[Nasm-bugs] [Bug 3392429] New: There is a heap-use-after-free on address 0x60f00000d568 in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:12:26 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392429

            Bug ID: 3392429
           Summary: There is a heap-use-after-free on address
                    0x60f00000d568 in nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411607
  --> https://bugzilla.nasm.us/attachment.cgi?id=411607&action=edit
./nasm -f bin  POC9 -o tmp

The debugging information is as follows:

$ ./nasm -f bin  POC9 -o tmp 
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction
expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction
expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining
a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro
call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after
expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a
macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro
call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
Segmentation fault


The GDB debugging information is as follows:

(gdb)set args -f bin  POC9 -o tmp
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin
 id:000532,sig:11,src:007319,op:havoc,rep:64 -o tmp
id:000532,sig:11,src:007319,op:havoc,rep:64:1: error: label or instruction
expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:3: error: label or instruction
expected at start of line
id:000532,sig:11,src:007319,op:havoc,rep:64:4: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:5: error: `%endmacro': not defining
a macro
id:000532,sig:11,src:007319,op:havoc,rep:64:7: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:9: error: parser: instruction
expected
id:000532,sig:11,src:007319,op:havoc,rep:64:10: error: `%5': not in a macro
call
id:000532,sig:11,src:007319,op:havoc,rep:64:10: warning: trailing garbage after
expression ignored
id:000532,sig:11,src:007319,op:havoc,rep:64:20: error: `%endm': not defining a
macro
id:000532,sig:11,src:007319,op:havoc,rep:64:22: warning: unterminated string
id:000532,sig:11,src:007319,op:havoc,rep:64:26: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000532,sig:11,src:007319,op:havoc,rep:64:26: error: `%5': not in a macro
call
id:000532,sig:11,src:007319,op:havoc,rep:64:42: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]

Program received signal SIGSEGV, Segmentation fault.
0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at
asm/preproc.c:5389
5389        pp_list_one_macro(m->next_active, severity);
(gdb) bt 
#0  0x0000000000425e54 in pp_list_one_macro (m=0x21, severity=17729) at
asm/preproc.c:5389
#1  0x0000000000425e60 in pp_list_one_macro (m=0x7c7290, severity=17729) at
asm/preproc.c:5389
#2  0x0000000000425e60 in pp_list_one_macro (m=0x7c8320, severity=17729) at
asm/preproc.c:5389
#3  0x0000000000425dce in pp_error_list_macros (severity=<optimized out>) at
asm/preproc.c:5406
#4  0x00000000004066ec in nasm_verror_common (severity=16449, fmt=<optimized
out>, args=<optimized out>)
    at asm/nasm.c:1665
#5  0x0000000000405158 in nasm_verror_gnu (severity=16449, 
    fmt=0x4a869f "label alone on a line without a colon might be in error",
ap=0x7fffffffdfa0) at asm/nasm.c:1508
#6  0x000000000040d8c3 in nasm_error (severity=<error reading variable: Value
out of range.>, 
    fmt=0x4541 <error: Cannot access memory at address 0x4541>) at
asm/error.c:86
#7  0x000000000041d521 in parse_line (pass=<optimized out>, buffer=0x7d0230
"st", result=0x7fffffffe268, 
    ldef=0x41c300 <define_label>) at asm/parser.c:474
#8  0x00000000004036fb in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1245
#9  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) 


ASAN info:
=================================================================
==49024==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d568
at pc 0x527e12 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 8 at 0x60f00000d568 thread T0
==49024==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x527e11
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527e11)
    #1 0x527b11
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527b11)
    #2 0x527830
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527830)
    #3 0x491fe0
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x491fe0)
    #4 0x48c3f4
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x48c3f4)
    #5 0x4b42df
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4b42df)
    #6 0x5007a1
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x5007a1)
    #7 0x483660
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483660)
    #8 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60f00000d568 is located 88 bytes inside of 176-byte region
[0x60f00000d510,0x60f00000d5c0)
freed by thread T0 here:
    #0 0x468579
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x4686f9
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9a90: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x0c1e7fff9aa0: fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c1e7fff9ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
  0x0c1e7fff9ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9af0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==49024==ABORTING
[Inferior 1 (process 49024) exited with code 01]



The bug was triggered in:
pp_list_one_macro (m=0x21, severity=17729) at asm/preproc.c:5389
5389        pp_list_one_macro(m->next_active, severity);



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.

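The ASan trace in the report has no function names because the external symbolizer was not initialized, so every frame is only a module path plus an offset. The shell helper below is an added example, not part of the bug report or of NASM: it re-joins the `#N 0xPC` / `(module+0xOFF)` halves that the mail wrapped onto two lines and prints one addr2line command per frame. The function names `asan_addr2line_cmds`, `sample_frame_count` and `sample_first_cmd` and the `SAMPLE` variable are assumptions of this example; the sample input is constructed from two frame lines shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or NASM): turn unsymbolized ASan frames
# into addr2line invocations. Function and variable names are assumptions.
# ASan prints each frame as "#N 0xPC (module+0xOFF)"; the module-relative
# offset is what addr2line needs, so the binary itself is never required here.

asan_addr2line_cmds() {
    awk '
        # A mail client wrapped "#N 0xPC" and "(module+0xOFF)" onto two lines;
        # hold the first half and glue the second half back on.
        /^[[:space:]]*#[0-9]+ 0x[0-9a-f]+$/ { pending = $0; next }
        pending != "" { $0 = pending " " $0; pending = "" }

        # Frame line, wrapped or not: #N 0xPC (module+0xOFF)
        match($0, /#[0-9]+ 0x[0-9a-f]+ \([^+]+\+0x[0-9a-f]+\)/) {
            s = substr($0, RSTART, RLENGTH)
            split(s, f, " ")               # f[1]="#N", f[2]=pc, f[3]="(module+0xoff)"
            loc = f[3]; sub(/^\(/, "", loc); sub(/\)$/, "", loc)
            n = index(loc, "+")
            printf "addr2line -e %s -f -C -i %s   # frame %s\n", substr(loc, 1, n - 1), substr(loc, n + 1), f[1]
        }
    ' "$@"
}

# Constructed sample: the first ASan frame from the report as it appears in the
# mail (wrapped across two lines) plus the libc frame, which was not wrapped.
SAMPLE='    #0 0x527e11
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x527e11)
    #8 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)'

# Number of frames recovered from the sample; used to check the parser.
sample_frame_count() {
    printf '%s\n' "$SAMPLE" | asan_addr2line_cmds | wc -l | tr -d ' '
}

# First generated command; run it against the same nasm build to name the frame.
sample_first_cmd() {
    printf '%s\n' "$SAMPLE" | asan_addr2line_cmds | head -n 1
}

# Stand-alone run: print commands for a log passed as $1, else for the sample.
if [ -n "$1" ]; then
    asan_addr2line_cmds "$1"
else
    printf '%s\n' "$SAMPLE" | asan_addr2line_cmds
fi
```

The printed commands only give correct names when run against the exact binary that produced the trace (here the `install_asan` build, not the `install` build used under gdb, which is why the two traces show different addresses for the same crash). When re-running the ASan build directly, pointing `ASAN_SYMBOLIZER_PATH` at `llvm-symbolizer` makes ASan emit symbolized frames itself and this step is unnecessary.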