[Nasm-bugs] [Bug 3392415] New: A heap buffer overflow vulnerability at file preproc.c

no-reply at bugzilla-nasm.gorcunov.org no-reply at bugzilla-nasm.gorcunov.org
Fri Jun 23 21:53:13 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392415

            Bug ID: 3392415
           Summary: A heap buffer overflow vulnerability at file preproc.c
           Product: NASM
           Version: 2.14 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: critical
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: v.owl337 at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411594
  --> https://bugzilla.nasm.us/attachment.cgi?id=411594&action=edit
Triggered by "nasm -f bin  $POC   -o  nasm.out"

There is a heap buffer overflow vulnerability at file preproc.c (line 3849) in
the Nasm tool with the latest version.

3845                        len += strlen(tok->text);
3846                        p = buf = nasm_malloc(len + 1);
3847        
3848                        while (tok != next) {
3849                            strcpy(p, tok->text); // the heap buffer overflow operation
3850                            p = strchr(p, '\0');
3851                            tok = delete_Token(tok);
3852                        }

The ASan and gdb debug info are as follows:

$nasm -f bin  $POC   -o  nasm.out

==62963==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000c44a at pc 0x459370 bp 0x7ffe0bdf6f80 sp 0x7ffe0bdf6738
WRITE of size 2 at 0x60300000c44a thread T0
==62963==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x45936f (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x45936f)
    #1 0x4e79a2 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4e79a2)
    #2 0x50f784 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x50f784)
    #3 0x4d3a0e (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d3a0e)
    #4 0x483bcd (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #5 0x7f2971b3fa3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e3f8 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x47e3f8)

0x60300000c44a is located 0 bytes to the right of 26-byte region [0x60300000c430,0x60300000c44a)
allocated by thread T0 here:
    #0 0x468309 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x468309)
    #1 0x48b6b5 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x48b6b5)
    #2 0x4d3a0e (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d3a0e)
    #3 0x483bcd (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #4 0x7f2971b3fa3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9880: fa fa fa fa fa fa 00 00 00[02]fa fa fd fd fd fd
  0x0c067fff9890: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff98a0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff98b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff98c0: fa fa 00 00 02 fa fa fa 00 00 00 00 fa fa 00 00
  0x0c067fff98d0: 02 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==62963==ABORTING


$gdb nasm
(gdb)set args -f bin $POC   -o  nasm.out

(gdb) r
...
(gdb) bt
#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:29
#1  0x0000000000414a0b in mstrcmp (casesense=<optimized out>, q=<optimized out>, p=<optimized out>) at asm/preproc.c:1440
#2  is_mmacro (params_array=params_array@entry=0x7fffffffe110, tline=0x7ffff7f7c0f0, tline=0x7ffff7f7c0f0) at asm/preproc.c:4654
#3  0x000000000041d1b9 in expand_mmacro (tline=0x7ffff7f7c0b0) at asm/preproc.c:4756
#4  pp_getline () at asm/preproc.c:5211
#5  0x00000000004039c1 in assemble_file (depend_ptr=depend_ptr@entry=0x0, fname=0x7284e0 <inname> "../nasm-2.14rc0/afl-out/crashes/id:000931,sig:11,src:009876,op:havoc,rep:2") at asm/nasm.c:1233
#6  0x0000000000402e56 in main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453



Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
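Added example, not code from NASM and not the fix for this bug: the loop quoted in the report sizes a buffer from one walk over the tokens (`len += strlen(tok->text)`) and then strcpy()s each token in a second walk with nothing tying the two walks together. The C below, written against a hypothetical Token type (not NASM's), shows one way such a pattern overflows, the copy pass covering more text than the measure pass, and a hardened copy pass that carries the remaining capacity through the loop and fails closed instead of writing past the allocation. The Token struct, the helper names, the separate measure/copy stop pointers and the sample tokens are all assumptions made for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical token list shaped like the report's loop (tok->text, walk
 * until a stop pointer); it is not NASM's Token type. */
typedef struct Token { struct Token *next; char *text; } Token;

/* Measure pass: sum text lengths from `tok` up to (excluding) `stop`; NULL means list end. */
static size_t measure_tokens(const Token *tok, const Token *stop)
{
    size_t len = 0;
    for (; tok != stop; tok = tok->next)
        len += strlen(tok->text);
    return len;
}

/* Hardened copy pass.  The report's loop trusts that the tokens it strcpy()s
 * are exactly the ones that were measured; here the remaining capacity is
 * carried through the loop, each token is copied with an explicit length,
 * and a token that would not fit makes the function fail closed.
 * `measure_stop` and `copy_stop` are separate only so the demo below can
 * force the two passes to disagree. */
char *concat_tokens_checked(const Token *tok, const Token *measure_stop,
                            const Token *copy_stop)
{
    size_t remaining = measure_tokens(tok, measure_stop);
    char *buf = malloc(remaining + 1), *p = buf;
    if (!buf) return NULL;
    for (; tok != copy_stop; tok = tok->next) {
        size_t n = strlen(tok->text);
        if (n > remaining) {             /* the two passes disagree */
            free(buf);
            return NULL;
        }
        memcpy(p, tok->text, n);
        p += n;
        remaining -= n;
    }
    *p = '\0';                           /* terminator written exactly once */
    return buf;
}

void free_tokens(Token *tok)
{
    while (tok) {
        Token *next = tok->next;
        free(tok->text);
        free(tok);
        tok = next;
    }
}

/* Build a list from C strings (texts are copied); NULL on allocation failure. */
Token *build_tokens(const char *const *texts, size_t n)
{
    Token *head = NULL, **link = &head;
    for (size_t i = 0; i < n; i++) {
        Token *t = calloc(1, sizeof *t);
        size_t sz = strlen(texts[i]) + 1;
        if (!t || !(t->text = malloc(sz))) {
            free(t);
            free_tokens(head);
            return NULL;
        }
        memcpy(t->text, texts[i], sz);
        *link = t;
        link = &t->next;
    }
    return head;
}

/* Constructed sample input, not taken from the bug report. */
static const char *const SAMPLE[] = { "mov", " ", "eax", ",1" };

/* Both passes cover all four tokens: returns 1 if the result is "mov eax,1". */
int demo_matching_ranges(void)
{
    Token *list = build_tokens(SAMPLE, 4);
    char *s = list ? concat_tokens_checked(list, NULL, NULL) : NULL;
    int ok = s != NULL && strcmp(s, "mov eax,1") == 0;
    free(s);
    free_tokens(list);
    return ok;
}

/* Measure pass stops before ",1", copy pass includes it.  The report's
 * strcpy() loop would write ",1\0" at offset 7 of an 8-byte buffer, 2 bytes
 * past the end; returns 1 if the checked version refuses instead. */
int demo_mismatched_ranges(void)
{
    Token *list = build_tokens(SAMPLE, 4);
    if (!list) return 0;
    Token *last = list->next->next->next;              /* the ",1" token */
    char *s = concat_tokens_checked(list, last, NULL); /* measure 3, copy 4 */
    int refused = (s == NULL);
    free(s);
    free_tokens(list);
    return refused;
}
```

Compiled plainly, demo_mismatched_ranges() returns 1 without touching a byte past the allocation; the same input fed to an unchecked strcpy() loop is the kind of small write just beyond the end of a heap region that AddressSanitizer reports. Whether this particular mismatch is what the fuzzer input triggers in preproc.c is not established by the report; the point of the example is that a copy loop must be bounded by the allocation it writes into, not by the loop that sized it.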
