[Nasm-bugs] [Bug 3392435] New: There is an illegal address access in function find_cc() of nasm.

no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:24:16 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392435

            Bug ID: 3392435
           Summary: There is an illegal address access in function
                    find_cc() of nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411612
  --> https://bugzilla.nasm.us/attachment.cgi?id=411612&action=edit
./nasm -f bin  POC14 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC14 -o tmp
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc'
defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction
expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro
call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be
enclosed in braces
Segmentation fault


The GDB debugging information is as follows:

(gdb) set args  -f bin  POC14 -o tmp
(gdb) r 
...
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: parser: instruction
expected
id:000572,sig:11,src:007739,op:flip4,pos:289:14: ... from macro `b_struc'
defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: label or instruction
expected at start of line
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc'
defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction
expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro
call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be
enclosed in braces

Program received signal SIGSEGV, Segmentation fault.
0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
3709        if (t->type != TOK_ID)
(gdb) bt 
#0  0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
#1  expand_mmac_params (tline=0x0) at asm/preproc.c:4035
#2  0x000000000051bd82 in pp_getline () at asm/preproc.c:5166
#3  0x0000000000483517 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c 
Continuing.
ASAN:SIGSEGV
=================================================================
==55298==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc
0x000000535b63 sp 0x7fffffffddf0 bp 0x7fffffffdee0 T0)
==55298==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x535b62
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x535b62)
    #1 0x51bd81
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51bd81)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==55298==ABORTING
[Inferior 1 (process 55298) exited with code 01]
(gdb) 


Triggered in:
find_cc (t=0x0) at asm/preproc.c:3709
3709        if (t->type != TOK_ID)
(gdb) list 
3704    
3705        if (!t)
3706            return -1;              /* Probably a %+ without a space */
3707    
3708        skip_white_(t);
3709        if (t->type != TOK_ID)
3710            return -1;
3711        tt = t->next;
3712        skip_white_(tt);
3713        if (tt && (tt->type != TOK_OTHER || strcmp(tt->text, ",")))
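
As an added illustration (not code from this report or from NASM), the following reduced C model reproduces the ordering problem in the listing above: the NULL test at 3705 runs before skip_white_() at 3708, which can advance t past the end of the list, so the dereference at 3709 sees NULL. The Token layout and the tok_type_/skip_white_ macros are modelled on asm/preproc.c and are assumptions here; the single-whitespace token list is a constructed input.

```c
#include <stddef.h>

/* Reduced model (an assumption, not NASM's code) of the Token list and of
 * the skip_white_() macro from asm/preproc.c. The field order is chosen so
 * that `type' sits 24 bytes into Token, matching the 0x18 fault address. */
enum pp_token_type { TOK_WHITESPACE, TOK_ID, TOK_OTHER };

typedef struct Token Token;
struct Token {
    Token *next;
    char *text;
    size_t len;
    enum pp_token_type type;
};

#define tok_type_(x, t) ((x) && (x)->type == (t))
#define skip_white_(x)  if (tok_type_((x), TOK_WHITESPACE)) (x) = (x)->next

/* Same order of operations as preproc.c:3705-3709: the NULL check precedes
 * skip_white_(), which may advance t off the end of the list. Returns 1
 * where the original would evaluate t->type on a NULL t. */
static int find_cc_orig_hits_null(Token *t)
{
    if (!t)
        return 0;               /* original returns -1 here, safely */
    skip_white_(t);
    return t == NULL;           /* original: if (t->type != TOK_ID) -> SIGSEGV */
}

/* Hardened version: re-test t after skipping whitespace. */
static int find_cc_fixed(Token *t)
{
    if (!t)
        return -1;
    skip_white_(t);
    if (!t || t->type != TOK_ID)
        return -1;
    return 0;                   /* the rest of find_cc() would follow */
}

/* Constructed inputs: a lone whitespace token (what the fuzzed macro
 * expansion hands to find_cc()), and whitespace followed by an identifier. */
static Token id_tok = { NULL, "ro", 2, TOK_ID };
static Token ws_only = { NULL, " ", 1, TOK_WHITESPACE };
static Token ws_id = { &id_tok, " ", 1, TOK_WHITESPACE };
```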


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
