[Nasm-bugs] [Bug 3392446] New: Heap overflow in function tokenize at source file asm/preproc.c
no-reply at bugzilla-nasm.gorcunov.org
Wed Oct 18 14:54:56 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392446
Bug ID: 3392446
Summary: Heap overflow in function tokenize at source file asm/preproc.c
Product: NASM
Version: 2.13.xx
Hardware: All
OS: All
Status: OPEN
Severity: severe
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: jxx13 at psu.edu
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411617
--> https://bugzilla.nasm.us/attachment.cgi?id=411617&action=edit
File to trigger the bug under ASAN
Heap overflow in function tokenize at source file asm/preproc.c
Tested on nasm-2.13.02rc2 with address-sanitizer on a machine running kernel 4.4.0-31-generic #50~14.04.1-Ubuntu
Running command: nasm -felf64 poc1
Bug analysis:
Function tokenize at Line 939 in asm/preproc.c:
939: while (lvl && (c = *p++))
/* p is copied from the argument */
/* p is accessed without boundary check */
When tokenize is invoked by function pp_getline at Line 5143 in asm/preproc.c:
5143: tline = tokenize(line)
/* p is actually line, and line is allocated from the heap in read_line() with a fixed size of 512. */
/* When the above operation "p++" iterates over 512 times, a heap overflow happens. */
We attach the PoC to trigger this defect with nasm compiled with Address-Sanitizer and display the output of the Sanitizer as follows:
===============================Cut Line===================================
==4448==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000c800 at pc 0x0000005373aa bp 0x7fffffffc950 sp 0x7fffffffc948
READ of size 1 at 0x61500000c800 thread T0
    #0 0x5373a9 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x5373a9)
    #1 0x530f64 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x530f64)
    #2 0x4f4ff4 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f4ff4)
    #3 0x4f2e8e (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f2e8e)
    #4 0x7ffff6eecf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x419e15 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x419e15)
0x61500000c800 is located 0 bytes to the right of 512-byte region [0x61500000c600,0x61500000c800)
allocated by thread T0 here:
    #0 0x4c4178 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4c4178)
    #1 0x4fc9d4 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4fc9d4)
    #2 0x535f65 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x535f65)
    #3 0x530ea7 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x530ea7)
    #4 0x4f4ff4 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f4ff4)
    #5 0x4f2e8e (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/nasm+0x4f2e8e)
    #6 0x7ffff6eecf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
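The defect pattern in the analysis above (a `while (lvl && (c = *p++))` walk that trusts a NUL terminator the 512-byte line buffer may not contain) is reproduced below as an added, self-contained C example. This is not NASM's code: `scan_unbounded` and `scan_bounded` are hypothetical scanners modelled only on the loop shape quoted in the report, `LINE_SIZE` assumes the 512-byte read_line() buffer the report describes, and the input is constructed so that the over-read stays inside one larger array (in the real report the neighbouring bytes are a separate heap chunk, which is why ASAN flags it). The bounded variant shows the fix a maintainer would want: pass the remaining length explicitly and report an unterminated line to the caller instead of reading on.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed line-buffer size named in the report (assumption: read_line() hands the
 * tokenizer a 512-byte heap block and nothing else bounds the walk). */
#define LINE_SIZE 512

/* Hypothetical scanner with the loop shape quoted in the report: advance p until
 * the nesting level returns to zero or a NUL byte is read. It has no notion of
 * where the buffer ends, so a line with no NUL inside its 512 bytes drives p into
 * whatever memory follows. Returns the number of bytes consumed. */
size_t scan_unbounded(const char *line)
{
    const char *p = line;
    int lvl = 1;                 /* caller already consumed an opening '(' */
    char c;

    while (lvl && (c = *p++)) {
        if (c == '(')
            lvl++;
        else if (c == ')')
            lvl--;
    }
    return (size_t)(p - line);
}

/* Hardened form: the remaining length is an explicit parameter, so the loop stops
 * at the end of the buffer even when no NUL is present. Returns bytes consumed;
 * *balanced tells the caller whether the nesting closed inside the buffer
 * (0 means "unterminated", which a caller should treat as a parse error). */
size_t scan_bounded(const char *line, size_t len, int *balanced)
{
    size_t i = 0;
    int lvl = 1;

    while (lvl && i < len && line[i] != '\0') {
        if (line[i] == '(')
            lvl++;
        else if (line[i] == ')')
            lvl--;
        i++;
    }
    *balanced = (lvl == 0);
    return i;
}

/* Constructed input: 512 bytes of filler with an unclosed bracket and no NUL,
 * followed by neighbouring bytes that happen to hold ')' and a NUL. The arena is
 * twice LINE_SIZE so the over-read stays inside one array and the demo itself is
 * well defined; in the report the neighbour is a different heap allocation. */
static void build_arena(char *arena, size_t arena_len)
{
    memset(arena, 'x', arena_len);
    arena[LINE_SIZE] = ')';
    arena[LINE_SIZE + 1] = '\0';
}

/* Bytes the unbounded scanner consumes: 513, one past the 512-byte line. */
size_t demo_unbounded(void)
{
    char arena[LINE_SIZE * 2];
    build_arena(arena, sizeof arena);
    return scan_unbounded(arena);
}

/* Bytes the bounded scanner consumes: exactly 512, then it stops. */
size_t demo_bounded_consumed(void)
{
    char arena[LINE_SIZE * 2];
    int balanced;
    build_arena(arena, sizeof arena);
    return scan_bounded(arena, LINE_SIZE, &balanced);
}

/* Whether the bounded scanner saw the nesting close inside the line: 0 here. */
int demo_bounded_balanced(void)
{
    char arena[LINE_SIZE * 2];
    int balanced;
    build_arena(arena, sizeof arena);
    scan_bounded(arena, LINE_SIZE, &balanced);
    return balanced;
}

int main(void)
{
    printf("unbounded scan consumed %zu bytes of a %d-byte line\n",
           demo_unbounded(), LINE_SIZE);
    printf("bounded scan consumed %zu bytes, balanced=%d\n",
           demo_bounded_consumed(), demo_bounded_balanced());
    return 0;
}
```

Compiled with `-fsanitize=address`, the unbounded variant is exactly the kind of walk ASAN reports as a read "0 bytes to the right of" the allocation once the line is its own heap block; the bounded variant never touches byte 512, and its `balanced == 0` result is the signal a caller needs to reject the line rather than keep tokenizing.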