fix CVE-2019-20352 CVE-2020-24241

2021-01-07 10:46:03 +08:00 · 2021-01-07 10:46:03 +08:00 · 0e3b35ff04
commit 0e3b35ff04
parent a852df8a04
4 changed files with 192 additions and 1 deletions
--- a/backport-CVE-2019-20352.patch
+++ b/backport-CVE-2019-20352.patch
@ -0,0 +1,52 @@
+From 7c88289e222dc5ef9f53f9e86ecaab1924744b88 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+Date: Tue, 18 Aug 2020 11:25:14 +0300
+Subject: [PATCH] BR3392711: preproc: fix memory corruption in
+ expand_one_smacro
+
+https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88
+
+The mempcpy helper returns *last* byte pointer thus when
+we call set_text_free we have to pass a pointer to the
+start of the string.
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
+---
+ asm/preproc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/asm/preproc.c b/asm/preproc.c
+index fec9520..1368cee 100644
+--- a/asm/preproc.c
+++ b/asm/preproc.c
+@@ -5531,7 +5531,7 @@ static SMacro *expand_one_smacro(Token ***tpp)
+         {
+             size_t mlen = strlen(m->name);
+ 	    size_t len;
+-            char *p;
+            char *p, *from;
+ 
+             t->type = mstart->type;
+             if (t->type == TOK_LOCAL_MACRO) {
+@@ -5544,15 +5544,15 @@ static SMacro *expand_one_smacro(Token ***tpp)
+                 plen = pep - psp;
+ 
+                 len = mlen + plen;
+-                p = nasm_malloc(len + 1);
+                from = p = nasm_malloc(len + 1);
+                 p = mempcpy(p, psp, plen);
+             } else {
+                 len = mlen;
+-                p = nasm_malloc(len + 1);
+                from = p = nasm_malloc(len + 1);
+             }
+             p = mempcpy(p, m->name, mlen);
+             *p = '\0';
+-	    set_text_free(t, p, len);
+	    set_text_free(t, from, len);
+ 
+             t->next = tline;
+             break;
+-- 
+2.23.0
+
--- a/backport-CVE-2020-24241-1.patch
+++ b/backport-CVE-2020-24241-1.patch
@ -0,0 +1,76 @@
+From 6ac6ac57e3d01ea8ed4ea47706eb724b59176461 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
+Date: Thu, 30 Jul 2020 15:46:12 -0700
+Subject: [PATCH] parser: when flattening an eop, must preserve any data buffer
+
+https://github.com/netwide-assembler/nasm/commit/6ac6ac57e3d01ea8ed4ea47706eb724b59176461
+
+An eop may have a data buffer associated with it as part of the same
+memory allocation. Therefore, we need to move "subexpr" up instead of
+merging it into "eop".
+
+This *partially* resolves BR 3392707, but that test case still
+triggers a violation when using -gcv8.
+
+Reported-by: Suhwan <prada960808@gmail.com>
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+---
+ asm/parser.c       | 16 +++++++++++-----
+ test/br3392707.asm | 21 +++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+ create mode 100644 test/br3392707.asm
+
+diff --git a/asm/parser.c b/asm/parser.c
+index dbd2240c..584e40c9 100644
+--- a/asm/parser.c
+++ b/asm/parser.c
+@@ -458,11 +458,17 @@ static int parse_eops(extop **result, bool critical, int elem)
+                 /* Subexpression is empty */
+                 eop->type = EOT_NOTHING;
+             } else if (!subexpr->next) {
+-                /* Subexpression is a single element, flatten */
+-                eop->val   = subexpr->val;
+-                eop->type  = subexpr->type;
+-                eop->dup  *= subexpr->dup;
+-                nasm_free(subexpr);
+                /*
+                 * Subexpression is a single element, flatten.
+                 * Note that if subexpr has an allocated buffer associated
+                 * with it, freeing it would free the buffer, too, so
+                 * we need to move subexpr up, not eop down.
+                 */
+                if (!subexpr->elem)
+                    subexpr->elem = eop->elem;
+                subexpr->dup *= eop->dup;
+                nasm_free(eop);
+                eop = subexpr;
+             } else {
+                 eop->type = EOT_EXTOP;
+             }
+diff --git a/test/br3392707.asm b/test/br3392707.asm
+new file mode 100644
+index 00000000..6e84c5b4
+--- /dev/null
+++ b/test/br3392707.asm
+@@ -0,0 +1,21 @@
+	bits 32
+
+	db 33
+	db (44)
+;	db (44,55)	-- error
+	db %(44.55)
+	db %('XX','YY')
+	db ('AA')
+	db %('BB')
+	db ?
+	db 6 dup (33)
+	db 6 dup (33, 34)
+	db 6 dup (33, 34), 35
+	db 7 dup (99)
+	db 7 dup (?,?)
+	dw byte (?,44)
+
+	dw 0xcc, 4 dup byte ('PQR'), ?, 0xabcd
+
+	dd 16 dup (0xaaaa, ?, 0xbbbbbb)
+	dd 64 dup (?)
--- a/backport-CVE-2020-24241-2.patch
+++ b/backport-CVE-2020-24241-2.patch
@ -0,0 +1,55 @@
+From 78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
+Date: Thu, 30 Jul 2020 17:06:24 -0700
+Subject: [PATCH] output/codeview.c: use list_for_each_safe() to free a list
+
+https://github.com/netwide-assembler/nasm/commit/78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c
+
+Using list_for_each() is by definition not safe when freeing the
+members of the list, use list_for_each_free() instead.
+
+Also, use nasm_new() and nasm_free() where appropriate.
+
+This was discovered as a downstream bug from BR 3392707.
+
+Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+---
+ output/codeview.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/output/codeview.c b/output/codeview.c
+index be3fd27a..8276a4f3 100644
+--- a/output/codeview.c
+++ b/output/codeview.c
+@@ -305,7 +305,7 @@ static void build_type_table(struct coff_Section *const sect);
+ static void cv8_cleanup(void)
+ {
+     struct cv8_symbol *sym;
+-    struct source_file *file;
+    struct source_file *file, *ftmp;
+ 
+     struct coff_Section *symbol_sect = coff_sects[cv8_state.symbol_sect];
+     struct coff_Section *type_sect = coff_sects[cv8_state.type_sect];
+@@ -316,10 +316,10 @@ static void cv8_cleanup(void)
+     build_symbol_table(symbol_sect);
+     build_type_table(type_sect);
+ 
+-    list_for_each(file, cv8_state.source_files) {
+    list_for_each_safe(file, ftmp, cv8_state.source_files) {
+         nasm_free(file->fullname);
+         saa_free(file->lines);
+-        free(file);
+        nasm_free(file);
+     }
+     hash_free(&cv8_state.file_hash);
+ 
+@@ -398,8 +398,7 @@ static struct source_file *register_file(const char *filename)
+ 
+         fullpath = nasm_realpath(filename);
+ 
+-        file = nasm_zalloc(sizeof(*file));
+-
+        nasm_new(file);
+         file->filename = filename;
+         file->fullname = fullpath;
+         file->fullnamelen = strlen(fullpath);
--- a/nasm.spec
+++ b/nasm.spec
@ -8,12 +8,17 @@

 Name:     nasm
 Version:  2.15.03
-Release:  1
+Release:  2
 Summary:  The Netwide Assembler, a portable x86 assembler with Intel-like syntax
 License:  BSD
 URL:      http://www.nasm.us
 Source0:  http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2
 Source1:  http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2
+
+Patch6000: backport-CVE-2019-20352.patch
+Patch6001: backport-CVE-2020-24241-1.patch
+Patch6002: backport-CVE-2020-24241-2.patch
+
 #https://bugzilla.nasm.us/attachment.cgi?id=411648
 BuildRequires: perl(Env) autoconf asciidoc xmlto gcc make git

@ -82,6 +87,9 @@ make all %{?_smp_mflags}
 %{_mandir}/man1/ld*

 %changelog
+* Thu Jan 07 2020 shixuantong <shixuantong@huawei.com> - 2.15.03-2
+- fix CVE-2019-20352 CVE-2020-24241 
+
 * Thu Jul 23 2020 shixuantong <shixuantong@huawei.com> - 2.15.03-1
 - update to 2.15.03-1