[Nasm-bugs] [Bug 3392430] New: There is heap-use-after-free on address 0x60f00000cf80 in nasm.
no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:14:01 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392430
Bug ID: 3392430
Summary: There is heap-use-after-free on address 0x60f00000cf80 in nasm.
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411608
--> https://bugzilla.nasm.us/attachment.cgi?id=411608&action=edit
./nasm -f bin POC10 -o tmp
Description:
The debugging information is as follows:
$ ./nasm -f bin POC10 -o tmp
...
id:000538,sig:11,src:007218,op:havoc,rep:8:68: error: (b_struc:8) macro params should be enclosed in braces
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
Segmentation fault
The GDB debugging information is as follows:
(gdb) set args -f bin POC10 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install/bin/nasm -f bin id:000538,sig:11,src:007218,op:havoc,rep:8 -o tmp
id:000538,sig:11,src:007218,op:havoc,rep:8:68: warning: (b_struc:8) trailing garbage after expression ignored
id:000538,sig:11,src:007218,op:havoc,rep:8:62: ... from macro `pp_local' defined here
id:000538,sig:11,src:007218,op:havoc,rep:8:16: ... from macro `b_struc' defined here
Program received signal SIGSEGV, Segmentation fault.
0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992        while (mmac && !mmac->name) /* avoid mistaking %reps for macros */
(gdb) bt
#0  0x000000000042ee8d in do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
#1  0x0000000000423a6e in pp_getline () at asm/preproc.c:5172
#2  0x000000000040368d in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb)
ASAN info:
=================================================================
==91204==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000cf80 at pc 0x54f397 bp 0x7fffffffdac0 sp 0x7fffffffdab8
READ of size 8 at 0x60f00000cf80 thread T0
==91204==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x54f396 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x54f396)
    #1 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
0x60f00000cf80 is located 16 bytes inside of 176-byte region [0x60f00000cf70,0x60f00000d020)
freed by thread T0 here:
    #0 0x468579 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x468579)
    #1 0x49c2bd (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49c2bd)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
previously allocated by thread T0 here:
    #0 0x4686f9 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)
    #2 0x51be1a (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51be1a)
    #3 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
==91204==ABORTING
[Inferior 1 (process 91204) exited with code 01]
The bug was triggered in:
do_directive (tline=<optimized out>, output=<optimized out>) at asm/preproc.c:2992
2992        while (mmac && !mmac->name) /* avoid mistaking %reps for macros */
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.