[Nasm-bugs] [Bug 3392436] New: There is an illegal address access in function is_mmacro() of nasm.

no-reply at bugzilla-nasm.gorcunov.org no-reply at bugzilla-nasm.gorcunov.org
Mon Aug 28 01:25:47 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392436

            Bug ID: 3392436
           Summary: There is an illegal address access in function
                    is_mmacro() of nasm.
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411613
  --> https://bugzilla.nasm.us/attachment.cgi?id=411613&action=edit
./nasm -f bin  POC15 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC15 -o tmp
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is
empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count
exceeds maximum
Segmentation fault


The GDB debugging information is as follows:

(gdb) set args  -f bin  POC15 -o tmp
(gdb) r 
Starting program: /home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm
-f bin  id:000291,sig:11,src:003187,op:havoc,rep:8 -o tmp 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:16: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:29: warning: forward reference in
RESx can have unpredictable results
id:000291,sig:11,src:003187,op:havoc,rep:8:17: ... from macro `b_struc' defined
here
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%1': not in a macro call
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: `%$arg': context stack is
empty
id:000291,sig:11,src:003187,op:havoc,rep:8:43: error: minimum parameter count
exceeds maximum

Program received signal SIGSEGV, Segmentation fault.
0x0000000000574f0a in is_mmacro (tline=<optimized out>, params_array=<optimized
out>) at asm/preproc.c:4645
4645                params[nparam] = NULL;
(gdb) bt 
#0  0x0000000000574f0a in is_mmacro (tline=<optimized out>,
params_array=<optimized out>) at asm/preproc.c:4645
#1  0x000000000051d44d in expand_mmacro (tline=0x7ffff7f5b380) at
asm/preproc.c:4756
#2  pp_getline () at asm/preproc.c:5211
#3  0x0000000000483517 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==107477==ERROR: AddressSanitizer: SEGV on unknown address 0x601f7af45248 (pc
0x000000574f0a sp 0x7fffffffde30 bp 0x7fffffffded0 T0)
==107477==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x574f09
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x574f09)
    #1 0x51d44c
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51d44c)
    #2 0x483516
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8
(/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==107477==ABORTING
[Inferior 1 (process 107477) exited with code 01]
(gdb) 


Triggered in: 
is_mmacro (tline=<optimized out>, params_array=<optimized out>) at
asm/preproc.c:4645
4645                params[nparam] = NULL;
(gdb) list 
4640                 */
4641                if (!params) {      /* need this special case */
4642                    params = nasm_malloc(sizeof(*params));
4643                    nparam = 0;
4644                }
4645                params[nparam] = NULL;
4646                *params_array = params;
4647                return m;
4648            }
4649            /*



Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com   and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.

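The crash site in the report is the terminator write `params[nparam] = NULL;`, reached after the preprocessor has already diagnosed "minimum parameter count exceeds maximum", and ASan reports the fault as a SEGV on an unknown address rather than a heap overflow, so the index (or the pointer) is far outside any allocation. The following C block is an added illustration of that bug class and its check; it is constructed code, not NASM's preprocessor, and the assumption it encodes (labelled in the comments) is that the count used for the terminator index can diverge from the count the array was sized for, which is why the write must be bounds-checked against the allocation. All names (`params_buf`, `params_split`, `params_terminate`) are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration of the crash class in the bug report above.
 * Not NASM code. A macro-call parameter list is kept as a NULL-terminated
 * array and the terminator is written at params[nparam]. Assumption for
 * this example: nparam may come from a different count than the one the
 * array was allocated from, so the terminator write is checked against
 * the recorded allocation size instead of trusted.
 */

struct params_buf {
    char **params;   /* parameter strings, followed by a NULL terminator */
    int    nalloc;   /* slots allocated, terminator slot included */
};

/* Allocate room for `nparam` parameters plus the terminator slot. */
static int params_alloc(struct params_buf *pb, int nparam)
{
    if (nparam < 0)
        return -1;
    pb->nalloc = nparam + 1;
    pb->params = calloc((size_t)pb->nalloc, sizeof(*pb->params));
    return pb->params ? 0 : -1;
}

/* Split a constructed "a, b, c" argument string into pb->params.
 * Returns the number of parameters stored, or -1 on allocation failure.
 * NASM's real tokenizer is considerably more involved; this is a stand-in. */
static int params_split(struct params_buf *pb, const char *args)
{
    int n = (*args == '\0') ? 0 : 1;
    for (const char *p = args; *p; p++)
        if (*p == ',')
            n++;
    if (params_alloc(pb, n) < 0)
        return -1;
    if (n == 0) {
        pb->params[0] = NULL;
        return 0;
    }

    int i = 0;
    const char *start = args;
    for (const char *p = args; ; p++) {
        if (*p == ',' || *p == '\0') {
            while (start < p && *start == ' ')      /* trim leading blanks */
                start++;
            const char *end = p;
            while (end > start && end[-1] == ' ')   /* trim trailing blanks */
                end--;
            size_t len = (size_t)(end - start);
            char *s = malloc(len + 1);
            if (!s)
                return -1;
            memcpy(s, start, len);
            s[len] = '\0';
            pb->params[i++] = s;
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    pb->params[i] = NULL;   /* i == n: terminator lands in the reserved slot */
    return i;
}

/* Checked version of the report's `params[nparam] = NULL` write.
 * Mirrors the "need this special case" branch from the listing by
 * allocating a single terminator slot when no array exists yet.
 * Returns 0 on success, -1 when nparam is not a valid slot, which is the
 * case that would otherwise be an out-of-bounds write. */
static int params_terminate(struct params_buf *pb, int nparam)
{
    if (!pb->params) {
        if (params_alloc(pb, 0) < 0)
            return -1;
        nparam = 0;
    }
    if (nparam < 0 || nparam >= pb->nalloc)
        return -1;              /* would write past the allocation */
    pb->params[nparam] = NULL;
    return 0;
}

/* Walk the array to the terminator, as a consumer of the list would. */
static int params_count(const struct params_buf *pb)
{
    int n = 0;
    while (pb->params[n])
        n++;
    return n;
}

static void params_free(struct params_buf *pb)
{
    if (!pb->params)
        return;
    for (int i = 0; i < pb->nalloc; i++)   /* slots after an early NULL are freed too */
        free(pb->params[i]);
    free(pb->params);
    pb->params = NULL;
    pb->nalloc = 0;
}

int main(void)
{
    struct params_buf pb = {0};
    int n = params_split(&pb, "eax, ebx, 8");   /* constructed sample input */
    printf("stored %d params in %d slots\n", n, pb.nalloc);
    printf("terminate at %d: %s\n", n, params_terminate(&pb, n) ? "rejected" : "ok");
    printf("terminate at %d: %s\n", 4645, params_terminate(&pb, 4645) ? "rejected" : "ok");
    params_free(&pb);
    return 0;
}
```

The second `params_terminate` call is the shape of the failure in the report: an index that has nothing to do with the allocation, which the unchecked original turns into a wild write and the checked version turns into an error the caller can report. The check is cheap because `nalloc` is recorded alongside the array; without that field there is nothing to compare `nparam` against, which is the real design point.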