[Nasm-bugs] [Bug 3392415] New: A heap buffer overflow vulnerability at file preproc.c
no-reply at bugzilla-nasm.gorcunov.org
Fri Jun 23 21:53:13 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392415
Bug ID: 3392415
Summary: A heap buffer overflow vulnerability at file preproc.c
Product: NASM
Version: 2.14 (development)
Hardware: All
OS: All
Status: OPEN
Severity: critical
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: v.owl337 at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411594
--> https://bugzilla.nasm.us/attachment.cgi?id=411594&action=edit
Triggered by "nasm -f bin $POC -o nasm.out"
There is a heap buffer overflow vulnerability at file preproc.c (line 3849) in the latest version of the Nasm tool.
3845     len += strlen(tok->text);
3846     p = buf = nasm_malloc(len + 1);
3847
3848     while (tok != next) {
3849         strcpy(p, tok->text);  //the heap buffer overflow operation
3850         p = strchr(p, '\0');
3851         tok = delete_Token(tok);
3852     }
The ASan and gdb debug info are as follows:
$ nasm -f bin $POC -o nasm.out
==62963==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000c44a at pc 0x459370 bp 0x7ffe0bdf6f80 sp 0x7ffe0bdf6738
WRITE of size 2 at 0x60300000c44a thread T0
==62963==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x45936f (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x45936f)
    #1 0x4e79a2 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4e79a2)
    #2 0x50f784 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x50f784)
    #3 0x4d3a0e (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d3a0e)
    #4 0x483bcd (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #5 0x7f2971b3fa3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #6 0x47e3f8 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x47e3f8)

0x60300000c44a is located 0 bytes to the right of 26-byte region [0x60300000c430,0x60300000c44a)
allocated by thread T0 here:
    #0 0x468309 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x468309)
    #1 0x48b6b5 (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x48b6b5)
    #2 0x4d3a0e (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x4d3a0e)
    #3 0x483bcd (/home/company/real/nasm-2.14rc0/install_asan/bin/nasm_asan+0x483bcd)
    #4 0x7f2971b3fa3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c067fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9880: fa fa fa fa fa fa 00 00 00[02]fa fa fd fd fd fd
0x0c067fff9890: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c067fff98a0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x0c067fff98b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c067fff98c0: fa fa 00 00 02 fa fa fa 00 00 00 00 fa fa 00 00
0x0c067fff98d0: 02 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
==62963==ABORTING
$ gdb nasm
(gdb) set args -f bin $POC -o nasm.out
(gdb) r
...
(gdb) bt
#0  __strcmp_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S:29
#1  0x0000000000414a0b in mstrcmp (casesense=<optimized out>, q=<optimized out>, p=<optimized out>) at asm/preproc.c:1440
#2  is_mmacro (params_array=params_array@entry=0x7fffffffe110, tline=0x7ffff7f7c0f0, tline=0x7ffff7f7c0f0) at asm/preproc.c:4654
#3  0x000000000041d1b9 in expand_mmacro (tline=0x7ffff7f7c0b0) at asm/preproc.c:4756
#4  pp_getline () at asm/preproc.c:5211
#5  0x00000000004039c1 in assemble_file (depend_ptr=depend_ptr@entry=0x0, fname=0x7284e0 <inname> "../nasm-2.14rc0/afl-out/crashes/id:000931,sig:11,src:009876,op:havoc,rep:2") at asm/nasm.c:1233
#6  0x0000000000402e56 in main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao at gmail.com and chaoz at tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
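An added example (not NASM's code) of the pattern behind the snippet at lines 3845-3852 and a hardened form. The Token type and the functions needed_size, copy_fits and join_tokens are hypothetical: copy_fits replays the strcpy loop's arithmetic against a given allocation size, which is the write ASan flagged at line 3849 (0 bytes past a 26-byte region), and join_tokens measures and copies over the same token range with a bounds check on every copy.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical token type modelled on the preproc.c snippet; not NASM's own struct. */
typedef struct Token {
    struct Token *next;
    const char *text;
} Token;

/* Bytes needed to hold the text of every token in [tok, stop), plus the NUL. */
size_t needed_size(const Token *tok, const Token *stop)
{
    size_t len = 0;
    for (const Token *t = tok; t != stop; t = t->next)
        len += strlen(t->text);
    return len + 1;
}

/* Would a strcpy loop over [tok, stop) stay inside alloc_size bytes?  The reported
   code sizes the buffer separately from the copy loop, so the two can disagree. */
int copy_fits(size_t alloc_size, const Token *tok, const Token *stop)
{
    size_t used = 0;
    for (const Token *t = tok; t != stop; t = t->next) {
        size_t n = strlen(t->text) + 1;   /* strcpy writes the NUL as well */
        if (n > alloc_size - used)        /* this is the write ASan reports */
            return 0;
        used += n - 1;                    /* the next copy overwrites that NUL */
    }
    return 1;
}

/* Hardened join: measure and copy over the same range, bounds-check each copy. */
char *join_tokens(const Token *tok, const Token *stop)
{
    size_t size = needed_size(tok, stop), remaining = size;
    char *buf = malloc(size), *p = buf;
    if (buf == NULL)
        return NULL;
    for (const Token *t = tok; t != stop; t = t->next) {
        size_t n = strlen(t->text);
        if (n + 1 > remaining) {          /* fail closed instead of overflowing */
            free(buf);
            return NULL;
        }
        memcpy(p, t->text, n);
        p += n;
        remaining -= n;
    }
    *p = '\0';
    return buf;
}
```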