[Nasm-bugs] [Bug 3392445] New: Stack underflow in function ieee_shr at source file asm/float.c

no-reply at bugzilla-nasm.gorcunov.org no-reply at bugzilla-nasm.gorcunov.org
Wed Oct 18 14:04:29 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392445

            Bug ID: 3392445
           Summary: Stack underflow in function ieee_shr at source file
                    asm/float.c
           Product: NASM
           Version: 2.13.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: jxx13 at psu.edu
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411616
  --> https://bugzilla.nasm.us/attachment.cgi?id=411616&action=edit
File to trigger the bug under ASAN

Stack underflow in function ieee_shr at source file asm/float.c.
Tested on nasm-2.13.02rc2 with address-sanitizer on 0 4.4.0-31-generic #50~14.04.1-Ubuntu SMP

Running command: nasm -felf64 poc


Function to_float at Line 836 in asm/float.c:

836: ieee_shr(mant, shift);
/* mant is defined at line 716 with size MANT_LIMBS = 6: fp_limb mant[MANT_LIMBS]
   shift is an integer */

Function ieee_shr at line 612 in asm/float.c accesses mant:
612: n = mant[MANT_LIMBS-1-offs] >> sr;
/* offs = shift / 32 */

When shift is larger than 224, MANT_LIMBS-1-offs will be less than zero, and
thus mant is accessed with an under-bound index.

We attach the PoC to trigger this defect with nasm compiled with
Address-Sanitizer and display the output of Sanitizer as follows:


===============================Cut Line===================================

==2338== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdec4 at pc 0x4b6749 bp 0x7fffffffddd0 sp 0x7fffffffddc8
READ of size 4 at 0x7fffffffdec4 thread T0
    #0 0x4b6748 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b6748)
    #1 0x4b7418 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b7418)
    #2 0x4b7ee5 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4b7ee5)
    #3 0x42823b (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x42823b)
    #4 0x406d8f (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x406d8f)
    #5 0x403a8a (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x403a8a)
    #6 0x7ffff4aa3f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #7 0x401ec8 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x401ec8)
Address 0x7fffffffdec4 is located at offset 84 in frame <to_float> of T0's stack:
  This frame has 2 object(s):
    [32, 36) 'exponent'
    [96, 120) 'mant'
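As an added example (not NASM's own code), the following models the mantissa right-shift the report describes and adds the range check that the unguarded mant[MANT_LIMBS-1-offs] read lacks. It assumes 32-bit limbs and MANT_LIMBS = 6, as the 24-byte 'mant' frame object in the sanitizer output suggests; the function and variable names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Mantissa layout as the report describes it: MANT_LIMBS 32-bit limbs,
   most significant limb first (ASAN shows 'mant' as 24 bytes = 6 x 4). */
#define LIMB_BITS  32
#define MANT_LIMBS 6
typedef uint32_t fp_limb;

/* The first index the unguarded code reads is mant[MANT_LIMBS-1-offs];
   true only when that index lies inside the array. */
bool shr_source_index_ok(int shift)
{
    int offs = shift / LIMB_BITS;
    return (MANT_LIMBS - 1 - offs) >= 0;
}

/* Shift the limb array right by `shift` bits. A negative shift or one of
   MANT_LIMBS*LIMB_BITS bits or more clears the mantissa instead of indexing
   before the array; returns false in that case, true when in range. */
bool ieee_shr_checked(fp_limb *mant, int shift)
{
    int sr, sl, offs, j;
    fp_limb n, m;
    if (shift < 0 || shift >= MANT_LIMBS * LIMB_BITS) {
        memset(mant, 0, sizeof(fp_limb) * MANT_LIMBS);
        return false;
    }
    sr   = shift % LIMB_BITS;
    sl   = LIMB_BITS - sr;
    offs = shift / LIMB_BITS;

    if (sr == 0) {                       /* whole-limb move only */
        for (j = MANT_LIMBS - 1; j >= offs; j--)
            mant[j] = mant[j - offs];
        j = offs - 1;
    } else {                             /* limb move plus bit shift */
        n = mant[MANT_LIMBS - 1 - offs] >> sr;
        for (j = MANT_LIMBS - 1; j > offs; j--) {
            m = mant[j - offs - 1];
            mant[j] = (m << sl) | n;
            n = m >> sr;
        }
        mant[j] = n;
        j--;
    }
    while (j >= 0)                       /* zero the vacated high limbs */
        mant[j--] = 0;
    return true;
}
```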
