[Nasm-bugs] [Bug 3392413] New: Multiple use after free vulnerabilities in the Nasm tool with latest vesion

no-reply at bugzilla-nasm.gorcunov.org no-reply at bugzilla-nasm.gorcunov.org
Fri Jun 23 21:45:12 PDT 2017 

https://bugzilla.nasm.us/show_bug.cgi?id=3392413

            Bug ID: 3392413
           Summary: Multiple use after free vulnerabilities in the Nasm
                    tool with latest vesion
           Product: NASM
           Version: 2.14 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: critical
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411593
  --> https://bugzilla.nasm.us/attachment.cgi?id=411593&action=edit
It's triggered by "nasm -f bin  $POC  -o  nasm.out"

There were multiple heap use after free vulnerabilities in the tool nasm with
latest version(2.14rc0). The related heap was allocated at token() function and
freed  at detoken() function(called by pp_getline())that used again at
different positions later that could cause multiple damages. 

In the loop "while ((line = preproc->getline()))" of  function
assemble_file(called at nasm.c:453) ,pp_getline function freed a heap via
calling detoken function(line:5214)  but the heap was read and written
frequently later that caused multiple use after free vulnerabilities. 



The asan and gdb debug information are as follows for all POCs:

POC1:  corrupted double-linked in detoken() function

$nasm -f bin  POC1   -o  nasm.out

==98294==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000006f90
at pc 0x50fe1e bp 0x7fffffffbb10 sp 0x7fffffffbb08
READ of size 1 at 0x602000006f90 thread T0
==98294==WARNING: Trying to symbolize code, but external symbolizer is not
initialized!
    #0 0x50fe1d
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x50fe1d)
    #1 0x4d71d9
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d71d9)
    #2 0x483bcd
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e3f8
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x47e3f8)

0x602000006f90 is located 0 bytes inside of 6-byte region
[0x602000006f90,0x602000006f96]
freed by thread T0 here:
    #0 0x468189
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x468189)
    nasmlib/malloc.c:77 free(q)
    #1 0x48b80a
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x48b80a)
   preproc.c:5215 line = detoken(tline, true);
    #2 0x4d71d9
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d71d9)
    #3 0x483bcd
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:

    #0 0x468309
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x468309)
    nasmlib/malloc.c:47  void *p = malloc(size);
    #1 0x48b6b5
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x48b6b5)
    asm/T2 preproc.c:5124  tline = tokenize(line);
    #2 0x4d33be
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d33be)
    asm/nasm.c:1233  while ((line = preproc->getline())) {
    #3 0x483bcd
(/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #4 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff8da0: fa fa 03 fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff8db0: fa fa 02 fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff8dc0: fa fa 06 fa fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fff8dd0: fa fa 05 fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff8de0: fa fa 03 fa fa fa fd fa fa fa 03 fa fa fa fd fa
=>0x0c047fff8df0: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa 02 fa
  0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff8e10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8e20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8e30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8e40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==98294==ABORTING


$gdb nasm
(gdb)set args -f bin  POC1   -o  nasm.out
(gdb) r
...
(gdb) bt

#0  0x00007ffff7a44267 in __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff7a45eca in __GI_abort () at abort.c:89
#2  0x00007ffff7a87c53 in __libc_message (do_abort=do_abort at entry=1,
fmt=fmt at entry=0x7ffff7ba01a8 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a8e468 in malloc_printerr (ptr=<optimized out>,
str=0x7ffff7b9c2dd "corrupted double-linked list", action=1) at malloc.c:4965
#4  malloc_consolidate (av=av at entry=0x7ffff7dd3c00 <main_arena>) at
malloc.c:4150
#5  0x00007ffff7a8ff18 in _int_free (av=0x7ffff7dd3c00 <main_arena>,
p=<optimized out>, have_lock=0) at malloc.c:4042
#6  0x00007ffff7a9389c in __GI___libc_free (mem=<optimized out>) at
malloc.c:2950
#7  0x0000000000408374 in saa_free (s=0x7411a0) at nasmlib/saa.c:71
#8  0x0000000000402c2d in main (argc=<optimized out>, argv=<optimized out>) at
asm/nasm.c:481

POC2:  double free or corruption in delete_Token() function 

$gdb nasm
(gdb)set args -f bin  POC2   -o  nasm.out
(gdb) r
...

Program received signal SIGABRT, Aborted.
0x00007ffff6efb267 in __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6efb267 in __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6efceca in __GI_abort () at abort.c:89
#2  0x00007ffff6f3ec53 in __libc_message (do_abort=do_abort at entry=1,
fmt=fmt at entry=0x7ffff70571a8 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6f46c69 in malloc_printerr (ptr=<optimized out>,
str=0x7ffff7057270 "double free or corruption (fasttop)", action=1) at
malloc.c:4965
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at
malloc.c:3834
#5  0x00007ffff6f4a89c in __GI___libc_free (mem=<optimized out>) at
malloc.c:2950
#6  0x0000000000438c71 in nasm_free (q=<optimized out>) at nasmlib/malloc.c:77
#7  0x0000000000506249 in delete_Token (t=<optimized out>) at
asm/preproc.c:1236
#8  0x00000000004f1819 in pp_getline () at asm/preproc.c:612


POC3:  out of write caused segmentation fault in detoken() funtion

$gdb nasm
(gdb)set args -f bin  POC3   -o  nasm.out
(gdb) r
...

Program received signal SIGSEGV, Segmentation fault.
0x0000000000583173 in detoken (tlist=<optimized out>, expand_locals=<optimized
out>) at asm/preproc.c:1316
1316                    *p++ = *q++;
(gdb) bt
#0  0x0000000000583173 in detoken (tlist=<optimized out>,
expand_locals=<optimized out>) at asm/preproc.c:1316
#1  0x00000000004f17cc in pp_getline () at asm/preproc.c:5215
#2  0x0000000000427f52 in assemble_file (warning: Unmapped DWARF Register #-1
encountered.


POC4:  out of write caused segmentation fault in  new_Token() function

$gdb nasm
(gdb)set args -f bin  POC4  -o  nasm.out
(gdb) r
...

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000004f86ad in new_Token (next=<optimized out>, type=<optimized
out>, text=<optimized out>, txtlen=<optimized out>) at asm/preproc.c:1225
#2  0x0000000000579845 in expand_mmac_params (tline=<optimized out>) at
asm/preproc.c:4083
#3  0x00000000004e56a9 in pp_getline () at asm/preproc.c:5166
#4  0x0000000000427f52 in assemble_file (warning: Unmapped DWARF Register #-1
encountered.


Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com   and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.

More information about the Nasm-bugs mailing list