[Nasm-bugs] [Bug 3392424] New: There is a heap based buffer overflow in function detoken() of nasm
no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:01:29 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392424
Bug ID: 3392424
Summary: There is a heap based buffer overflow in function detoken() of nasm
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411602
--> https://bugzilla.nasm.us/attachment.cgi?id=411602&action=edit
Triggered by " ./nasm -f bin POC4 -o tmp "
Description:
The debugging information is as follows:
$ ./nasm -f bin POC4 -o tmp
id:000244,sig:11,src:003034,op:havoc,rep:4:6: warning: unterminated string
id:000244,sig:11,src:003034,op:havoc,rep:4:13: warning: unterminated %{ construct
id:000244,sig:11,src:003034,op:havoc,rep:4:20: error: parser: instruction expected
id:000244,sig:11,src:003034,op:havoc,rep:4:25: error: (b_struc:3) `'1': parameter identifier expected
id:000244,sig:11,src:003034,op:havoc,rep:4:7: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
id:000244,sig:11,src:003034,op:havoc,rep:4:13: ... from macro `b_struc' defined here
...
Segmentation fault
The GDB debugging information is as follows:
(gdb) set args -f bin POC4 -o tmp
(gdb) r
...
Breakpoint 4, detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1255
1255 if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) c 355
Will ignore next 354 crossings of breakpoint 4. Continuing.
id:000244,sig:11,src:003034,op:havoc,rep:4:6: warning: unterminated string
id:000244,sig:11,src:003034,op:havoc,rep:4:13: warning: unterminated %{ construct
id:000244,sig:11,src:003034,op:havoc,rep:4:20: error: parser: instruction expected
id:000244,sig:11,src:003034,op:havoc,rep:4:25: error: (b_struc:3) `'1': parameter identifier expected
id:000244,sig:11,src:003034,op:havoc,rep:4:7: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
id:000244,sig:11,src:003034,op:havoc,rep:4:13: ... from macro `b_struc' defined here
id:000244,sig:11,src:003034,op:havoc,rep:4:25: warning: forward reference in RESx can have unpredictable results
...
Breakpoint 4, detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1255
1255 if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) s
1288 if (expand_locals &&
...
(gdb) s
1254 list_for_each(t, tlist) {
(gdb) s
=================================================================
==86909==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010891 at pc 0x53214e bp 0x7fffffffde30 sp 0x7fffffffde28
READ of size 1 at 0x602000010891 thread T0
==86909==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x53214d (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x53214d)
#1 0x5195c8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5195c8)
#2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
#3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
0x602000010891 is located 0 bytes to the right of 1-byte region [0x602000010890,0x602000010891)
allocated by thread T0 here:
#0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
#1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
==86909==ABORTING
[Inferior 1 (process 86909) exited with code 01]
(gdb)
The bug was triggered in:
detoken (expand_locals=false, tlist=<optimized out>) at asm/preproc.c:1254
1254 if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
(gdb) list
1250 char *line, *p;
1251 const char *q;
1252 int len = 0;
1253
1254 list_for_each(t, tlist) {
1255 if (t->type == TOK_PREPROC_ID && t->text[1] == '!') {
1256 char *v;
1257 char *q = t->text;
1258
1259 v = t->text + 2;
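Added illustration, not NASM's code and not the maintainers' fix: a minimal stand-in for the check at preproc.c:1255 showing the unconditional read of text[1] beside a bounds-safe variant, exercised with the empty-text token the ASan report describes (a 1-byte region holding only the NUL). The struct token, enum tok_type, make_token and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the token used by detoken(); constructed for this
 * example, NASM's real struct Token has more fields. */
enum tok_type { TOK_OTHER = 0, TOK_PREPROC_ID = 1 };

struct token {
    enum tok_type type;
    char *text;   /* heap-allocated, NUL-terminated */
};

/* The pattern at preproc.c:1255: text[1] is read as soon as the type matches.
 * When text is "" (a 1-byte region holding only the NUL), text[1] is one
 * byte past the allocation, matching the "0 bytes to the right of 1-byte
 * region" READ in the ASan report. Never call this with empty text. */
static bool is_bang_unchecked(const struct token *t)
{
    return t->type == TOK_PREPROC_ID && t->text[1] == '!';
}

/* Bounds-safe variant: checking text[0] first means text[1] is at worst the
 * terminator, never beyond it. Illustrative only, not the maintainers' fix. */
static bool is_bang_checked(const struct token *t)
{
    return t->type == TOK_PREPROC_ID && t->text[0] != '\0' && t->text[1] == '!';
}

/* Allocate a token whose text is exactly strlen(s)+1 bytes, so the empty
 * string gets the same 1-byte region the report describes. */
static struct token *make_token(enum tok_type type, const char *s)
{
    size_t n = strlen(s) + 1;
    struct token *t = malloc(sizeof *t);
    t->type = type;
    t->text = malloc(n);
    memcpy(t->text, s, n);
    return t;
}

static void free_token(struct token *t)
{
    free(t->text);
    free(t);
}
```

Building with -fsanitize=address and calling is_bang_unchecked() on a token made from "" reproduces the same 1-byte heap-buffer-overflow READ; the checked variant returns false without touching text[1].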
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.