[Nasm-bugs] [Bug 3392425] New: There is a heap-use-after-free on address 0x602000008b50 of nasm

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:04:22 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392425

            Bug ID: 3392425
           Summary: There is a heap-use-after-free on address
                    0x602000008b50 of nasm
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411603
  --> https://bugzilla.nasm.us/attachment.cgi?id=411603&action=edit
./nasm -f bin  POC5 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC5 -o tmp 
id:000369,sig:11,src:004890,op:havoc,rep:32:2: error: parser: instruction
expected
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: unterminated %! string
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: unterminated %! string
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: NUL character in %!
string

Program received signal SIGSEGV, Segmentation fault.


The GDB debugging information is as follows:

(gdb)set args -f bin  POC5 -o tmp
(gdb) r 
...

Program received signal SIGSEGV, Segmentation fault.
0x00000000004285ed in detoken (tlist=<optimized out>, expand_locals=<optimized
out>) at asm/preproc.c:1316
1316                    *p++ = *q++;
(gdb) bt
#0  0x00000000004285ed in detoken (tlist=<optimized out>,
expand_locals=<optimized out>) at asm/preproc.c:1316
#1  0x0000000000424d9a in pp_getline () at asm/preproc.c:5215
#2  0x000000000040368d in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) list 
1311            if (t->type == TOK_WHITESPACE) {
1312                *p++ = ' ';
1313            } else if (t->text) {
1314                q = t->text;
1315                while (*q)
1316                    *p++ = *q++;
1317            }
1318        }
1319        *p = '\0';
1320    
(gdb) 

ASAN info:
=================================================================
==104657==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000008b50 at pc 0x532376 bp 0x7fffffffde30 sp 0x7fffffffde28
READ of size 1 at 0x602000008b50 thread T0


==104657==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x532375
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x532375)
    #1 0x5206a5
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5206a5)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x602000008b50 is located 0 bytes inside of 4-byte region
[0x602000008b50,0x602000008b54)
freed by thread T0 here:
    #0 0x468579
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x5206a5
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5206a5)
    #3 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9160: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa 02 fa
  0x0c047fff9170: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa fd fa
  0x0c047fff9180: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa 02 fa
  0x0c047fff9190: fa fa 02 fa fa fa fd fa fa fa 06 fa fa fa fd fa
  0x0c047fff91a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff91b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==104657==ABORTING


The bug was triggered in:
detoken (tlist=<optimized out>, expand_locals=<optimized out>) at
asm/preproc.c:1316
1316                    *p++ = *q++;
(gdb) list 
1311            if (t->type == TOK_WHITESPACE) {
1312                *p++ = ' ';
1313            } else if (t->text) {
1314                q = t->text;
1315                while (*q)
1316                    *p++ = *q++;
1317            }
1318        }
1319        *p = '\0';
1320    



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more information about the team, the tool or the vulnerability.
