[Nasm-bugs] [Bug 3392446] New: Heap overflow in function tokenize at source file asm/preproc.c

no-reply at bugzilla-nasm.gorcunov.org
Wed Oct 18 14:54:56 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392446

            Bug ID: 3392446
           Summary: Heap overflow in function tokenize at source file
                    asm/preproc.c
           Product: NASM
           Version: 2.13.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: severe
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: jxx13 at psu.edu
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411617
  --> https://bugzilla.nasm.us/attachment.cgi?id=411617&action=edit
File to trigger the bug under ASAN

Heap overflow in function tokenize at source file asm/preproc.c
Tested on nasm-2.13.02rc2 with address-sanitizer on a machine running
4.4.0-31-generic #50~14.04.1-Ubuntu

Running command: nasm -felf64 poc1

Bug analysis:
Function tokenize at Line 939 in asm/preproc.c:

939:  while (lvl && (c = *p++))
/* p is copied from the argument */
/* p is accessed without boundary check */

When tokenize is invoked by function pp_getline at Line 5143 in asm/preproc.c:

5143: tline = tokenize(line);
/* p is actually line, and line is allocated from the heap in read_line() with a
fixed size of 512. */
/* When the above operation "p++" iterates more than 512 times, a heap overflow
happens. */

We attach the PoC to trigger this defect with nasm compiled with
Address-Sanitizer and display the output of the Sanitizer as follows:


===============================Cut Line===================================

==4448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000c800 at pc 0x0000005373aa bp 0x7fffffffc950 sp 0x7fffffffc948
READ of size 1 at 0x61500000c800 thread T0
    #0 0x5373a9  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x5373a9)
    #1 0x530f64  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x530f64)
    #2 0x4f4ff4  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f4ff4)
    #3 0x4f2e8e  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f2e8e)
    #4 0x7ffff6eecf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x419e15  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x419e15)

0x61500000c800 is located 0 bytes to the right of 512-byte region [0x61500000c600,0x61500000c800)
allocated by thread T0 here:
    #0 0x4c4178  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4c4178)
    #1 0x4fc9d4  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4fc9d4)
    #2 0x535f65  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x535f65)
    #3 0x530ea7  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x530ea7)
    #4 0x4f4ff4  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f4ff4)
    #5 0x4f2e8e  (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f2e8e)
    #6 0x7ffff6eecf44  (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

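The defect described in the report is a scanner that walks a fixed-size heap buffer with `*p++`, stopping only on a NUL byte that the 512-byte line buffer is not guaranteed to contain. The following added example is not nasm code and is not the reporter's PoC; it is a small stand-alone model of that bug class: a length-unaware scan in the shape of the `while (lvl && (c = *p++))` loop from the report, beside a bounded version that carries the buffer length and can never read past the allocation. All names (`scan_nested_unbounded`, `scan_nested_bounded`, `bounded_consumed`, `LINE_BUF`) and the brace-matching logic are assumptions made for illustration; only the 512-byte buffer size comes from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer size named in the report for the line allocated by read_line(). */
#define LINE_BUF 512

/* Length-unaware scan in the shape of the loop quoted in the report: starting
 * inside one nesting level, advance p until the matching '}' is found. It
 * trusts that a NUL terminator exists somewhere inside the allocation; on a
 * full 512-byte buffer with no NUL, p runs off the end (the heap-buffer-
 * overflow READ of size 1 that ASAN reports). Only call it on strings that
 * are known to be NUL-terminated inside their allocation. */
static const char *scan_nested_unbounded(const char *p)
{
    int lvl = 1;
    char c;
    while (lvl && (c = *p++)) {   /* no bound on p: terminator assumed */
        if (c == '{')
            lvl++;
        else if (c == '}')
            lvl--;
    }
    return lvl ? NULL : p;        /* NULL: ran out of input before the match */
}

/* Hardened form: same logic, but the caller's buffer length is the hard
 * limit, so a missing terminator makes the scan fail cleanly instead of
 * reading past buf + len. */
static const char *scan_nested_bounded(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    int lvl = 1;
    while (lvl && p < end && *p) {
        char c = *p++;
        if (c == '{')
            lvl++;
        else if (c == '}')
            lvl--;
    }
    return lvl ? NULL : p;
}

/* Bytes consumed by the unbounded scan on a NUL-terminated string, 0 if the
 * closing brace is never found. */
static size_t unbounded_consumed(const char *s)
{
    const char *stop = scan_nested_unbounded(s);
    return stop ? (size_t)(stop - s) : 0;
}

/* Simulates read_line(): copy the input into a 512-byte heap buffer. When the
 * input fills the whole buffer there is no room for a terminator, which is
 * the condition the report describes. Only the bounded scan is run here, so
 * the function is well defined for every input length. */
static size_t bounded_consumed(const char *input, size_t input_len)
{
    char *line = malloc(LINE_BUF);
    if (!line)
        return 0;
    size_t n = input_len < LINE_BUF ? input_len : LINE_BUF;
    memset(line, 0, LINE_BUF);        /* terminator present unless n == LINE_BUF */
    memcpy(line, input, n);
    const char *stop = scan_nested_bounded(line, LINE_BUF);
    size_t consumed = stop ? (size_t)(stop - line) : 0;
    free(line);
    return consumed;
}

/* Constructed worst case: a line of 512 '{' bytes with no '}' and no NUL.
 * Returns 1 when the bounded scan rejects it instead of overrunning. */
static int unterminated_line_is_rejected(void)
{
    char full[LINE_BUF];
    memset(full, '{', sizeof full);   /* constructed input, not from the report */
    return bounded_consumed(full, sizeof full) == 0;
}

int main(void)
{
    const char *ok = "a{b}c}rest";    /* constructed, NUL-terminated sample */
    printf("unbounded scan on terminated input: %zu bytes\n", unbounded_consumed(ok));
    printf("bounded scan on terminated input:   %zu bytes\n", bounded_consumed(ok, strlen(ok)));
    printf("bounded scan rejects full 512-byte line without NUL: %s\n",
           unterminated_line_is_rejected() ? "yes" : "no");
    return 0;
}
```

Building the example with `-fsanitize=address` and calling `scan_nested_unbounded` on the full 512-byte buffer instead of the bounded scan reproduces the same class of report shown above (a 1-byte READ 0 bytes to the right of a 512-byte region); the bounded version returns NULL for that input and never touches memory outside the allocation.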