[Nasm-bugs] [Bug 3392425] New: There is a heap-use-after-free on address 0x602000008b50 of nasm
no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:04:22 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392425
Bug ID: 3392425
Summary: There is a heap-use-after-free on address 0x602000008b50 of nasm
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411603
--> https://bugzilla.nasm.us/attachment.cgi?id=411603&action=edit
./nasm -f bin POC5 -o tmp
Description:
The debugging information is as follows:
$ ./nasm -f bin POC5 -o tmp
id:000369,sig:11,src:004890,op:havoc,rep:32:2: error: parser: instruction expected
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: unterminated %! string
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: unterminated %! string
id:000369,sig:11,src:004890,op:havoc,rep:32:3: error: NUL character in %! string
Program received signal SIGSEGV, Segmentation fault.
The GDB debugging information is as follows:
(gdb)set args -f bin POC5 -o tmp
(gdb) r
...
Program received signal SIGSEGV, Segmentation fault.
0x00000000004285ed in detoken (tlist=<optimized out>, expand_locals=<optimized out>) at asm/preproc.c:1316
1316 *p++ = *q++;
(gdb) bt
#0 0x00000000004285ed in detoken (tlist=<optimized out>, expand_locals=<optimized out>) at asm/preproc.c:1316
#1 0x0000000000424d9a in pp_getline () at asm/preproc.c:5215
#2 0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3 main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) list
1311 if (t->type == TOK_WHITESPACE) {
1312 *p++ = ' ';
1313 } else if (t->text) {
1314 q = t->text;
1315 while (*q)
1316 *p++ = *q++;
1317 }
1318 }
1319 *p = '\0';
1320
(gdb)
ASAN info:
=================================================================
==104657==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000008b50 at pc 0x532376 bp 0x7fffffffde30 sp 0x7fffffffde28
READ of size 1 at 0x602000008b50 thread T0
==104657==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x532375 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x532375)
#1 0x5206a5 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5206a5)
#2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
#3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
0x602000008b50 is located 0 bytes inside of 4-byte region [0x602000008b50,0x602000008b54)
freed by thread T0 here:
#0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
#1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
#2 0x5206a5 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5206a5)
#3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
#4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
previously allocated by thread T0 here:
#0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
#1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9160: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa 02 fa
0x0c047fff9170: fa fa fd fa fa fa 03 fa fa fa fd fa fa fa fd fa
0x0c047fff9180: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa 02 fa
0x0c047fff9190: fa fa 02 fa fa fa fd fa fa fa 06 fa fa fa fd fa
0x0c047fff91a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff91b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==104657==ABORTING
The bug was triggered in:
detoken (tlist=<optimized out>, expand_locals=<optimized out>) at asm/preproc.c:1316
1316 *p++ = *q++;
(gdb) list
1311 if (t->type == TOK_WHITESPACE) {
1312 *p++ = ' ';
1313 } else if (t->text) {
1314 q = t->text;
1315 while (*q)
1316 *p++ = *q++;
1317 }
1318 }
1319 *p = '\0';
1320
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
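The copy loop quoted at asm/preproc.c:1316 trusts any non-NULL t->text, and the ASan output above says the 4-byte buffer behind that pointer had already been freed. The C program below is an added example, not NASM's code and not a fix for this bug: it shows the pattern in miniature with a token list, a release routine that leaves the pointer dangling (the shape ASan is complaining about), the hardened release that clears it so the existing NULL guard in the loop is enough, and a detoken() that sizes its output before copying. Token, tok_new, tok_discard_text, demo and the three input tokens are all constructed for illustration; the report does not say which NASM code path freed the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified token list modelled on the shape of the detoken() loop quoted
 * in the report. Names and layout are assumptions, not NASM's definitions. */
enum tok_type { TOK_WHITESPACE, TOK_OTHER };

typedef struct Token {
    struct Token *next;
    enum tok_type type;
    char *text;            /* heap buffer owned by this token, or NULL */
} Token;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (!d)
        abort();
    memcpy(d, s, n);
    return d;
}

static Token *tok_new(enum tok_type type, const char *text)
{
    Token *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->type = type;
    t->text = text ? dup_str(text) : NULL;
    return t;
}

/* The dangerous pattern: the buffer is released while the token stays linked
 * in the list. t->text keeps its stale value, so a later detoken() passes the
 * `else if (t->text)` guard and reads freed memory. Not called by demo(). */
void tok_discard_text_unsafe(Token *t)
{
    free(t->text);
}

/* Hardened variant: releasing the buffer also clears the pointer, so the
 * NULL check already present in the copy loop is sufficient. */
static void tok_discard_text(Token *t)
{
    free(t->text);
    t->text = NULL;
}

/* detoken() equivalent that measures the output first, then copies, so the
 * write pointer cannot run past the destination for any list length. */
static char *detoken(const Token *tlist)
{
    size_t len = 0;
    const Token *t;
    char *line, *p;

    for (t = tlist; t; t = t->next)
        len += (t->type == TOK_WHITESPACE) ? 1 : (t->text ? strlen(t->text) : 0);

    line = malloc(len + 1);
    if (!line)
        abort();
    p = line;
    for (t = tlist; t; t = t->next) {
        if (t->type == TOK_WHITESPACE) {
            *p++ = ' ';
        } else if (t->text) {
            const char *q = t->text;
            while (*q)
                *p++ = *q++;
        }
    }
    *p = '\0';
    return line;
}

static void free_tlist(Token *tlist)
{
    while (tlist) {
        Token *next = tlist->next;
        free(tlist->text);      /* free(NULL) is a no-op */
        free(tlist);
        tlist = next;
    }
}

/* Constructed input: "mov", whitespace, "%!x" (a 4-byte buffer, the same
 * size as the freed region in the report). The third token's text is dropped
 * the safe way before the line is rebuilt. Returns 1 if the result is
 * exactly "mov ", 0 otherwise. */
static int demo(void)
{
    Token *a = tok_new(TOK_OTHER, "mov");
    Token *sp = tok_new(TOK_WHITESPACE, NULL);
    Token *b = tok_new(TOK_OTHER, "%!x");
    char *line;
    int ok;

    a->next = sp;
    sp->next = b;
    tok_discard_text(b);        /* pointer cleared; the loop skips this token */
    line = detoken(a);
    ok = strcmp(line, "mov ") == 0;
    free(line);
    free_tlist(a);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "rebuilt line: \"mov \"" : "mismatch");
    return ok ? 0 : 1;
}
```

Swap tok_discard_text(b) for tok_discard_text_unsafe(b) and build with -fsanitize=address to get a "heap-use-after-free ... READ of size 1" report of the same shape as the one above, with the read attributed to the `while (*q)` loop.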