[Nasm-bugs] [Bug 3392475] New: Stack buffer overflow (out-of-bound) in disasm (src/disasm/disasm.c)

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Mon Apr 23 12:45:51 PDT 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392475

            Bug ID: 3392475
           Summary: Stack buffer overflow (out-of-bound) in disasm
                    (src/disasm/disasm.c)
           Product: NASM
           Version: 2.13.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Disassembler
          Assignee: nobody at nasm.us
          Reporter: traceprobe at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411636
  --> https://bugzilla.nasm.us/attachment.cgi?id=411636&action=edit
poc

On the latest stable version and development snapshot of nasm, there is a stack
buffer overflow (out-of-bound read) in the disasm function of the src/disasm/disasm.c
file, which can be triggered by the POC below.

The issue happens since the condition "end_prefix" of the while loop (line
1143) is only set when certain items in "data" are encountered, which, however,
can be manipulated by the input file.

1111 int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize,
1112                int64_t offset, int autosync, iflag_t prefer)
1113 {
...
1143     while (!end_prefix) {
1144         switch (*data) {
...
1282         default:
1283             end_prefix = true;
1284             break;
1285         }

To reproduce:
1) download nasm-2.14rc0-20180420.tar.gz OR stable version of nasm-2.13.0
2) build nasm with ASAN enabled;
3) execute: bin/ndisasm -b 32 $POC

Stack trace:
==104144==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd4536b4c0 at pc 0x00000041bb44 bp 0x7ffd4536ac20 sp 0x7ffd4536ac18
READ of size 1 at 0x7ffd4536b4c0 thread T0
    #0 0x41bb43 in disasm
/u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/disasm.c:1144
    #1 0x403e5d in main
/u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:320
    #2 0x7f29e681f3d4 in __libc_start_main (/usr/lib64/libc.so.6+0x223d4)
    #3 0x406591
(/home/test/test/product/nasm/nasm-2.14rc0-20180420/exe_asan/bin/ndisasm+0x406591)

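The defect described in the report is a prefix-consuming loop whose only exit condition is the value of the byte being read, so an input made entirely of prefix bytes walks off the end of the buffer. The following is an added example, not NASM's code and not its fix: a prefix scan of the same shape in which the loop is also bounded by the remaining length, so an all-prefix buffer ends the loop at the boundary and reports the truncation to the caller. The prefix byte set, the `scan_prefixes`/`prefix_scan` names and the two wrapper functions are illustrative assumptions; the input bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of scanning the legacy-prefix run at the start of an instruction. */
struct prefix_scan {
    size_t consumed;   /* number of prefix bytes at the front of the buffer */
    bool   truncated;  /* true if the buffer ended before a non-prefix byte */
};

/* Illustrative subset of x86 legacy prefixes (operand/address size, LOCK,
 * REP/REPNE, segment overrides). This is an assumption for the example,
 * not NASM's prefix table. */
static bool is_prefix_byte(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
        return true;
    default:
        return false;
    }
}

/* Bounded prefix scan: the loop is driven by the remaining length as well as
 * by the byte value, so a buffer made entirely of prefix bytes ends the loop
 * at the buffer boundary instead of reading past it. */
struct prefix_scan scan_prefixes(const uint8_t *data, size_t len)
{
    struct prefix_scan r = { 0, false };
    bool end_prefix = false;

    while (!end_prefix) {
        if (r.consumed >= len) {      /* the bound the reported loop lacks */
            r.truncated = true;
            break;
        }
        if (is_prefix_byte(data[r.consumed]))
            r.consumed++;
        else
            end_prefix = true;        /* first non-prefix byte: opcode starts */
    }
    return r;
}

/* Wrappers for the two cases worth checking by name. */
size_t prefixes_before_nop(void)
{
    /* constructed input: one operand-size prefix followed by nop */
    static const uint8_t ins[] = { 0x66, 0x90 };
    return scan_prefixes(ins, sizeof ins).consumed;
}

bool all_prefix_buffer_is_truncated(void)
{
    /* constructed input: nothing but prefix bytes, the shape of the POC */
    static const uint8_t run[8] = { 0x66, 0x66, 0x66, 0x66,
                                    0x66, 0x66, 0x66, 0x66 };
    struct prefix_scan r = scan_prefixes(run, sizeof run);
    return r.truncated && r.consumed == sizeof run;
}

int main(void)
{
    printf("prefix bytes before nop: %zu\n", prefixes_before_nop());
    printf("all-prefix buffer truncated: %s\n",
           all_prefix_buffer_is_truncated() ? "yes" : "no");
    return 0;
}
```

The caller decides what to do with a truncated result (ndisasm would typically emit the bytes as data and stop); the point is that the decision is made from a count compared against the buffer length rather than from a byte read beyond it.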