[Nasm-bugs] [Bug 3392431] New: There is a SEGV on unknown address 0x000000000018 in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:15:57 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392431

            Bug ID: 3392431
           Summary: There is a SEGV on unknown address 0x000000000018 in
                    nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411609
  --> https://bugzilla.nasm.us/attachment.cgi?id=411609&action=edit
./nasm -f bin  POC11 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC11 -o tmp
...
id:000643,sig:11,src:009027,op:havoc,rep:64:28: error: symbol `t' redefined
id:000643,sig:11,src:009027,op:havoc,rep:64:33: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:34: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:35: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:88: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: macro call expects terminating `)'
id:000643,sig:11,src:009027,op:havoc,rep:64:95: error: parser: instruction expected
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: `%0': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args  -f bin  POC11 -o tmp
(gdb) r
...
id:000643,sig:11,src:009027,op:havoc,rep:64:96: error: expression syntax error
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: unknown preprocessor directive `%rota'
id:000643,sig:11,src:009027,op:havoc,rep:64:97: error: label or instruction expected at start of line
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: `%%top': not in a macro call
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415                                    pt = *ptail = new_Token(tline, ttt->type,

(gdb) c 53
Will ignore next 51 crossings of breakpoint 2.  Continuing.
id:000643,sig:11,src:009027,op:havoc,rep:64:98: error: macro call expects terminating `)'

Breakpoint 2, expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415                                    pt = *ptail = new_Token(tline, ttt->type,
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x000000000056d5d6 in expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415                                    pt = *ptail = new_Token(tline, ttt->type,
(gdb) bt
#0  expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
#1  0x000000000051c561 in pp_getline () at asm/preproc.c:5210
#2  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#3  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==9792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00000056d5d6 sp 0x7fffffffdda0 bp 0x7fffffffdee0 T0)
==9792==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x56d5d5 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x56d5d5)
    #1 0x51c560 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51c560)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==9792==ABORTING
[Inferior 1 (process 9792) exited with code 01]
(gdb) 

Triggered in:
expand_smacro (tline=<optimized out>) at asm/preproc.c:4415
4415                                    pt = *ptail = new_Token(tline, ttt->type,


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
