From 44c71b7134124086cf20f49f47f0596aa58da3b9 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Wed, 26 Jul 2017 06:21:51 +0200 Subject: [PATCH] Fix use-after-free and heap buffer overflow vulnerabilities Resolves: CVE-2017-10686, CVE-2017-11111 --- ...cat-tok-text-if-we-accounted-for-its.patch | 39 +++++++++++++++ ...oc-Workaround-a-usage-after-free-bug.patch | 47 +++++++++++++++++++ ...en-s-text-if-only-it-has-been-modifi.patch | 29 ++++++++++++ nasm.spec | 12 ++++- 4 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch create mode 100644 0002-preproc-Workaround-a-usage-after-free-bug.patch create mode 100644 0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch diff --git a/0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch b/0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch new file mode 100644 index 0000000..0a5f0c6 --- /dev/null +++ b/0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch @@ -0,0 +1,39 @@ +From 0e8efb23bec14057b21ff7aab280e5a82e1bde30 Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Tue, 25 Jul 2017 11:12:35 +0200 +Subject: [PATCH 1/3] preproc: Only concat tok->text if we accounted for its + size + +https://bugzilla.nasm.us/show_bug.cgi?id=3392415 + +Signed-off-by: Adam Majer +Signed-off-by: Cyrill Gorcunov +--- + asm/preproc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/asm/preproc.c b/asm/preproc.c +index 97e87d2c..22c90f2b 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -3845,9 +3845,15 @@ static bool paste_tokens(Token **head, const struct tokseq_match *m, + len += strlen(tok->text); + p = buf = nasm_malloc(len + 1); + ++ strcpy(p, tok->text); ++ p = strchr(p, '\0'); ++ tok = delete_Token(tok); ++ + while (tok != next) { +- strcpy(p, tok->text); +- p = strchr(p, '\0'); ++ if (PP_CONCAT_MATCH(tok, m[i].mask_tail)) { ++ strcpy(p, tok->text); ++ p = strchr(p, '\0'); ++ } + tok = delete_Token(tok); + } + +-- +2.13.3 + diff --git a/0002-preproc-Workaround-a-usage-after-free-bug.patch b/0002-preproc-Workaround-a-usage-after-free-bug.patch new file mode 100644 index 0000000..0a40abf --- /dev/null +++ b/0002-preproc-Workaround-a-usage-after-free-bug.patch @@ -0,0 +1,47 @@ +From 35c32162338847b935bc4d2cab7378caeb48e2ca Mon Sep 17 00:00:00 2001 +From: Adam Majer +Date: Tue, 25 Jul 2017 10:42:01 +0200 +Subject: [PATCH 2/3] preproc: Workaround a usage after free bug + +In some circumstantes this free is incorrect resulting +in usage after-free. Workaround it by not freeing memory +here. + +https://bugzilla.nasm.us/show_bug.cgi?id=3392414 + +gorcunov@: + - slightly tuneup the comment + +Signed-off-by: Adam Majer +Signed-off-by: Cyrill Gorcunov +--- + asm/preproc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/asm/preproc.c b/asm/preproc.c +index 22c90f2b..f6e296b4 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -5101,8 +5101,18 @@ static char *pp_getline(void) + nasm_free(m->paramlen); + l->finishes->in_progress = 0; + } +- } else ++ } ++ ++ /* ++ * FIXME It is incorrect to always free_mmacro here. ++ * It leads to usage-after-free. ++ * ++ * https://bugzilla.nasm.us/show_bug.cgi?id=3392414 ++ */ ++#if 0 ++ else + free_mmacro(m); ++#endif + } + istk->expansion = l->next; + nasm_free(l); +-- +2.13.3 + diff --git a/0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch b/0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch new file mode 100644 index 0000000..71babcd --- /dev/null +++ b/0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch @@ -0,0 +1,29 @@ +From 3018ceaacf334d0da938c9d3cd35ec8b06b4bf90 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Wed, 26 Jul 2017 01:21:16 +0300 +Subject: [PATCH 3/3] preproc: Free token's text if only it has been modified + +https://bugzilla.nasm.us/show_bug.cgi?id=3392414 + +Signed-off-by: Cyrill Gorcunov +--- + asm/preproc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/asm/preproc.c b/asm/preproc.c +index f6e296b4..0d0e1040 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -1280,8 +1280,8 @@ static char *detoken(Token * tlist, bool expand_locals) + t->text = nasm_zalloc(2); + } else + t->text = nasm_strdup(p); ++ nasm_free(q); + } +- nasm_free(q); + } + + /* Expand local macros here and not during preprocessing */ +-- +2.13.3 + diff --git a/nasm.spec b/nasm.spec index a71117c..1dd6622 100644 --- a/nasm.spec +++ b/nasm.spec @@ -8,11 +8,14 @@ Summary: A portable x86 assembler which uses Intel-like syntax Name: nasm Version: 2.13.01 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD URL: http://www.nasm.us Source0: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2 Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2 +Patch0: 0001-preproc-Only-concat-tok-text-if-we-accounted-for-its.patch +Patch1: 0002-preproc-Workaround-a-usage-after-free-bug.patch +Patch2: 0003-preproc-Free-token-s-text-if-only-it-has-been-modifi.patch BuildRequires: perl(Env) BuildRequires: autoconf BuildRequires: asciidoc @@ -54,6 +57,9 @@ include linker, library manager, loader, and information dump. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 tar xjf %{SOURCE1} --strip-components 1 %build @@ -95,6 +101,10 @@ make INSTALLROOT=$RPM_BUILD_ROOT install install_rdf %{_mandir}/man1/ld* %changelog +* Wed Jul 26 2017 Mikolaj Izdebski - 2.13.01-3 +- Fix use-after-free and heap buffer overflow vulnerabilities +- Resolves: CVE-2017-10686, CVE-2017-11111 + * Tue Jul 04 2017 Nils Philippsen - 2.13.01-2 - don't build documentation during modular build - fix bogus changelog date