[Nasm-bugs] [Bug 3392447] New: Global buffer overflow over nasm_reg_flags in function at source file asm/parser.c
no-reply at bugzilla-nasm.gorcunov.org
Sun Oct 22 13:38:22 PDT 2017
https://bugzilla.nasm.us/show_bug.cgi?id=3392447
Bug ID: 3392447
Summary: Global buffer overflow over nasm_reg_flags in function at source file asm/parser.c
Product: NASM
Version: 2.13.xx
Hardware: All
OS: All
Status: OPEN
Severity: severe
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: jxx13 at psu.edu
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411618
--> https://bugzilla.nasm.us/attachment.cgi?id=411618&action=edit
File to trigger the bug under ASAN
Global buffer overflow on nasm_reg_flags in function at source file
asm/parser.c.
Tested on nasm-2.13.02rc2 with address-sanitizer on a machine running
4.4.0-31-generic #50~14.04.1-Ubuntu
Running command: nasm -felf64 poc2
Bug analysis:
Function parse_line at line 891 in asm/parser.c:
891: !IS_SREG(value->type))
/* IS_SREG is a macro defined as: #define IS_SREG(reg) is_reg_class(REG_SREG, (reg)) */
/* and is_reg_class is defined as is_class((class), nasm_reg_flags[(reg)]) */
/* The above macro tries to access the global buffer nasm_reg_flags with index reg
   (nasm_reg_flags is a global array with size 241) */
/* At line 891 in asm/parser.c, value->type is the reg used to index nasm_reg_flags
   without any boundary check */
/* When an input makes value->type larger than 240, an out-of-bounds access happens */
We attach the PoC to trigger this defect with nasm compiled with
Address-Sanitizer and display the output of the sanitizer as follows:
===============================Cut Line===================================
==8457== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061ec68 at pc 0x4293e7 bp 0x7ffd22418dd0 sp 0x7ffd22418dc8
READ of size 8 at 0x00000061ec68 thread T0
    #0 0x4293e6 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4293e6)
    #1 0x406d8f (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x406d8f)
    #2 0x403a8a (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x403a8a)
    #3 0x7f8080f53f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #4 0x401ec8 (/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x401ec8)
0x00000061ec68 is located 0 bytes to the right of global variable 'nasm_reg_flags (x86/regflags.c)' (0x61e4e0) of size 1928
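The lookup pattern the report describes, as an added example that is not NASM's code and not part of the bug report: a table indexed by a token type with no range check, beside a bounds-checked replacement. The flags table, the REG_GPR/REG_SREG bits, the tokenval struct and all function names here are constructed stand-ins for nasm_reg_flags, the real class bits and parse_line's value->type; the table is kept to five entries (the real one has 241, which matches ASAN's 1928 bytes at 8 bytes per entry) so an out-of-range index is easy to construct.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t opflags_t;

/* Hypothetical class bits standing in for NASM's REG_GPR / REG_SREG. */
#define REG_GPR  ((opflags_t)1 << 0)
#define REG_SREG ((opflags_t)1 << 1)

/* Constructed flags table standing in for nasm_reg_flags. The real table
 * has 241 entries; ASAN's "size 1928" is 241 * sizeof(uint64_t). Kept
 * short here so an out-of-range index is easy to construct. */
static const opflags_t reg_flags[] = {
    0,        /* 0: not a register   */
    REG_GPR,  /* 1: general register */
    REG_GPR,  /* 2: general register */
    REG_SREG, /* 3: segment register */
    REG_SREG, /* 4: segment register */
};
#define REG_FLAGS_COUNT (sizeof(reg_flags) / sizeof(reg_flags[0]))

static bool is_class(opflags_t cls, opflags_t flags)
{
    return (flags & cls) != 0;
}

/* Same shape as the macro chain in the report: index straight into the
 * table. For reg >= REG_FLAGS_COUNT this reads past the end of the array,
 * which is the global-buffer-overflow ASAN reported. Left unchecked on
 * purpose; nothing here calls it with an out-of-range index. */
static bool is_reg_class_unchecked(opflags_t cls, int reg)
{
    return is_class(cls, reg_flags[reg]);
}

/* Hardened form: reject out-of-range ids before touching the table. An
 * id that is not in the table is simply "not in this class". */
static bool is_reg_class_checked(opflags_t cls, int reg)
{
    if (reg < 0 || (size_t)reg >= REG_FLAGS_COUNT)
        return false;
    return is_class(cls, reg_flags[reg]);
}

#define IS_SREG(reg) is_reg_class_checked(REG_SREG, (reg))

/* Minimal stand-in for the token value parse_line inspects. */
struct tokenval { int type; };

/* 1 = accepted as a segment register, 0 = some other token type,
 * -1 = id outside the table (the unchecked lookup would have overflowed). */
static int classify_sreg(const struct tokenval *value)
{
    if (value->type < 0 || (size_t)value->type >= REG_FLAGS_COUNT)
        return -1;
    return IS_SREG(value->type) ? 1 : 0;
}

/* How many of n token ids would send the unchecked lookup out of bounds. */
static size_t count_oob(const int *types, size_t n)
{
    size_t oob = 0;
    for (size_t i = 0; i < n; i++)
        if (types[i] < 0 || (size_t)types[i] >= REG_FLAGS_COUNT)
            oob++;
    return oob;
}

int main(void)
{
    /* Constructed sample ids: three valid entries, one far past the table
     * end (a value->type larger than the last index), one negative. */
    const int types[] = { 1, 3, 4, 4096, -7 };
    size_t n = sizeof(types) / sizeof(types[0]);

    for (size_t i = 0; i < n; i++) {
        struct tokenval tv = { .type = types[i] };
        printf("type %5d -> classify_sreg = %2d  (unchecked lookup %s)\n",
               types[i], classify_sreg(&tv),
               (types[i] < 0 || (size_t)types[i] >= REG_FLAGS_COUNT)
                   ? "would read out of bounds" : "in range");
    }
    printf("%zu of %zu ids out of range\n", count_oob(types, n), n);
    return 0;
}
```

The point of the checked variant is that the guard lives inside the lookup rather than at each call site: parse_line is only one of the places a token type reaches a register-flag table, and the sanitizer run above found the call that happened to be fuzzed, not necessarily the only one. Compiling with -fsanitize=address, as the reporter did, is the cheapest way to confirm the fix, since the unchecked form only crashes when the stray read happens to cross into an unmapped page.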