fix CVE-2019-20352 CVE-2020-24241

2021-01-07 10:46:03 +08:00 · 2021-01-07 10:46:03 +08:00 · 0e3b35ff04
commit 0e3b35ff04
parent a852df8a04
4 changed files with 192 additions and 1 deletions
--- a/backport-CVE-2019-20352.patch
+++ b/backport-CVE-2019-20352.patch
@ -0,0 +1,52 @@
 From 7c88289e222dc5ef9f53f9e86ecaab1924744b88 Mon Sep 17 00:00:00 2001
 From: Cyrill Gorcunov <gorcunov@gmail.com>
 Date: Tue, 18 Aug 2020 11:25:14 +0300
 Subject: [PATCH] BR3392711: preproc: fix memory corruption in
 expand_one_smacro
 https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88
 The mempcpy helper returns *last* byte pointer thus when
 we call set_text_free we have to pass a pointer to the
 start of the string.
 Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
 ---
 asm/preproc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/asm/preproc.c b/asm/preproc.c
 index fec9520..1368cee 100644
 --- a/asm/preproc.c
 +++ b/asm/preproc.c
@@ -5531,7 +5531,7 @@ static SMacro *expand_one_smacro(Token ***tpp)
         {
             size_t mlen = strlen(m->name);
 	    size_t len;
 -            char *p;
 +            char *p, *from;
             t->type = mstart->type;
             if (t->type == TOK_LOCAL_MACRO) {
@@ -5544,15 +5544,15 @@ static SMacro *expand_one_smacro(Token ***tpp)
                 plen = pep - psp;
                 len = mlen + plen;
 -                p = nasm_malloc(len + 1);
 +                from = p = nasm_malloc(len + 1);
                 p = mempcpy(p, psp, plen);
             } else {
                 len = mlen;
 -                p = nasm_malloc(len + 1);
 +                from = p = nasm_malloc(len + 1);
             }
             p = mempcpy(p, m->name, mlen);
             *p = '\0';
 -	    set_text_free(t, p, len);
 +	    set_text_free(t, from, len);
             t->next = tline;
             break;
 -- 
 2.23.0
--- a/backport-CVE-2020-24241-1.patch
+++ b/backport-CVE-2020-24241-1.patch
@ -0,0 +1,76 @@
 From 6ac6ac57e3d01ea8ed4ea47706eb724b59176461 Mon Sep 17 00:00:00 2001
 From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
 Date: Thu, 30 Jul 2020 15:46:12 -0700
 Subject: [PATCH] parser: when flattening an eop, must preserve any data buffer
 https://github.com/netwide-assembler/nasm/commit/6ac6ac57e3d01ea8ed4ea47706eb724b59176461
 An eop may have a data buffer associated with it as part of the same
 memory allocation. Therefore, we need to move "subexpr" up instead of
 merging it into "eop".
 This *partially* resolves BR 3392707, but that test case still
 triggers a violation when using -gcv8.
 Reported-by: Suhwan <prada960808@gmail.com>
 Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
 ---
 asm/parser.c       | 16 +++++++++++-----
 test/br3392707.asm | 21 +++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 test/br3392707.asm
 diff --git a/asm/parser.c b/asm/parser.c
 index dbd2240c..584e40c9 100644
 --- a/asm/parser.c
 +++ b/asm/parser.c
@@ -458,11 +458,17 @@ static int parse_eops(extop **result, bool critical, int elem)
                 /* Subexpression is empty */
                 eop->type = EOT_NOTHING;
             } else if (!subexpr->next) {
 -                /* Subexpression is a single element, flatten */
 -                eop->val   = subexpr->val;
 -                eop->type  = subexpr->type;
 -                eop->dup  *= subexpr->dup;
 -                nasm_free(subexpr);
 +                /*
 +                 * Subexpression is a single element, flatten.
 +                 * Note that if subexpr has an allocated buffer associated
 +                 * with it, freeing it would free the buffer, too, so
 +                 * we need to move subexpr up, not eop down.
 +                 */
 +                if (!subexpr->elem)
 +                    subexpr->elem = eop->elem;
 +                subexpr->dup *= eop->dup;
 +                nasm_free(eop);
 +                eop = subexpr;
             } else {
                 eop->type = EOT_EXTOP;
             }
 diff --git a/test/br3392707.asm b/test/br3392707.asm
 new file mode 100644
 index 00000000..6e84c5b4
 --- /dev/null
 +++ b/test/br3392707.asm
@@ -0,0 +1,21 @@
 +	bits 32
 +
 +	db 33
 +	db (44)
 +;	db (44,55)	-- error
 +	db %(44.55)
 +	db %('XX','YY')
 +	db ('AA')
 +	db %('BB')
 +	db ?
 +	db 6 dup (33)
 +	db 6 dup (33, 34)
 +	db 6 dup (33, 34), 35
 +	db 7 dup (99)
 +	db 7 dup (?,?)
 +	dw byte (?,44)
 +
 +	dw 0xcc, 4 dup byte ('PQR'), ?, 0xabcd
 +
 +	dd 16 dup (0xaaaa, ?, 0xbbbbbb)
 +	dd 64 dup (?)
--- a/backport-CVE-2020-24241-2.patch
+++ b/backport-CVE-2020-24241-2.patch
@ -0,0 +1,55 @@
 From 78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c Mon Sep 17 00:00:00 2001
 From: "H. Peter Anvin (Intel)" <hpa@zytor.com>
 Date: Thu, 30 Jul 2020 17:06:24 -0700
 Subject: [PATCH] output/codeview.c: use list_for_each_safe() to free a list
 https://github.com/netwide-assembler/nasm/commit/78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c
 Using list_for_each() is by definition not safe when freeing the
 members of the list, use list_for_each_free() instead.
 Also, use nasm_new() and nasm_free() where appropriate.
 This was discovered as a downstream bug from BR 3392707.
 Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
 ---
 output/codeview.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
 diff --git a/output/codeview.c b/output/codeview.c
 index be3fd27a..8276a4f3 100644
 --- a/output/codeview.c
 +++ b/output/codeview.c
@@ -305,7 +305,7 @@ static void build_type_table(struct coff_Section *const sect);
 static void cv8_cleanup(void)
 {
     struct cv8_symbol *sym;
 -    struct source_file *file;
 +    struct source_file *file, *ftmp;
     struct coff_Section *symbol_sect = coff_sects[cv8_state.symbol_sect];
     struct coff_Section *type_sect = coff_sects[cv8_state.type_sect];
@@ -316,10 +316,10 @@ static void cv8_cleanup(void)
     build_symbol_table(symbol_sect);
     build_type_table(type_sect);
 -    list_for_each(file, cv8_state.source_files) {
 +    list_for_each_safe(file, ftmp, cv8_state.source_files) {
         nasm_free(file->fullname);
         saa_free(file->lines);
 -        free(file);
 +        nasm_free(file);
     }
     hash_free(&cv8_state.file_hash);
@@ -398,8 +398,7 @@ static struct source_file *register_file(const char *filename)
         fullpath = nasm_realpath(filename);
 -        file = nasm_zalloc(sizeof(*file));
 -
 +        nasm_new(file);
         file->filename = filename;
         file->fullname = fullpath;
         file->fullnamelen = strlen(fullpath);
--- a/nasm.spec
+++ b/nasm.spec
@ -8,12 +8,17 @@
 Name:     nasm
 Version:  2.15.03
-Release:  1
+Release:  2
 Summary:  The Netwide Assembler, a portable x86 assembler with Intel-like syntax
 License:  BSD
 URL:      http://www.nasm.us
 Source0:  http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2
 Source1:  http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2
 Patch6000: backport-CVE-2019-20352.patch
 Patch6001: backport-CVE-2020-24241-1.patch
 Patch6002: backport-CVE-2020-24241-2.patch
 #https://bugzilla.nasm.us/attachment.cgi?id=411648
 BuildRequires: perl(Env) autoconf asciidoc xmlto gcc make git
@ -82,6 +87,9 @@ make all %{?_smp_mflags}
 %{_mandir}/man1/ld*
 %changelog
 * Thu Jan 07 2020 shixuantong <shixuantong@huawei.com> - 2.15.03-2
 - fix CVE-2019-20352 CVE-2020-24241 
 * Thu Jul 23 2020 shixuantong <shixuantong@huawei.com> - 2.15.03-1
 - update to 2.15.03-1