE-2025-67873 and CVE-2025-68114
Add 4.x-specific patch based on upstream commit 2c7797182a1618be12017d7d41e0b6581d5d529e - CVE-2025-67873: Heap buffer overflow via skipdata callback - CVE-2025-68114: Memory corruption via unchecked vsnprintf return Resolves: RHEL-137760
parent
5098d7a339
commit
bc5cd78234
82
CVE-2025-68114-capstone-4.x.patch
Normal file
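--- /dev/null
+++ b/CVE-2025-68114-capstone-4.x.patch
@@ -0,0 +1,82 @@
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 12 Mar 2026
+Subject: [PATCH] Fix CVE-2025-68114 and CVE-2025-67873
+
+Backport of upstream commit 2c7797182a1618be12017d7d41e0b6581d5d529e
+to capstone 4.x branch.
+
+CVE-2025-68114: An unchecked vsnprintf return in SStream_concat lets
+a malicious cs_opt_mem.vsnprintf drive SStream's index negative or
+past the end, leading to a stack buffer underflow/overflow.
+
+CVE-2025-67873: skipdata length is not bounds-checked, allowing a
+user-provided skipdata callback to write more than 24 bytes into
+cs_insn.bytes, causing a heap buffer overflow.
+
+Resolves: CVE-2025-68114, CVE-2025-67873
+---
+diff -ruN a/cs.c b/cs.c
+--- a/cs.c 2020-05-08 06:03:30.000000000 -0400
++++ b/cs.c 2026-03-12 20:39:00.815956322 -0400
+@@ -918,8 +918,8 @@
+// we have to skip some amount of data, depending on arch & mode
+insn_cache->id = 0; // invalid ID for this "data" instruction
+insn_cache->address = offset;
+- insn_cache->size = (uint16_t)skipdata_bytes;
+- memcpy(insn_cache->bytes, buffer, skipdata_bytes);
++ insn_cache->size = (uint16_t)(skipdata_bytes > sizeof(insn_cache->bytes) ? sizeof(insn_cache->bytes) : skipdata_bytes);
++ memcpy(insn_cache->bytes, buffer, skipdata_bytes > sizeof(insn_cache->bytes) ? sizeof(insn_cache->bytes) : skipdata_bytes);
+#ifdef CAPSTONE_DIET
+insn_cache->mnemonic[0] = '\0';
+insn_cache->op_str[0] = '\0';
+@@ -1128,12 +1128,12 @@
+// we have to skip some amount of data, depending on arch & mode
+insn->id = 0; // invalid ID for this "data" instruction
+insn->address = *address;
+- insn->size = (uint16_t)skipdata_bytes;
++ insn->size = (uint16_t)(skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes);
+#ifdef CAPSTONE_DIET
+insn->mnemonic[0] = '\0';
+insn->op_str[0] = '\0';
+#else
+- memcpy(insn->bytes, *code, skipdata_bytes);
++ memcpy(insn->bytes, *code, skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes);
+strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
+sizeof(insn->mnemonic) - 1);
+skipdata_opstr(insn->op_str, *code, skipdata_bytes);
+diff -ruN a/SStream.c b/SStream.c
+--- a/SStream.c 2020-05-08 06:03:30.000000000 -0400
++++ b/SStream.c 2026-03-12 20:39:00.809664584 -0400
+@@ -48,6 +48,10 @@
+va_start(ap, fmt);
+ret = cs_vsnprintf(ss->buffer + ss->index, sizeof(ss->buffer) - (ss->index + 1), fmt, ap);
+va_end(ap);
++ if (ret < 0) {
++ return;
++ }
++ SSTREAM_OVERFLOW_CHECK(ss, ret);
+ss->index += ret;
+#endif
+}
+diff -ruN a/SStream.h b/SStream.h
+--- a/SStream.h 2020-05-08 06:03:30.000000000 -0400
++++ b/SStream.h 2026-03-12 20:39:00.808249452 -0400
+@@ -8,9 +8,17 @@
+
+typedef struct SStream {
+char buffer[512];
+- int index;
++ size_t index;
+} SStream;
+
++#define SSTREAM_OVERFLOW_CHECK(ss, n) \
++ do { \
++ if ((ss)->index + (n) >= sizeof((ss)->buffer)) { \
++ return; \
++ } \
++ } while (0)
++
++
+void SStream_Init(SStream *ss);
+
+void SStream_concat(SStream *ss, const char *fmt, ...);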
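Review bot: The clamp in the second cs.c hunk bounds only the destination of the memcpy; the callback-supplied `skipdata_bytes` is still handed unclamped to `skipdata_opstr(insn->op_str, *code, skipdata_bytes)` on the hunk's last line, and nothing visible in the hunk caps it against the number of input bytes remaining, so a callback that returns more than is left in the caller's buffer can still make the memcpy (up to 24 bytes) and, unless it bounds its own read, skipdata_opstr read past the end of `*code` — unless a check outside the hunk already does this. Clamping also silently decouples `insn->size` from the length the callback asked to skip, which presumably still drives the `*code`/`*address` advance outside the hunk, so callers summing `insn->size` would no longer track the stream; that divergence deserves at least a comment. I would compute the clamped length once, use it for both `size` and the memcpy, and state the two caps in a comment rather than repeating the ternary; the same applies to the `insn_cache` lines in the first hunk. The enclosing functions of both cs.c hunks begin and end outside the hunks.
```c
	// CVE-2025-67873: the skipdata callback controls skipdata_bytes; cap the
	// copy at what cs_insn.bytes can hold. NOTE(review): it must also be capped
	// at the input bytes remaining if the caller does not already do so.
	size_t skip_copy = skipdata_bytes > sizeof(insn->bytes) ? sizeof(insn->bytes) : skipdata_bytes;
	insn->size = (uint16_t)skip_copy;
#ifdef CAPSTONE_DIET
	/* … unchanged: DIET mnemonic/op_str clearing … */
#else
	memcpy(insn->bytes, *code, skip_copy);
	/* … unchanged: strncpy of mnemonic, skipdata_opstr call … */
```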
@ -1,6 +1,6 @@
|
||||
Name: capstone
|
||||
Version: 4.0.2
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Summary: A lightweight multi-platform, multi-architecture disassembly framework
|
||||
|
||||
%global gituser aquynh
|
||||
@ -27,6 +27,9 @@ Source0: https://github.com/%{gituser}/%{gitname}/archive/%{version}.tar.
|
||||
# See: https://github.com/aquynh/capstone/issues/1339
|
||||
# Patch1: 0001-Fix-include-path-in-pkg-config-for-Makefile-too-1339.patch
|
||||
|
||||
# CVE-2025-68114: Check vsnprintf return value
|
||||
Patch0: CVE-2025-68114-capstone-4.x.patch
|
||||
|
||||
%global common_desc %{expand:
|
||||
Capstone is a disassembly framework with the target of becoming the ultimate
|
||||
disasm engine for binary analysis and reversing in the security community.}
|
||||
@ -232,6 +235,10 @@ make check LD_LIBRARY_PATH="`pwd`"
|
||||
%{_javadir}/
|
||||
|
||||
%changelog
|
||||
* Thu Mar 12 2026 Jon Maloy <jmaloy@redhat.com> - 4.0.2-11
|
||||
- Fix CVE-2025-68114 (memory corruption) and CVE-2025-67873 (heap buffer overflow)
|
||||
Resolves: RHEL-137760
|
||||
|
||||
* Fri Sep 02 2022 Miroslav Rezanina <mrezanin@redhat.com> - 4.0.2-10
|
||||
- Import to CentOS 9 Stream / RHEL 9
|
||||
|
||||
|
||||