Fix use-after-free and heap buffer overflow vulnerabilities

Resolves: CVE-2017-10686, CVE-2017-11111
This commit is contained in:
Mikolaj Izdebski 2017-07-26 06:21:51 +02:00
parent 8b29a25b24
commit 44c71b7134
4 changed files with 126 additions and 1 deletions

View File

@ -0,0 +1,39 @@
From 0e8efb23bec14057b21ff7aab280e5a82e1bde30 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Tue, 25 Jul 2017 11:12:35 +0200
Subject: [PATCH 1/3] preproc: Only concat tok->text if we accounted for its
size
https://bugzilla.nasm.us/show_bug.cgi?id=3392415
Signed-off-by: Adam Majer <amajer@suse.de>
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
asm/preproc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/asm/preproc.c b/asm/preproc.c
index 97e87d2c..22c90f2b 100644
--- a/asm/preproc.c
+++ b/asm/preproc.c
@@ -3845,9 +3845,15 @@ static bool paste_tokens(Token **head, const struct tokseq_match *m,
len += strlen(tok->text);
p = buf = nasm_malloc(len + 1);
+ strcpy(p, tok->text);
+ p = strchr(p, '\0');
+ tok = delete_Token(tok);
+
while (tok != next) {
- strcpy(p, tok->text);
- p = strchr(p, '\0');
+ if (PP_CONCAT_MATCH(tok, m[i].mask_tail)) {
+ strcpy(p, tok->text);
+ p = strchr(p, '\0');
+ }
tok = delete_Token(tok);
}
--
2.13.3

View File

@ -0,0 +1,47 @@
From 35c32162338847b935bc4d2cab7378caeb48e2ca Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Tue, 25 Jul 2017 10:42:01 +0200
Subject: [PATCH 2/3] preproc: Workaround a usage after free bug
In some circumstantes this free is incorrect resulting
in usage after-free. Workaround it by not freeing memory
here.
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
gorcunov@:
- slightly tuneup the comment
Signed-off-by: Adam Majer <amajer@suse.de>
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
asm/preproc.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/asm/preproc.c b/asm/preproc.c
index 22c90f2b..f6e296b4 100644
--- a/asm/preproc.c
+++ b/asm/preproc.c
@@ -5101,8 +5101,18 @@ static char *pp_getline(void)
nasm_free(m->paramlen);
l->finishes->in_progress = 0;
}
- } else
+ }
+
+ /*
+ * FIXME It is incorrect to always free_mmacro here.
+ * It leads to usage-after-free.
+ *
+ * https://bugzilla.nasm.us/show_bug.cgi?id=3392414
+ */
+#if 0
+ else
free_mmacro(m);
+#endif
}
istk->expansion = l->next;
nasm_free(l);
--
2.13.3

View File

@ -0,0 +1,29 @@
From 3018ceaacf334d0da938c9d3cd35ec8b06b4bf90 Mon Sep 17 00:00:00 2001
From: Cyrill Gorcunov <gorcunov@gmail.com>
Date: Wed, 26 Jul 2017 01:21:16 +0300
Subject: [PATCH 3/3] preproc: Free token's text if only it has been modified
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
asm/preproc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/asm/preproc.c b/asm/preproc.c
index f6e296b4..0d0e1040 100644
--- a/asm/preproc.c
+++ b/asm/preproc.c
@@ -1280,8 +1280,8 @@ static char *detoken(Token * tlist, bool expand_locals)
t->text = nasm_zalloc(2);
} else
t->text = nasm_strdup(p);
+ nasm_free(q);
}
- nasm_free(q);
}
/* Expand local macros here and not during preprocessing */
--
2.13.3

View File

@ -8,11 +8,14 @@
Summary: A portable x86 assembler which uses Intel-like syntax
Name: nasm
Version: 2.13.01
Release: 2%{?dist}
Release: 3%{?dist}
License: BSD
URL: http://www.nasm.us
Source0: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2
Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2
Patch0: 0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch
Patch1: 0002-preproc-Workaround-a-usage-after-free-bug.patch
Patch2: 0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch
BuildRequires: perl(Env)
BuildRequires: autoconf
BuildRequires: asciidoc
@ -54,6 +57,9 @@ include linker, library manager, loader, and information dump.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
tar xjf %{SOURCE1} --strip-components 1
%build
@ -95,6 +101,10 @@ make INSTALLROOT=$RPM_BUILD_ROOT install install_rdf
%{_mandir}/man1/ld*
%changelog
* Wed Jul 26 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.13.01-3
- Fix use-after-free and heap buffer overflow vulnerabilities
- Resolves: CVE-2017-10686, CVE-2017-11111
* Tue Jul 04 2017 Nils Philippsen <nils@redhat.com> - 2.13.01-2
- don't build documentation during modular build
- fix bogus changelog date