[Nasm-bugs] [Bug 3392428] New: There is a heap-buffer-overflow on address 0x61500000e100 in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:10:55 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392428

            Bug ID: 3392428
           Summary: There is a heap-buffer-overflow on address
                    0x61500000e100 in nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411606
  --> https://bugzilla.nasm.us/attachment.cgi?id=411606&action=edit
./nasm -f bin  POC8 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC8 -o tmp 
id:000089,sig:11,src:000775,op:havoc,rep:32:5: error: parser: instruction
expected
id:000089,sig:11,src:000775,op:havoc,rep:32:9: warning: unterminated string
id:000089,sig:11,src:000775,op:havoc,rep:32:13: error: unterminated %[
construct
id:000089,sig:11,src:000775,op:havoc,rep:32:23: error: comma, colon, decorator
or end of line expected after operand
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:3) `%define'
expects a macro identifier
id:000089,sig:11,src:000775,op:havoc,rep:32:10: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: parser: instruction
expected
id:000089,sig:11,src:000775,op:havoc,rep:32:12: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:6) unknown
preprocessor directive `%rotDte'
id:000089,sig:11,src:000775,op:havoc,rep:32:13: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: label or instruction
expected at start of line
id:000089,sig:11,src:000775,op:havoc,rep:32:13: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:7) nonexistent
environment variable `top_'
id:000089,sig:11,src:000775,op:havoc,rep:32:14: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: warning: (b_struc:7)
unterminated string
id:000089,sig:11,src:000775,op:havoc,rep:32:14: ... from macro `b_struc'
defined here
Segmentation fault


The GDB debugging information is as follows:

(gdb)set args -f bin  POC8 -o tmp
(gdb) r 
The program being debugged has been started already.
Start it from the beginning? (y or n) y 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin
 id:000089,sig:11,src:000775,op:havoc,rep:32 -o tmp 
c 
Breakpoint 2, paste_tokens (head=0x7fffffffdc68, m=0x4a91c8 <expand_smacro.t>,
mnum=1, handle_explicit=true)
    at asm/preproc.c:3866
3866                    while (tok && tok->next)
(gdb) c 56  
Will ignore next 55 crossings of breakpoint 2.  Continuing.
id:000089,sig:11,src:000775,op:havoc,rep:32:5: error: parser: instruction
expected
id:000089,sig:11,src:000775,op:havoc,rep:32:9: warning: unterminated string
id:000089,sig:11,src:000775,op:havoc,rep:32:13: error: unterminated %[
construct
id:000089,sig:11,src:000775,op:havoc,rep:32:23: error: comma, colon, decorator
or end of line expected after operand
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:3) `%define'
expects a macro identifier
id:000089,sig:11,src:000775,op:havoc,rep:32:10: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: parser: instruction
expected
id:000089,sig:11,src:000775,op:havoc,rep:32:12: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:6) unknown
preprocessor directive `%rotDte'
id:000089,sig:11,src:000775,op:havoc,rep:32:13: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: label or instruction
expected at start of line
id:000089,sig:11,src:000775,op:havoc,rep:32:13: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: error: (b_struc:7) nonexistent
environment variable `top_'
id:000089,sig:11,src:000775,op:havoc,rep:32:14: ... from macro `b_struc'
defined here
id:000089,sig:11,src:000775,op:havoc,rep:32:24: warning: (b_struc:7)
unterminated string
id:000089,sig:11,src:000775,op:havoc,rep:32:14: ... from macro `b_struc'
defined here

Breakpoint 2, paste_tokens (head=0x7fffffffe038, m=0x4a91c8 <expand_smacro.t>,
mnum=1, handle_explicit=true)
    at asm/preproc.c:3866
3866                    while (tok && tok->next)
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0000000000437cc2 in paste_tokens (head=0x7fffffffe038, m=0x4a91c8
<expand_smacro.t>, mnum=1, handle_explicit=true)
    at asm/preproc.c:3866
3866                    while (tok && tok->next)
(gdb) bt
#0  0x0000000000437cc2 in paste_tokens (head=0x7fffffffe038, m=0x4a91c8
<expand_smacro.t>, mnum=1, handle_explicit=true)
    at asm/preproc.c:3866
#1  0x00000000004363d1 in expand_smacro (tline=0x7ffff7f7ba10) at
asm/preproc.c:4475
#2  0x0000000000423c7b in pp_getline () at asm/preproc.c:5210
#3  0x000000000040368d in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) 


ASAN info:

=================================================================
==58114==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61500000e100 at pc 0x52deed bp 0x7fffffffde60 sp 0x7fffffffde58
READ of size 1 at 0x61500000e100 thread T0


==58114==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x52deec
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x52deec)
    #1 0x51b984
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51b984)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x61500000e100 is located 0 bytes to the right of 512-byte region
[0x61500000df00,0x61500000e100)
allocated by thread T0 here:
    #0 0x4686f9
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c2a7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9c20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==58114==ABORTING


The bug was triggered in:
paste_tokens (head=0x7fffffffdc68, m=0x4a91c8 <expand_smacro.t>, mnum=1,
handle_explicit=true)
    at asm/preproc.c:3866
3866                    while (tok && tok->next)


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
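A triage helper, added here as an example and not part of the bug report or of nasm: it parses the facts a responder needs out of an ASan report like the one above (error kind, access type and size, faulting address, where that address lies relative to the allocation ASan names, the bracketed shadow byte) and recomputes the shadow address with the default x86_64 mapping, (addr >> 3) + 0x7fff8000, to confirm the `=>` row really is the one for the faulting address. The sample input is the report's own ASan section embedded as a constructed string with its mail line wraps, which the regular expressions tolerate; the constant SHADOW_OFFSET_X86_64 and every function and class name are this example's own.

```python
# Added example (not nasm code): extract the triage-relevant facts from an
# AddressSanitizer report such as the one above.
import re
from dataclasses import dataclass
from typing import Optional

# Shadow-byte meanings from the legend ASan appends to every report
# (one shadow byte describes 8 application bytes).
SHADOW_LEGEND = {
    0x00: "addressable", 0xFA: "heap left redzone", 0xFB: "heap right redzone",
    0xFD: "freed heap region", 0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
    0xF5: "stack after return", 0xF8: "stack use after scope", 0xF9: "global redzone",
    0xF6: "global init order", 0xF7: "poisoned by user", 0xFE: "ASan internal",
}
# Default ASan shadow mapping on x86_64 Linux: Shadow = (Addr >> 3) + 0x7fff8000.
SHADOW_OFFSET_X86_64 = 0x7FFF8000

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address\s+(0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"(\d+)-byte region\s*\[(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\)")
SHADOW_RE = re.compile(r"^=>(0x[0-9a-f]+):.*?\[([0-9a-f]{2})\]", re.M)
# A symbolized frame reads like "#0 0x52deec in paste_tokens asm/preproc.c:3866".
SYMBOLIZED_FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in \S+", re.M)


def shadow_address(addr: int) -> int:
    """Address of the shadow byte covering `addr` (x86_64 mapping)."""
    return (addr >> 3) + SHADOW_OFFSET_X86_64


def shadow_meaning(byte: int) -> str:
    return "partially addressable" if 0 < byte < 8 else SHADOW_LEGEND.get(byte, "unknown")


@dataclass
class AsanFinding:
    kind: str
    access: str
    size: int
    address: int
    region_start: Optional[int] = None
    region_end: Optional[int] = None   # exclusive, as in ASan's [start,end)
    shadow_row: Optional[int] = None   # address of the "=>" shadow row
    shadow_byte: Optional[int] = None  # value ASan bracketed on that row
    symbolized: bool = False           # False when frames are bare addresses

    @property
    def offset(self) -> Optional[int]:
        """Faulting address relative to the region start (negative = before it)."""
        return None if self.region_start is None else self.address - self.region_start

    def placement(self) -> str:
        off = self.offset
        if off is None:
            return "no allocation information"
        size = self.region_end - self.region_start
        if off < 0:
            return f"{-off} bytes before the region (underflow)"
        if off >= size:
            return f"{off - size} bytes past the end of the {size}-byte region (overflow)"
        return f"{off} bytes inside the {size}-byte region (use-after-free if it was freed)"

    def shadow_consistent(self) -> bool:
        """True if the bracketed shadow row is the 16-byte row holding the faulting address's shadow byte."""
        return self.shadow_row is not None and (shadow_address(self.address) & ~0xF) == self.shadow_row


def parse_asan_report(text: str) -> AsanFinding:
    m, a = ERROR_RE.search(text), ACCESS_RE.search(text)
    if m is None or a is None:
        raise ValueError("not a complete AddressSanitizer error report")
    f = AsanFinding(kind=m.group(1), access=a.group(1), size=int(a.group(2)),
                    address=int(m.group(2), 16))
    if (r := REGION_RE.search(text)):
        f.region_start, f.region_end = int(r.group(2), 16), int(r.group(3), 16)
    if (s := SHADOW_RE.search(text)):
        f.shadow_row, f.shadow_byte = int(s.group(1), 16), int(s.group(2), 16)
    f.symbolized = SYMBOLIZED_FRAME_RE.search(text) is not None
    return f


# Constructed sample: the ASan section of the report above, mail line wraps kept.
SAMPLE_REPORT = """\
==58114==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61500000e100 at pc 0x52deed bp 0x7fffffffde60 sp 0x7fffffffde58
READ of size 1 at 0x61500000e100 thread T0
    #0 0x52deec
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x52deec)
0x61500000e100 is located 0 bytes to the right of 512-byte region
[0x61500000df00,0x61500000e100)
Shadow bytes around the buggy address:
  0x0c2a7fff9c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9c20:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
"""

if __name__ == "__main__":
    finding = parse_asan_report(SAMPLE_REPORT)
    print(finding.kind, finding.access, finding.size, finding.placement())
    print("shadow byte", hex(finding.shadow_byte), shadow_meaning(finding.shadow_byte),
          "row consistent:", finding.shadow_consistent(), "symbolized:", finding.symbolized)
```

For the report above this yields a 1-byte READ exactly 0 bytes past a 512-byte heap region, a bracketed shadow byte of fa on the row ASan computes for that address, and no symbolized frames, which matches the "external symbolizer is not initialized" warning in the report; rerunning the ASan build with ASAN_SYMBOLIZER_PATH pointing at llvm-symbolizer turns the bare `#0 0x52deec` frames into function names and source lines, so the ASan stack can be lined up with the gdb backtrace through paste_tokens.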
