[Nasm-bugs] [Bug 3392447] New: Global buffer overflow over nasm_reg_flags in function at source file asm/parser.c

no-reply at bugzilla-nasm.gorcunov.org no-reply at bugzilla-nasm.gorcunov.org
Sun Oct 22 13:38:22 PDT 2017


https://bugzilla.nasm.us/show_bug.cgi?id=3392447

            Bug ID: 3392447
           Summary: Global buffer overflow over nasm_reg_flags in function
                    at source file asm/parser.c
           Product: NASM
           Version: 2.13.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: severe
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: jxx13 at psu.edu
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411618
  --> https://bugzilla.nasm.us/attachment.cgi?id=411618&action=edit
File to trigger the bug under ASAN

Global buffer overflow on nasm_reg_flags in function at source file
asm/parser.c.

Tested on nasm-2.13.02rc2 with AddressSanitizer on a machine running kernel
4.4.0-31-generic #50~14.04.1-Ubuntu

Running command: nasm -felf64 poc2

Bug analysis: 

Function parse_line at line 891 in asm/parser.c:

891:                    !IS_SREG(value->type))

/* IS_SREG is a macro defined as:
 *     #define IS_SREG(reg)    is_reg_class(REG_SREG, (reg))
 * and is_reg_class is defined as:
 *     is_class((class), nasm_reg_flags[(reg)])
 */

/* The above macro accesses the global buffer nasm_reg_flags with index reg
 * (nasm_reg_flags is a global array of size 241). */

/* At line 891 in asm/parser.c, value->type is the reg used to index
 * nasm_reg_flags without any bounds check. */

/* When an input makes value->type larger than 240, an out-of-bounds access
 * happens. */

We attach the PoC that triggers this defect with nasm compiled with
AddressSanitizer, and the Sanitizer output is as follows:

===============================Cut Line===================================

==8457== ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000061ec68 at pc 0x4293e7 bp 0x7ffd22418dd0 sp 0x7ffd22418dc8
READ of size 8 at 0x00000061ec68 thread T0
    #0 0x4293e6
(/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x4293e6)
    #1 0x406d8f
(/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x406d8f)
    #2 0x403a8a
(/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x403a8a)
    #3 0x7f8080f53f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #4 0x401ec8
(/home/mdl/jun/afl-pt/samples/nasm/target/nasm-2.13.02rc2/dbg/nasm+0x401ec8)
0x00000061ec68 is located 0 bytes to the right of global variable
'nasm_reg_flags (x86/regflags.c)' (0x61e4e0) of size 1928


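As an added illustration (not the reporter's code and not NASM's own source), the following C model shows the unchecked table lookup the report describes next to a bounds-checked variant, plus the arithmetic that recovers the faulting index from the ASan lines above. The table contents, the class bits, the element type and every function name here are assumptions for illustration; the only figures taken from the report are the fault address, the base and size of the global, and the 8-byte read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the lookup in the report, not NASM's code. In NASM,
 * nasm_reg_flags[] is indexed by a register enum value and is_reg_class()
 * tests a class bit against that entry. Table contents, class bits and
 * function names here are assumptions for illustration. */
typedef uint64_t opflags_t;

#define REG_SREG (1ULL << 3)  /* assumed class bit: segment register */
#define REG_GPR  (1ULL << 4)  /* assumed class bit: general-purpose register */

/* Stand-in for nasm_reg_flags: the index is the register's enum value. */
static const opflags_t model_reg_flags[] = {
    0,        /* 0: no register */
    REG_GPR,  /* 1 */
    REG_GPR,  /* 2 */
    REG_SREG, /* 3 */
    REG_SREG, /* 4 */
};
#define MODEL_REG_COUNT (sizeof model_reg_flags / sizeof model_reg_flags[0])

static bool is_class(opflags_t cls, opflags_t flags)
{
    return (flags & cls) == cls;
}

/* Unchecked lookup, the shape the report describes: nothing stops reg from
 * indexing past the end of the table when it comes from parser state that
 * an input file controls. */
static bool is_reg_class_unchecked(opflags_t cls, int reg)
{
    return is_class(cls, model_reg_flags[reg]);
}

/* Bounds-checked lookup: any index outside [0, MODEL_REG_COUNT) is rejected
 * before the table is touched and reported as "not in class". */
static bool is_reg_class_checked(opflags_t cls, int reg)
{
    if (reg < 0 || (size_t)reg >= MODEL_REG_COUNT)
        return false;
    return is_class(cls, model_reg_flags[reg]);
}

/* Recover the offending index from an ASan report:
 * (fault address - base of the global) / element size.
 * For the report above the elements are 8 bytes ("READ of size 8"), so
 * 0x61ec68 - 0x61e4e0 = 1928 bytes = index 241, i.e. the first element
 * past a 241-entry table (1928 / 8 = 241 entries). */
static long asan_fault_index(uintptr_t fault_addr, uintptr_t global_base,
                             size_t elem_size)
{
    if (fault_addr < global_base || elem_size == 0)
        return -1;
    return (long)((fault_addr - global_base) / elem_size);
}

int main(void)
{
    printf("reg 3 is SREG (checked): %d\n", is_reg_class_checked(REG_SREG, 3));
    printf("reg 500 is SREG (checked): %d\n", is_reg_class_checked(REG_SREG, 500));
    printf("index from ASan report: %ld\n",
           asan_fault_index(0x61ec68u, 0x61e4e0u, 8));
    /* is_reg_class_unchecked(REG_SREG, 500) would read out of bounds here;
     * under ASan that is the global-buffer-overflow shown in the report. */
    return 0;
}
```

The checked variant treats an out-of-range register value as "not in class" rather than aborting; whichever policy a real fix chooses, the point is that the comparison against the table length happens before `nasm_reg_flags[reg]` is evaluated, and that the index arithmetic on the ASan addresses shows the PoC pushes the index to exactly one past the end.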