[Nasm-bugs] [Bug 3392423] New: There is an illegal address access in function paste_tokens() in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 00:58:04 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392423

            Bug ID: 3392423
           Summary: There is an illegal address access in function
                    paste_tokens() in nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411601
  --> https://bugzilla.nasm.us/attachment.cgi?id=411601&action=edit
Triggered by "./nasm -f bin  POC3 -o tmp"

The debugging information is as follows:

$ ./nasm -f bin  POC3 -o tmp
id:000106,sig:11,src:001363,op:flip1,pos:752:9: warning: unterminated string
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: parser: instruction
expected
id:000106,sig:11,src:001363,op:flip1,pos:752:11: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:30: error: expression syntax error
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) nonexistent
environment variable `ssign'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) unknown
preprocessor directive `'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args  -f bin  POC3 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm
-f bin  id:000106,sig:11,src:001363,op:flip1,pos:752 -o tmp
 [Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000106,sig:11,src:001363,op:flip1,pos:752:9: warning: unterminated string
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: parser: instruction
expected
id:000106,sig:11,src:001363,op:flip1,pos:752:11: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:16: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: warning: character constant
too long
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:29: error: comma, colon, decorator
or end of line expected after operand
id:000106,sig:11,src:001363,op:flip1,pos:752:17: ... from macro `b_struc'
defined here
id:000106,sig:11,src:001363,op:flip1,pos:752:30: error: expression syntax error
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) nonexistent
environment variable `ssign'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here
id:000106,sig:11,src:001363,op:flip1,pos:752:51: error: (proc:2) unknown
preprocessor directive `'
id:000106,sig:11,src:001363,op:flip1,pos:752:40: ... from macro `proc' defined
here

Program received signal SIGSEGV, Segmentation fault.
0x000000000057938d in paste_tokens (head=0x7fffffffddb0, m=<optimized out>,
mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3866
3866                    while (tok && tok->next)
(gdb)  bt 
#0  0x000000000057938d in paste_tokens (head=0x7fffffffddb0, m=<optimized out>,
mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3866
#1  0x0000000000571664 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
#2  0x000000000051c561 in pp_getline () at asm/preproc.c:5210
#3  0x0000000000483517 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) list 
3861    
3862                    /*
3863                     * Connect pasted into original stream,
3864                     * ie A -> new-tokens -> B
3865                     */
3866                    while (tok && tok->next)
3867                        tok = tok->next;
3868                    tok->next = next;
3869    
3870                    if (!pasted)
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==14975==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000057938d sp 0x7fffffffdd00 bp 0x602000004e10 T0)
==14975==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x57938c
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x57938c)
    #1 0x571663
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x571663)
    #2 0x51c560
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51c560)
    #3 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14975==ABORTING
[Inferior 1 (process 14975) exited with code 01]
(gdb) 

Triggered in: 
paste_tokens (head=0x7fffffffddb0, m=<optimized out>, mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3866
3866                    while (tok && tok->next)
(gdb) list 
3861    
3862                    /*
3863                     * Connect pasted into original stream,
3864                     * ie A -> new-tokens -> B
3865                     */
3866                    while (tok && tok->next)
3867                        tok = tok->next;
3868                    tok->next = next;
3869    
3870                    if (!pasted)


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more information about the team, the tool or the vulnerability.

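The backtrace above stops at the `tok->next = next;` store following `while (tok && tok->next)` in paste_tokens(): the loop condition tolerates an empty pasted list (tok == NULL), but the store right after it does not, which matches the ASAN report of a SEGV on address 0. The C program below is an added illustration written for this page, not NASM's code and not part of the bug report or the reporter's attachment. It uses a hypothetical `struct token` (not NASM's real Token layout), a constructed stream `A -> B`, constructed pasted tokens `x y`, and an `empty_paste` switch that stands in for a macro expansion whose pasted list came out empty. `splice_unguarded` mirrors the quoted pattern but returns -1 at the exact point where the original dereferences NULL; `splice_guarded` is the editor's suggested hardening, not the project's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token node; stands in for NASM's Token, not its real layout. */
struct token {
    struct token *next;
    char text[16];
};

static struct token *tok_new(const char *s)
{
    struct token *t = calloc(1, sizeof *t);
    if (!t) abort();
    strncpy(t->text, s, sizeof t->text - 1);
    return t;
}

/* Build a list from n words; n == 0 yields NULL, i.e. an empty paste result. */
static struct token *list_from(const char **words, size_t n)
{
    struct token *head = NULL, **link = &head;
    for (size_t i = 0; i < n; i++) {
        *link = tok_new(words[i]);
        link = &(*link)->next;
    }
    return head;
}

static void list_free(struct token *t)
{
    while (t) { struct token *n = t->next; free(t); t = n; }
}

/*
 * Mirrors the splice quoted in the report: walk `pasted` to its tail and attach
 * `next`.  The `while (tok && tok->next)` loop tolerates pasted == NULL, but the
 * store after it does not.  This copy returns -1 at the exact point where the
 * original writes through a NULL pointer, so the harness survives.
 */
static int splice_unguarded(struct token *prev, struct token *pasted, struct token *next)
{
    struct token *tok = pasted;
    while (tok && tok->next)
        tok = tok->next;
    if (!tok)
        return -1;      /* original: tok->next = next;  -> SEGV on address 0 */
    tok->next = next;
    prev->next = pasted;
    return 0;
}

/* Hardened form (editor's suggestion): an empty paste result reconnects prev -> next. */
static void splice_guarded(struct token *prev, struct token *pasted, struct token *next)
{
    struct token *tok = pasted;
    if (!tok) {
        prev->next = next;
        return;
    }
    while (tok->next)
        tok = tok->next;
    tok->next = next;
    prev->next = pasted;
}

/* Render a list as space-separated text into buf; NUL-terminated when cap > 0. */
static void render(const struct token *t, char *buf, size_t cap)
{
    size_t used = 0;
    if (cap) buf[0] = '\0';
    for (; t && used < cap; t = t->next) {
        int n = snprintf(buf + used, cap - used, "%s%s", t->text, t->next ? " " : "");
        if (n < 0) break;
        used += (size_t)n;
    }
}

/*
 * Splice a constructed stream A -> [pasted] -> B and render the result into buf.
 * guarded selects the hardened splice; empty_paste simulates a macro expansion
 * whose pasted token list came out empty, as in the crashing input.
 * Returns 0 on success, -1 where the unguarded code would have crashed.
 */
int splice_demo(int guarded, int empty_paste, char *buf, size_t cap)
{
    static const char *pasted_words[] = { "x", "y" };   /* constructed sample tokens */
    struct token *a = tok_new("A"), *b = tok_new("B");
    struct token *pasted = list_from(pasted_words, empty_paste ? 0 : 2);
    int rc = 0;

    a->next = b;                                        /* original stream: A -> B */
    if (guarded)
        splice_guarded(a, pasted, b);
    else
        rc = splice_unguarded(a, pasted, b);
    render(rc == 0 ? a : NULL, buf, cap);
    list_free(a);                   /* on success the pasted tokens hang off a */
    return rc;
}
```

Calling `splice_demo(0, 0, buf, sizeof buf)` yields the stream `A x y B`; `splice_demo(0, 1, ...)` returns -1, which is the state the fuzzer input drives paste_tokens() into; `splice_demo(1, 1, ...)` yields `A B`, showing that the guarded splice degrades to reconnecting the original neighbours instead of faulting. A fix in the assembler would also need to keep `head` and the `pasted` flag consistent for the empty case, which this stand-alone harness does not model.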