[Nasm-bugs] [Bug 3392445] New: Stack underflow in function ieee_shr at source file asm/float.c
no-reply at bugzilla-nasm.gorcunov.org
Wed Oct 18 14:04:29 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392445
Bug ID: 3392445
Summary: Stack underflow in function ieee_shr at source file asm/float.c
Product: NASM
Version: 2.13.xx
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: jxx13 at psu.edu
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411616
--> https://bugzilla.nasm.us/attachment.cgi?id=411616&action=edit
File to trigger the bug under ASAN
Stack underflow in function ieee_shr at source file asm/float.c.
Tested on nasm-2.13.02rc2 with address-sanitizer on 0 4.4.0-31-generic #50~14.04.1-Ubuntu SMP
Running command: nasm -felf64 poc
Function to_float at Line 836 in asm/float.c:
836: ieee_shr(mant, shift);
/* mant is defined at line 716 with size MANT_LIMBS = 6: fp_limb mant[MANT_LIMBS];
   shift is an integer */
Function ieee_shr at line 612 in asm/float.c accesses mant:
612: n = mant[MANT_LIMBS-1-offs] >> sr;
/* offs = shift / 32 */
When shift is larger than 224, MANT_LIMBS-1-offs will be less than zero, and
thus mant is accessed with an out-of-bounds index.
We attach the PoC to trigger this defect with nasm compiled with
Address-Sanitizer and display the output of the Sanitizer as follows:
===============================Cut Line===================================
==2338== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdec4 at pc 0x4b6749 bp 0x7fffffffddd0 sp 0x7fffffffddc8
READ of size 4 at 0x7fffffffdec4 thread T0
    #0 0x4b6748 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b6748)
    #1 0x4b7418 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b7418)
    #2 0x4b7ee5 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b7ee5)
    #3 0x42823b (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x42823b)
    #4 0x406d8f (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x406d8f)
    #5 0x403a8a (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x403a8a)
    #6 0x7ffff4aa3f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #7 0x401ec8 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x401ec8)
Address 0x7fffffffdec4 is located at offset 84 in frame <to_float> of T0's stack:
  This frame has 2 object(s):
    [32, 36) 'exponent'
    [96, 120) 'mant'
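The guard the report implies, as an added example that is not NASM's asm/float.c: a bounds-checked multi-limb right shift that assumes the layout the report states (MANT_LIMBS = 6, 32-bit limbs, offs = shift / 32) and clears the mantissa outright when the shift count reaches or exceeds the mantissa width, so MANT_LIMBS-1-offs is never evaluated as a negative index.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not NASM's code: layout mirrors the report
 * (MANT_LIMBS = 6, 32-bit limbs, offs = shift / 32, limb 0 is the MSB). */
#define MANT_LIMBS 6
#define LIMB_BITS 32
typedef uint32_t fp_limb;

/* Right-shift the multi-limb mantissa by `shift` bits. Shifts of
 * MANT_LIMBS*LIMB_BITS or more clear the mantissa outright, so the index
 * MANT_LIMBS-1-offs can never go negative (the stack read ASAN flags
 * above). Returns 1 when the whole mantissa was shifted out, else 0. */
static int ieee_shr_checked(fp_limb *mant, int shift)
{
    int offs, sr, i;

    if (shift <= 0) return 0;
    if (shift >= MANT_LIMBS * LIMB_BITS) {
        memset(mant, 0, sizeof(fp_limb) * MANT_LIMBS);
        return 1;
    }
    offs = shift / LIMB_BITS;
    sr = shift % LIMB_BITS;
    /* Fill from the least-significant limb upward so that every source
     * limb (indices <= i) is still unmodified when it is read. */
    for (i = MANT_LIMBS - 1; i >= offs; i--) {
        fp_limb n = mant[i - offs] >> sr;
        if (sr && i - offs > 0)   /* never shift a 32-bit limb by 32 */
            n |= mant[i - offs - 1] << (LIMB_BITS - sr);
        mant[i] = n;
    }
    for (i = 0; i < offs; i++)
        mant[i] = 0;
    return 0;
}

/* In-range shift plus an over-long one like the report's; returns 0 if both behave. */
static int ieee_shr_selfcheck(void)
{
    fp_limb a[MANT_LIMBS] = { 0x12345678u, 0, 0, 0, 0, 0 };
    fp_limb b[MANT_LIMBS] = { 0, 0, 0, 0, 0, 1 };
    int bad = 0;
    bad |= ieee_shr_checked(a, 36) != 0;
    bad |= a[0] != 0 || a[1] != 0x01234567u || a[2] != 0x80000000u;
    bad |= ieee_shr_checked(b, 225) != 1;   /* index would be -2 unguarded */
    bad |= b[0] != 0 || b[5] != 0;
    return bad;
}
```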