[Nasm-bugs] [Bug 3392432] New: There is a heap-buffer-overflow on address 0x60300000c4d2 in nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:17:24 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392432

            Bug ID: 3392432
           Summary: There is a heap-buffer-overflow on address
                    0x60300000c4d2 in nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411610
  --> https://bugzilla.nasm.us/attachment.cgi?id=411610&action=edit
./nasm -f bin  POC12 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC12 -o tmp 
id:000335,sig:06,src:004190,op:havoc,rep:128:4: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:6: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:8: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: unknown preprocessor
directive `%mmcro'
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:11: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:13: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:14: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:16: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: unknown preprocessor
directive `%mm'
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:18: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: unknown preprocessor
directive `%eQdmacro'
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro
call
*** Error in `./../../../nasm': free(): invalid next size (fast):
0x0000000001376ab0 ***
Aborted


The GDB debugging information is as follows:

(gdb)set args -f bin  POC12 -o tmp
(gdb) r 
The program being debugged has been started already.
...
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro
call
*** Error in `/home/company/check_nasm/nasm-2.14rc0/install/bin/nasm': free():
invalid next size (fast): 0x00000000007c0ab0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a44267 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

ASAN info:
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm
-f bin  id:000335,sig:06,src:004190,op:havoc,rep:128 -o tmp 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 6, paste_tokens (head=0x7fffffffd8f0, m=<optimized out>,
mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849                        strcpy(p, tok->text);
(gdb) c 61 
Will ignore next 60 crossings of breakpoint 6.  Continuing.
id:000335,sig:06,src:004190,op:havoc,rep:128:4: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:6: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:8: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: unknown preprocessor
directive `%mmcro'
id:000335,sig:06,src:004190,op:havoc,rep:128:9: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:11: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:13: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:14: warning: label alone on a line
without a colon might be in error [-w+orphan-labels]
id:000335,sig:06,src:004190,op:havoc,rep:128:16: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: unknown preprocessor
directive `%mm'
id:000335,sig:06,src:004190,op:havoc,rep:128:17: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:18: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: unknown preprocessor
directive `%eQdmacro'
id:000335,sig:06,src:004190,op:havoc,rep:128:19: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:21: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:23: error: label or instruction
expected at start of line
id:000335,sig:06,src:004190,op:havoc,rep:128:24: error: parser: instruction
expected
id:000335,sig:06,src:004190,op:havoc,rep:128:26: error: `%1': not in a macro
call

Breakpoint 6, paste_tokens (head=0x7fffffffde10, m=<optimized out>,
mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849                        strcpy(p, tok->text);
(gdb) bt 
#0  paste_tokens (head=0x7fffffffd8f0, m=<optimized out>, mnum=<optimized out>,
handle_explicit=<optimized out>)
    at asm/preproc.c:3849
#1  0x0000000000571664 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
#2  0x0000000000587a82 in parse_mmacro_spec (tline=<optimized out>,
def=<optimized out>, directive=<optimized out>)
    at asm/preproc.c:2141
#3  0x0000000000545641 in do_directive (tline=<optimized out>,
output=<optimized out>) at asm/preproc.c:2872
#4  0x000000000051be1b in pp_getline () at asm/preproc.c:5172
#5  0x0000000000483517 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#6  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) n
=================================================================
==70709==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60300000c4d2 at pc 0x459760 bp 0x7fffffffdd40 sp 0x7fffffffd4f8
WRITE of size 2 at 0x60300000c4d2 thread T0
==70709==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x45975f
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x45975f)
    #1 0x57906a
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x57906a)
    #2 0x53765b
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x53765b)
    #3 0x51bd81
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51bd81)
    #4 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #5 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

0x60300000c4d2 is located 0 bytes to the right of 18-byte region
[0x60300000c4c0,0x60300000c4d2)
allocated by thread T0 here:
    #0 0x4686f9
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x4686f9)
    #1 0x49b6a8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x49b6a8)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9890: fa fa fa fa fa fa fa fa 00 00[02]fa fa fa fd fd
  0x0c067fff98a0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff98b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff98c0: fa fa 00 00 02 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff98d0: 02 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c067fff98e0: 00 00 01 fa fa fa 00 00 00 00 fa fa 00 00 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==70709==ABORTING
[Inferior 1 (process 70709) exited with code 01]


The bug was triggered in:

paste_tokens (head=0x7fffffffd8f0, m=<optimized out>, mnum=<optimized out>, 
    handle_explicit=<optimized out>) at asm/preproc.c:3849
3849                        strcpy(p, tok->text);



Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
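Added example (editor's code, not NASM's own): a token-pasting helper written the way the strcpy at asm/preproc.c:3849 would need to be guarded, sizing the destination from the tokens it actually copies and refusing any copy that would run past the end of the allocation, which is exactly the 2-byte write past an 18-byte region that ASan reports above. The tok_t type and the function names are assumptions, not NASM identifiers.

```c
/* Hypothetical bounds-checked token pasting (not NASM's paste_tokens). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct tok {
    const char *text;
    struct tok *next;
} tok_t;

/* Total length of all token texts in the list, terminator excluded. */
static size_t paste_length(const tok_t *t)
{
    size_t n = 0;
    for (; t; t = t->next)
        n += strlen(t->text);
    return n;
}

/* Concatenate the token texts into a freshly allocated string.
 * The destination is sized from the same list that is copied, and every
 * copy is checked against the remaining room, so a mismatch between the
 * computed size and the data (the failure mode behind the report) is
 * refused instead of becoming a heap write past the allocation.
 * Returns NULL on allocation failure or on a refused copy. */
char *paste_tokens_checked(const tok_t *head)
{
    size_t total = paste_length(head);
    char *buf = malloc(total + 1);
    if (!buf)
        return NULL;

    size_t off = 0;
    for (const tok_t *t = head; t; t = t->next) {
        size_t len = strlen(t->text);
        if (len > total - off) {        /* would overflow: bail out */
            free(buf);
            return NULL;
        }
        memcpy(buf + off, t->text, len); /* bounded copy, no strcpy */
        off += len;
    }
    buf[off] = '\0';                     /* room reserved by total + 1 */
    return buf;
}
```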
