[Nasm-bugs] [Bug 3392423] New: There is an illegal address access in function paste_tokens() in nasm.
no-reply at bugzilla-nasm.gorcunov.org
no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 00:58:04 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392423
Bug ID: 3392423
Summary: There is an illegal address access in function
paste_tokens() in nasm.
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411601
--> https://bugzilla.nasm.us/attachment.cgi?id=411601&action=edit
Triggered by "./nasm -f bin POC3 -o tmp"
The debugging information is as follows:
$ ./nasm -f bin POC3 -o tmp
id:000106,sig:11,src:001363,op:flip1,pos:752:9: warning: unterminated string
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: parser: instruction
expected
id:000106,sig:11,src:001363,op:flip1,pos:752:11: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:30: error: expression syntax error
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) nonexistent
environment variable `ssign'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) unknown
preprocessor directive `'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
Segmentation fault
The GDB debugging information is as follows:
(gdb) set args -f bin POC3 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm
-f bin id:000106,sig:11,src:001363,op:flip1,pos:752 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000106,sig:11,src:001363,op:flip1,pos:752:9: warning: unterminated string
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: parser: instruction
expected
id:000106,sig:11,src:001363,op:flip1,pos:752:11: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:30: error: expression syntax error
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) nonexistent
environment variable `ssign'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) unknown
preprocessor directive `'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
Program received signal SIGSEGV, Segmentation fault.
0x000000000057938d in paste_tokens (head=0x7fffffffddb0, m=<optimized out>,
mnum=<optimized out>,
handle_explicit=<optimized out>) at asm/preproc.c:3866
3866 while (tok && tok->next)
(gdb) bt
#0 0x000000000057938d in paste_tokens (head=0x7fffffffddb0, m=<optimized out>,
mnum=<optimized out>,
handle_explicit=<optimized out>) at asm/preproc.c:3866
#1 0x0000000000571664 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
#2 0x000000000051c561 in pp_getline () at asm/preproc.c:5210
#3 0x0000000000483517 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#4 main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) list
3861
3862 /*
3863 * Connect pasted into original stream,
3864 * ie A -> new-tokens -> B
3865 */
3866 while (tok && tok->next)
3867 tok = tok->next;
3868 tok->next = next;
3869
3870 if (!pasted)
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==14975==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000057938d sp 0x7fffffffdd00 bp 0x602000004e10 T0)
==14975==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
#0 0x57938c
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x57938c)
#1 0x571663
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x571663)
#2 0x51c560
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51c560)
#3 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
#4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#5 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14975==ABORTING
[Inferior 1 (process 14975) exited with code 01]
(gdb)
Tirgged in:
paste_tokens (head=0x7fffffffddb0, m=<optimized out>, mnum=<optimized out>,
handle_explicit=<optimized out>) at asm/preproc.c:3866
3866 while (tok && tok->next)
(gdb) list
3861
3862 /*
3863 * Connect pasted into original stream,
3864 * ie A -> new-tokens -> B
3865 */
3866 while (tok && tok->next)
3867 tok = tok->next;
3868 tok->next = next;
3869
3870 if (!pasted)
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list