[Nasm-bugs] [Bug 3392426] New: There is a heap use-after-free on address 0x60f00000d4b0 in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:07:21 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392426

            Bug ID: 3392426
           Summary: There is a heap use-after-free  on address
                    0x60f00000d4b0 in nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411604
  --> https://bugzilla.nasm.us/attachment.cgi?id=411604&action=edit
/nasm -f bin  POC6 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC6 -o tmp 
id:000248,sig:06,src:003072,op:flip1,pos:236:13: error: unterminated %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:29: error: (b_struc:7) NUL
character in %! string
id:000248,sig:06,src:003072,op:flip1,pos:236:14: ... from macro `b_struc'
defined here
*** Error in `./../../../nasm': double free or corruption (fasttop):
0x00000000018facb0 ***
Aborted

The GDB debugging information is as follows:

(gdb)set args -f bin  POC6 -o tmp
(gdb) r 
...

*** Error in `/home/company/check_nasm/nasm-2.14rc0/install/bin/nasm': double
free or corruption (fasttop): 0x00000000007d7cb0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a44267 in __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt 
#0  0x00007ffff7a44267 in __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff7a45eca in __GI_abort () at abort.c:89
#2  0x00007ffff7a87c53 in __libc_message (do_abort=do_abort at entry=1, 
    fmt=fmt at entry=0x7ffff7ba01a8 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8fc69 in malloc_printerr (ptr=<optimized out>, 
    str=0x7ffff7ba0270 "double free or corruption (fasttop)", action=1) at
malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at
malloc.c:3834
#5  0x00007ffff7a9389c in __GI___libc_free (mem=<optimized out>) at
malloc.c:2950
#6  0x00000000004089d8 in nasm_free (q=0x117f7) at nasmlib/malloc.c:77
#7  0x00000000004234fa in delete_Token (t=0x7ffff7f7bc50) at asm/preproc.c:1236
#8  free_tlist (list=0x0) at asm/preproc.c:612
#9  free_llist (list=<optimized out>) at asm/preproc.c:622
#10 free_mmacro (m=<optimized out>) at asm/preproc.c:635
#11 pp_getline () at asm/preproc.c:5099
#12 0x000000000040368d in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#13 main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453


ASAN info:
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm
-f bin  id:000266,sig:11,src:003293,op:havoc,rep:4 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77              free(q);
(gdb) c 925 
Will ignore next 924 crossings of breakpoint 10.  Continuing.
id:000266,sig:11,src:003293,op:havoc,rep:4:8: warning: unterminated string
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:2) trailing
garbage after `%push' ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:8: ... from macro `b_struc' defined
here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: parser: instruction
expected
id:000266,sig:11,src:003293,op:havoc,rep:4:10: ... from macro `b_struc' defined
here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not
enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined
here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: error: (b_struc:8) braces do not
enclose all of macro parameter
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined
here
id:000266,sig:11,src:003293,op:havoc,rep:4:29: warning: (b_struc:8) trailing
garbage after expression ignored
id:000266,sig:11,src:003293,op:havoc,rep:4:15: ... from macro `b_struc' defined
here

Breakpoint 10, nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
77              free(q);
(gdb) n
78      }
(gdb) n
pp_getline () at asm/preproc.c:5143
5143                    lfmt->downlevel(LIST_INCLUDE);
...
(gdb) n
5112                        istk->mstk->lineno++;
(gdb) n
=================================================================
==50260==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d4b0
at pc 0x5214d0 bp 0x7fffffffdee0 sp 0x7fffffffded8
READ of size 4 at 0x60f00000d4b0 thread T0
==50260==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x5214cf
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5214cf)
    #1 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #2 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #3 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d4b0 is located 144 bytes inside of 176-byte region
[0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
    #0 0x468579
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fff9a90: fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa fa
  0x0c1e7fff9aa0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ab0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==50260==ABORTING
[Inferior 1 (process 50260) exited with code 01]
(gdb) 

The bug was triggered in:
pp_getline () at asm/preproc.c:5112
5107    
5108                if (istk->expansion) {      /* from a macro expansion */
5109                    char *p;
5110                    Line *l = istk->expansion;
5111                    if (istk->mstk)
5112                        istk->mstk->lineno++;
5113                    tline = l->first;
5114                    istk->expansion = l->next;
5115                    nasm_free(l);
5116                    p = detoken(tline, false);
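The read at preproc.c:5112 goes through `istk->mstk`, which the ASan report shows pointing into a region that was already freed; the `if (istk->mstk)` guard passes because a dangling pointer is non-NULL. The following is an added illustration of that pattern and of the usual defensive counterpart (clearing the only reference at the point of free). It is constructed stand-in code, not NASM's source and not the NASM fix; the `Include`/`MMacro` structs, `end_expansion_*` and `bump_lineno` names are assumptions that only mirror the shape of the snippet above.

```c
/* Added illustration (not NASM code): why `if (ptr)` cannot catch a dangling
 * pointer. The structures and names below are constructed stand-ins for the
 * istk->mstk relationship seen in the report. */
#include <stdio.h>
#include <stdlib.h>

typedef struct MMacro {
    char name[16];
    int lineno;          /* line counter inside the macro expansion */
} MMacro;

typedef struct Include {
    MMacro *mstk;        /* macro currently being expanded, or NULL */
} Include;

static MMacro *new_mmacro(const char *name)
{
    MMacro *m = calloc(1, sizeof *m);
    if (!m)
        abort();
    snprintf(m->name, sizeof m->name, "%s", name);
    return m;
}

/* Buggy pattern: the macro is freed but the owner keeps its address.
 * A later `if (istk->mstk)` still sees a non-NULL value and dereferences
 * freed memory; AddressSanitizer reports this as heap-use-after-free. */
static void end_expansion_buggy(Include *istk)
{
    free(istk->mstk);
}

/* Hardened pattern: clear the reference at the point of free, so the
 * NULL check downstream actually means "no live macro". */
static void end_expansion_fixed(Include *istk)
{
    free(istk->mstk);
    istk->mstk = NULL;
}

/* Mirrors the `if (istk->mstk) istk->mstk->lineno++;` site.
 * Returns the new line number, or -1 when there is no live macro. */
static int bump_lineno(Include *istk)
{
    if (istk->mstk) {
        istk->mstk->lineno++;
        return istk->mstk->lineno;
    }
    return -1;
}

/* Runs the hardened sequence: start an expansion, count two lines, end the
 * expansion, then hit the counting site again. Returns the final result. */
static int run_fixed(void)
{
    Include istk = { .mstk = new_mmacro("b_struc") };  /* constructed name */
    bump_lineno(&istk);          /* 1 */
    bump_lineno(&istk);          /* 2 */
    end_expansion_fixed(&istk);
    return bump_lineno(&istk);   /* -1: pointer was cleared, no dereference */
}

int main(void)
{
    printf("lineno after fixed teardown: %d\n", run_fixed());
    /* The buggy variant is deliberately never called here; exercising it
     * under -fsanitize=address yields a report of the same class as above. */
    (void)end_expansion_buggy;
    return 0;
}
```

Build with `cc -g -fsanitize=address` to see ASan in action if you swap in the buggy teardown; without a symbolizer the frames come out as raw addresses like the ones in this report, so keep `llvm-symbolizer` on the PATH (or point `ASAN_SYMBOLIZER_PATH` at it) before triaging.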



Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
