Fix use-after-free and heap buffer overflow vulnerabilities
Resolves: CVE-2017-10686, CVE-2017-11111
This commit is contained in:
parent
8b29a25b24
commit
44c71b7134
@ -0,0 +1,39 @@
|
||||
From 0e8efb23bec14057b21ff7aab280e5a82e1bde30 Mon Sep 17 00:00:00 2001
|
||||
From: Adam Majer <amajer@suse.de>
|
||||
Date: Tue, 25 Jul 2017 11:12:35 +0200
|
||||
Subject: [PATCH 1/3] preproc: Only concat tok->text if we accounted for its
|
||||
size
|
||||
|
||||
https://bugzilla.nasm.us/show_bug.cgi?id=3392415
|
||||
|
||||
Signed-off-by: Adam Majer <amajer@suse.de>
|
||||
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
|
||||
---
|
||||
asm/preproc.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/asm/preproc.c b/asm/preproc.c
|
||||
index 97e87d2c..22c90f2b 100644
|
||||
--- a/asm/preproc.c
|
||||
+++ b/asm/preproc.c
|
||||
@@ -3845,9 +3845,15 @@ static bool paste_tokens(Token **head, const struct tokseq_match *m,
|
||||
len += strlen(tok->text);
|
||||
p = buf = nasm_malloc(len + 1);
|
||||
|
||||
+ strcpy(p, tok->text);
|
||||
+ p = strchr(p, '\0');
|
||||
+ tok = delete_Token(tok);
|
||||
+
|
||||
while (tok != next) {
|
||||
- strcpy(p, tok->text);
|
||||
- p = strchr(p, '\0');
|
||||
+ if (PP_CONCAT_MATCH(tok, m[i].mask_tail)) {
|
||||
+ strcpy(p, tok->text);
|
||||
+ p = strchr(p, '\0');
|
||||
+ }
|
||||
tok = delete_Token(tok);
|
||||
}
|
||||
|
||||
--
|
||||
2.13.3
|
||||
|
||||
47
0002-preproc-Workaround-a-usage-after-free-bug.patch
Normal file
47
0002-preproc-Workaround-a-usage-after-free-bug.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From 35c32162338847b935bc4d2cab7378caeb48e2ca Mon Sep 17 00:00:00 2001
|
||||
From: Adam Majer <amajer@suse.de>
|
||||
Date: Tue, 25 Jul 2017 10:42:01 +0200
|
||||
Subject: [PATCH 2/3] preproc: Workaround a usage after free bug
|
||||
|
||||
In some circumstantes this free is incorrect resulting
|
||||
in usage after-free. Workaround it by not freeing memory
|
||||
here.
|
||||
|
||||
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
|
||||
|
||||
gorcunov@:
|
||||
- slightly tuneup the comment
|
||||
|
||||
Signed-off-by: Adam Majer <amajer@suse.de>
|
||||
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
|
||||
---
|
||||
asm/preproc.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/asm/preproc.c b/asm/preproc.c
|
||||
index 22c90f2b..f6e296b4 100644
|
||||
--- a/asm/preproc.c
|
||||
+++ b/asm/preproc.c
|
||||
@@ -5101,8 +5101,18 @@ static char *pp_getline(void)
|
||||
nasm_free(m->paramlen);
|
||||
l->finishes->in_progress = 0;
|
||||
}
|
||||
- } else
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * FIXME It is incorrect to always free_mmacro here.
|
||||
+ * It leads to usage-after-free.
|
||||
+ *
|
||||
+ * https://bugzilla.nasm.us/show_bug.cgi?id=3392414
|
||||
+ */
|
||||
+#if 0
|
||||
+ else
|
||||
free_mmacro(m);
|
||||
+#endif
|
||||
}
|
||||
istk->expansion = l->next;
|
||||
nasm_free(l);
|
||||
--
|
||||
2.13.3
|
||||
|
||||
@ -0,0 +1,29 @@
|
||||
From 3018ceaacf334d0da938c9d3cd35ec8b06b4bf90 Mon Sep 17 00:00:00 2001
|
||||
From: Cyrill Gorcunov <gorcunov@gmail.com>
|
||||
Date: Wed, 26 Jul 2017 01:21:16 +0300
|
||||
Subject: [PATCH 3/3] preproc: Free token's text if only it has been modified
|
||||
|
||||
https://bugzilla.nasm.us/show_bug.cgi?id=3392414
|
||||
|
||||
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
|
||||
---
|
||||
asm/preproc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/asm/preproc.c b/asm/preproc.c
|
||||
index f6e296b4..0d0e1040 100644
|
||||
--- a/asm/preproc.c
|
||||
+++ b/asm/preproc.c
|
||||
@@ -1280,8 +1280,8 @@ static char *detoken(Token * tlist, bool expand_locals)
|
||||
t->text = nasm_zalloc(2);
|
||||
} else
|
||||
t->text = nasm_strdup(p);
|
||||
+ nasm_free(q);
|
||||
}
|
||||
- nasm_free(q);
|
||||
}
|
||||
|
||||
/* Expand local macros here and not during preprocessing */
|
||||
--
|
||||
2.13.3
|
||||
|
||||
12
nasm.spec
12
nasm.spec
@ -8,11 +8,14 @@
|
||||
Summary: A portable x86 assembler which uses Intel-like syntax
|
||||
Name: nasm
|
||||
Version: 2.13.01
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: BSD
|
||||
URL: http://www.nasm.us
|
||||
Source0: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2
|
||||
Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2
|
||||
Patch0: 0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch
|
||||
Patch1: 0002-preproc-Workaround-a-usage-after-free-bug.patch
|
||||
Patch2: 0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch
|
||||
BuildRequires: perl(Env)
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: asciidoc
|
||||
@ -54,6 +57,9 @@ include linker, library manager, loader, and information dump.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
tar xjf %{SOURCE1} --strip-components 1
|
||||
|
||||
%build
|
||||
@ -95,6 +101,10 @@ make INSTALLROOT=$RPM_BUILD_ROOT install install_rdf
|
||||
%{_mandir}/man1/ld*
|
||||
|
||||
%changelog
|
||||
* Wed Jul 26 2017 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.13.01-3
|
||||
- Fix use-after-free and heap buffer overflow vulnerabilities
|
||||
- Resolves: CVE-2017-10686, CVE-2017-11111
|
||||
|
||||
* Tue Jul 04 2017 Nils Philippsen <nils@redhat.com> - 2.13.01-2
|
||||
- don't build documentation during modular build
|
||||
- fix bogus changelog date
|
||||
|
||||
Loading…
Reference in New Issue
Block a user