diff --git a/CVE-2018-10254.patch b/CVE-2018-10254.patch deleted file mode 100644 index bdf6bd13b6850e2a053ddfcabe92493ebfcba6ae..0000000000000000000000000000000000000000 --- a/CVE-2018-10254.patch +++ /dev/null @@ -1,345 +0,0 @@ -commit cfa3559b8ec9e693142638eedb4d6340ecf01c90 -Author: Adam Majer -Date: Thu Jun 28 13:03:06 2018 +0200 - - Verify we do not read longer than the buffer - - Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read - in the disasm function of the disasm/disasm.c file. - - Bug: 3392475 - 
Signed-off-by: Adam Majer - -diff --git a/disasm/disasm.c b/disasm/disasm.c -index a75d839e..a503434b 100644 ---- a/disasm/disasm.c -+++ b/disasm/disasm.c -@@ -474,8 +474,10 @@ static uint8_t *do_ea(uint8_t *data, int modrm, int asize, - * stream in data. Return the number of bytes matched if so. - */ - #define case4(x) case (x): case (x)+1: case (x)+2: case (x)+3 -+#define check_can_read_data_byte() if (--remaining_bytes < 0) return 0 -+#define check_can_read_data_bytes(n) { if (remaining_bytes < n) return 0; remaining_bytes -= n; } while(0) - --static int matches(const struct itemplate *t, uint8_t *data, -+static int matches(const struct itemplate *t, uint8_t *data, int remaining_bytes, - const struct prefix_info *prefix, int segsize, insn *ins) - { - uint8_t *r = (uint8_t *)(t->code); -@@ -525,9 +527,11 @@ static int matches(const struct itemplate *t, uint8_t *data, - case 02: - case 03: - case 04: -- while (c--) -+ while (c--) { -+ check_can_read_data_byte(); - if (*r++ != *data++) - return 0; -+ } - break; - - case 05: -@@ -538,7 +542,9 @@ static int matches(const struct itemplate *t, uint8_t *data, - - case4(010): - { -- int t = *r++, d = *data++; -+ int d, t = *r++; -+ check_can_read_data_byte(); -+ d = *data++; - if (d < t || d > t + 7) - return 0; - else { -@@ -555,28 +561,34 @@ static int matches(const struct itemplate *t, uint8_t *data, - break; - - case4(0274): -+ check_can_read_data_byte(); - opx->offset = (int8_t)*data++; - opx->segment |= SEG_SIGNED; - break; - - case4(020): -+ check_can_read_data_byte(); - opx->offset = *data++; - break; - - case4(024): -+ check_can_read_data_byte(); - opx->offset = *data++; - break; - - case4(030): -+ check_can_read_data_bytes(2); - opx->offset = getu16(data); - data += 2; - break; - - case4(034): - if (osize == 32) { -+ check_can_read_data_bytes(4); - opx->offset = getu32(data); - data += 4; - } else { -+ check_can_read_data_bytes(2); - opx->offset = getu16(data); - data += 2; - } -@@ -585,11 +597,13 @@ static int 
matches(const struct itemplate *t, uint8_t *data, - break; - - case4(040): -+ check_can_read_data_bytes(4); - opx->offset = getu32(data); - data += 4; - break; - - case4(0254): -+ check_can_read_data_bytes(4); - opx->offset = gets32(data); - data += 4; - break; -@@ -597,18 +611,21 @@ static int matches(const struct itemplate *t, uint8_t *data, - case4(044): - switch (asize) { - case 16: -+ check_can_read_data_bytes(2); - opx->offset = getu16(data); - data += 2; - if (segsize != 16) - opx->disp_size = 16; - break; - case 32: -+ check_can_read_data_bytes(4); - opx->offset = getu32(data); - data += 4; - if (segsize == 16) - opx->disp_size = 32; - break; - case 64: -+ check_can_read_data_bytes(8); - opx->offset = getu64(data); - opx->disp_size = 64; - data += 8; -@@ -617,16 +634,19 @@ static int matches(const struct itemplate *t, uint8_t *data, - break; - - case4(050): -+ check_can_read_data_byte(); - opx->offset = gets8(data++); - opx->segment |= SEG_RELATIVE; - break; - - case4(054): -+ check_can_read_data_bytes(8); - opx->offset = getu64(data); - data += 8; - break; - - case4(060): -+ check_can_read_data_bytes(2); - opx->offset = gets16(data); - data += 2; - opx->segment |= SEG_RELATIVE; -@@ -637,6 +657,7 @@ static int matches(const struct itemplate *t, uint8_t *data, - opx->segment |= SEG_RELATIVE; - /* In long mode rel is always 32 bits, sign extended. */ - if (segsize == 64 || osize == 32) { -+ check_can_read_data_bytes(4); - opx->offset = gets32(data); - data += 4; - if (segsize != 64) -@@ -644,6 +665,7 @@ static int matches(const struct itemplate *t, uint8_t *data, - opx->type = (opx->type & ~SIZE_MASK) - | (segsize == 64 ? 
BITS64 : BITS32); - } else { -+ check_can_read_data_bytes(2); - opx->offset = gets16(data); - data += 2; - opx->segment &= ~SEG_32BIT; -@@ -652,6 +674,7 @@ static int matches(const struct itemplate *t, uint8_t *data, - break; - - case4(070): -+ check_can_read_data_bytes(4); - opx->offset = gets32(data); - data += 4; - opx->segment |= SEG_32BIT | SEG_RELATIVE; -@@ -662,11 +685,19 @@ static int matches(const struct itemplate *t, uint8_t *data, - case4(0120): - case4(0130): - { -- int modrm = *data++; -+ int modrm; -+ uint8_t *new_data; -+ -+ check_can_read_data_byte(); -+ modrm = *data++; - opx->segment |= SEG_RMREG; -- data = do_ea(data, modrm, asize, segsize, eat, opy, ins); -- if (!data) -+ new_data = do_ea(data, modrm, asize, segsize, eat, opy, ins); -+ if (!new_data) -+ return 0; -+ remaining_bytes = data + remaining_bytes - new_data; -+ if (remaining_bytes < 0) - return 0; -+ data = new_data; - opx->basereg = ((modrm >> 3) & 7) + (ins->rex & REX_R ? 8 : 0); - if ((ins->rex & REX_EV) && (segsize == 64)) - opx->basereg += (ins->evex_p[0] & EVEX_P0RP ? 
0 : 16); -@@ -675,7 +706,10 @@ static int matches(const struct itemplate *t, uint8_t *data, - - case 0172: - { -- uint8_t ximm = *data++; -+ uint8_t ximm; -+ -+ check_can_read_data_byte(); -+ ximm = *data++; - c = *r++; - ins->oprs[c >> 3].basereg = (ximm >> 4) & regmask; - ins->oprs[c >> 3].segment |= SEG_RMREG; -@@ -685,7 +719,10 @@ static int matches(const struct itemplate *t, uint8_t *data, - - case 0173: - { -- uint8_t ximm = *data++; -+ uint8_t ximm; -+ -+ check_can_read_data_byte(); -+ ximm = *data++; - c = *r++; - - if ((c ^ ximm) & 15) -@@ -698,7 +735,10 @@ static int matches(const struct itemplate *t, uint8_t *data, - - case4(0174): - { -- uint8_t ximm = *data++; -+ uint8_t ximm; -+ -+ check_can_read_data_byte(); -+ ximm = *data++; - - opx->basereg = (ximm >> 4) & regmask; - opx->segment |= SEG_RMREG; -@@ -714,12 +754,20 @@ static int matches(const struct itemplate *t, uint8_t *data, - case4(0230): - case4(0234): - { -- int modrm = *data++; -+ int modrm; -+ uint8_t *new_data; -+ -+ check_can_read_data_byte(); -+ modrm = *data++; - if (((modrm >> 3) & 07) != (c & 07)) - return 0; /* spare field doesn't match up */ -- data = do_ea(data, modrm, asize, segsize, eat, opy, ins); -- if (!data) -+ new_data = do_ea(data, modrm, asize, segsize, eat, opy, ins); -+ if (!new_data) -+ return 0; -+ remaining_bytes = data + remaining_bytes - new_data; -+ if (remaining_bytes < 0) - return 0; -+ data = new_data; - break; - } - -@@ -935,7 +983,10 @@ static int matches(const struct itemplate *t, uint8_t *data, - - case 0330: - { -- int t = *r++, d = *data++; -+ int t = *r++, d; -+ -+ check_can_read_data_byte(); -+ d = *data++; - if (d < t || d > t + 15) - return 0; - else -@@ -1126,6 +1177,8 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - bool end_prefix; - bool is_evex; - -+ int remaining_bytes = INSN_MAX; -+ - memset(&ins, 0, sizeof ins); - - /* -@@ -1141,6 +1194,8 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - - 
end_prefix = false; - while (!end_prefix) { -+ check_can_read_data_byte(); -+ - switch (*data) { - case 0xF2: - case 0xF3: -@@ -1185,6 +1240,7 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - - case 0xC4: - case 0xC5: -+ check_can_read_data_byte(); - if (segsize == 64 || (data[1] & 0xc0) == 0xc0) { - prefix.vex[0] = *data++; - prefix.vex[1] = *data++; -@@ -1193,6 +1249,7 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - prefix.vex_c = RV_VEX; - - if (prefix.vex[0] == 0xc4) { -+ check_can_read_data_byte(); - prefix.vex[2] = *data++; - prefix.rex |= (~prefix.vex[1] >> 5) & 7; /* REX_RXB */ - prefix.rex |= (prefix.vex[2] >> (7-3)) & REX_W; -@@ -1213,7 +1270,8 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - - case 0x62: - { -- if (segsize == 64 || ((data[1] & 0xc0) == 0xc0)) { -+ if (segsize == 64 || (remaining_bytes > 3 && (data[1] & 0xc0) == 0xc0)) { -+ check_can_read_data_bytes(3); - data++; /* 62h EVEX prefix */ - prefix.evex[0] = *data++; - prefix.evex[1] = *data++; -@@ -1235,8 +1293,10 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - } - - case 0x8F: -- if ((data[1] & 030) != 0 && -+ check_can_read_data_byte(); -+ if ((data[1] & 030) != 0 && - (segsize == 64 || (data[1] & 0xc0) == 0xc0)) { -+ check_can_read_data_byte(); - prefix.vex[0] = *data++; - prefix.vex[1] = *data++; - prefix.vex[2] = *data++; -@@ -1280,6 +1340,7 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - break; - - default: -+ remaining_bytes++; /* didn't actually use the last byte */ - end_prefix = true; - break; - } -@@ -1293,14 +1354,17 @@ int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize, - return 0; /* No instruction table at all... 
*/ - - dp = data; -+ -+ check_can_read_data_byte(); - ix += *dp++; - while (ix->n == -1) { -+ check_can_read_data_byte(); - ix = (const struct disasm_index *)ix->p + *dp++; - } - - p = (const struct itemplate * const *)ix->p; - for (n = ix->n; n; n--, p++) { -- if ((length = matches(*p, data, &prefix, segsize, &tmp_ins))) { -+ if ((length = matches(*p, data, remaining_bytes, &prefix, segsize, &tmp_ins))) { - works = true; - /* - * Final check to make sure the types of r/m match up. diff --git a/Drop-unused-seg_init.patch b/Drop-unused-seg_init.patch deleted file mode 100644 index 652f78f1ccec37a915fceb00545b5b76395d6d7a..0000000000000000000000000000000000000000 --- a/Drop-unused-seg_init.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 5eb1838b4d3752fd863d19442943983a2a5ee87c Mon Sep 17 00:00:00 2001 -From: Cyrill Gorcunov -Date: Sat, 10 Feb 2018 00:33:41 +0300 -Subject: [PATCH] nasmlib: Drop unused seg_init - -The helper has been eliminated in 2c4a4d5810d0a59b033a07876a2648ef5d4c2859 - -https://bugzilla.nasm.us/show_bug.cgi?id=3392461 - -Signed-off-by: Cyrill Gorcunov ---- - include/nasmlib.h | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/include/nasmlib.h b/include/nasmlib.h -index 79e866b5..fee1b5ea 100644 ---- a/include/nasmlib.h -+++ b/include/nasmlib.h -@@ -188,10 +188,8 @@ int64_t readnum(char *str, bool *error); - int64_t readstrnum(char *str, int length, bool *warn); - - /* -- * seg_init: Initialise the segment-number allocator. - * seg_alloc: allocate a hitherto unused segment number. - */ --void pure_func seg_init(void); - int32_t pure_func seg_alloc(void); - - /* diff --git a/nasm-2.13.03-xdoc.tar.bz2 b/nasm-2.13.03-xdoc.tar.bz2 deleted file mode 100644 index d06df3ed99f33129b12318abb0f13bfac8c7e8d4..0000000000000000000000000000000000000000 Binary files a/nasm-2.13.03-xdoc.tar.bz2 and /dev/null differ 
diff --git a/nasm-2.13.03.tar.bz2 b/nasm-2.13.03.tar.bz2 deleted file mode 100644 index 44f678862bbcbc831b8aff2d881b855b31ae22d6..0000000000000000000000000000000000000000 Binary files a/nasm-2.13.03.tar.bz2 and /dev/null differ diff --git a/nasm-2.15.03-xdoc.tar.bz2 b/nasm-2.15.03-xdoc.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..51b13c4e19448ac2b026a49e26523e3b90fa5393 Binary files /dev/null and b/nasm-2.15.03-xdoc.tar.bz2 differ diff --git a/nasm-2.15.03.tar.bz2 b/nasm-2.15.03.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..11c5867764fb6e0802e8eb089f28dc331134ea3a Binary files /dev/null and b/nasm-2.15.03.tar.bz2 differ diff --git a/nasm.spec b/nasm.spec index 89e221fc06f2ab05a3e9b7b520e3023dce99c68b..bfd352a30d2f36aaeb99d03bf5b6dd0edafe42aa 100644 --- a/nasm.spec +++ b/nasm.spec @@ -7,16 +7,14 @@ %endif Name: nasm -Version: 2.13.03 -Release: 6 +Version: 2.15.03 +Release: 1 Summary: The Netwide Assembler, a portable x86 assembler with Intel-like syntax License: BSD URL: http://www.nasm.us Source0: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2 Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2 #https://bugzilla.nasm.us/attachment.cgi?id=411648 -Patch0000:CVE-2018-10254.patch -Patch0001:Drop-unused-seg_init.patch BuildRequires: perl(Env) autoconf asciidoc xmlto gcc make git Provides: %{name}-rdoff @@ -48,20 +46,19 @@ and text formats. %autosetup -n %{name}-%{version} -p1 %build -autoreconf %configure %if %{with documentation} -%make_build everything +%make everything gzip -9f doc/nasmdoc.{ps,txt} %else make all %{?_smp_mflags} %endif %install -make INSTALLROOT=%{buildroot} install install_rdf +%make_install install_rdf %files -%doc CHANGES README TODO +%doc CHANGES README.md %license AUTHORS %{_bindir}/nasm %{_bindir}/ndisasm 
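Review bot: The first hunk drops `Patch0000: CVE-2018-10254.patch` (and the patch file itself earlier on the page) without recording anywhere that 2.15.03 carries the equivalent upstream fix; the deleted patch names it as commit cfa3559b8ec9e693142638eedb4d6340ecf01c90 ("Verify we do not read longer than the buffer", the `remaining_bytes` bound in disasm/disasm.c), which I believe shipped with NASM 2.14, so the drop is very likely correct, but the changelog entry should say so instead of only "update to 2.15.03-1", e.g. `- drop CVE-2018-10254.patch and Drop-unused-seg_init.patch, both merged upstream`, and a reviewer should spot-check that the 2.15.03 disasm/disasm.c still contains that bound before merging. In the second hunk `%make_build everything` becomes `%make everything` while the other branch keeps the literal `make all %{?_smp_mflags}`; `%make` is not a macro I recognise from the redhat-rpm-config family, and if it is undefined rpm leaves the text unexpanded and the `%{with documentation}` build fails, so either keep `%make_build everything` or confirm the macro exists on the target distribution. Likewise `%make_install install_rdf` passes `DESTDIR=%{buildroot}` where the removed line passed `INSTALLROOT=`; that only works if the 2.15.03 Makefile honours DESTDIR, which is worth confirming since a mismatch would make the install step write outside %{buildroot} or fail.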
@@ -85,8 +82,8 @@ make INSTALLROOT=%{buildroot} install install_rdf %{_mandir}/man1/ld* %changelog -* Tue Jun 9 2020 lizhenhua - 2.13.03-6 -- fix compile error +* Wed Jul 22 2020 shixuantong - 2.15.03-1 +- update to 2.15.03-1 * Fri Mar 20 2020 shijian - 2.13.03-5 - fix CVE-2018-10254