[Nasm-bugs] [Bug 3392436] New: There is an illegal address access in function is_mmacro() of nasm.
no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:25:47 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392436
Bug ID: 3392436
Summary: There is an illegal address access in function is_mmacro() of nasm.
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411613
--> https://bugzilla.nasm.us/attachment.cgi?id=411613&action=edit
./nasm -f bin POC15 -o tmp
Description:
The debugging information is as follows:
$ ./nasm -f bin POC15 -o tmp
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum
Segmentation fault
The GDB debugging information is as follows:
(gdb) set args -f bin POC15 -o tmp
(gdb) r
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm -f bin id:000291,sig:11,src:003187,op:havoc,rep:8 -o tmp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count exceeds maximum

Program received signal SIGSEGV, Segmentation fault.
0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645        params[nparam] = NULL;
(gdb) bt
#0  0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
#1  0x000000000051d44d in expand_mmacro (tline=0x7ffff7f5b380) at asm/preproc.c:4756
#2  pp_getline () at asm/preproc.c:5211
#3  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==107477==ERROR: AddressSanitizer: SEGV on unknown address 0x601f7af45248 (pc 0x000000574f0a sp 0x7fffffffde30 bp 0x7fffffffded0 T0)
==107477==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x574f09 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x574f09)
    #1 0x51d44c (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51d44c)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==107477==ABORTING
[Inferior 1 (process 107477) exited with code 01]
(gdb)
Triggered in:
is_mmacro (tline=<optimized out>, params_array=<optimized out>) at asm/preproc.c:4645
4645        params[nparam] = NULL;
(gdb) list
4640         */
4641        if (!params) { /* need this special case */
4642            params = nasm_malloc(sizeof(*params));
4643            nparam = 0;
4644        }
4645        params[nparam] = NULL;
4646        *params_array = params;
4647        return m;
4648    }
4649    /*
Credits:
This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.