[Nasm-bugs] [Bug 3392475] New: Stack buffer overflow (out-of-bound) in disasm (src/disasm/disasm.c)
noreply-nasm at gorcunov.org
Mon Apr 23 12:45:51 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392475
Bug ID: 3392475
Summary: Stack buffer overflow (out-of-bound) in disasm (src/disasm/disasm.c)
Product: NASM
Version: 2.13.xx
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Disassembler
Assignee: nobody at nasm.us
Reporter: traceprobe at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411636 (poc): https://bugzilla.nasm.us/attachment.cgi?id=411636&action=edit
On the latest stable version and the development snapshot of nasm, there is a stack
buffer overflow (out-of-bound read) in the disasm function of src/disasm/disasm.c,
which can be triggered by the POC attached to this report.
The issue happens because the "end_prefix" condition of the while loop (line
1143) is only set when certain bytes in "data" are encountered, and those bytes
are controlled by the input file.
1111 int32_t disasm(uint8_t *data, char *output, int outbufsize, int segsize,
1112                int64_t offset, int autosync, iflag_t prefer)
1113 {
...
1143     while (!end_prefix) {
1144         switch (*data) {
...
1282         default:
1283             end_prefix = true;
1284             break;
1285         }
To reproduce:
1) download nasm-2.14rc0-20180420.tar.gz OR stable version of nasm-2.13.0
2) build nasm with ASAN enabled;
3) execute: bin/ndisasm -b 32 $POC
Stack trace:
==104144==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd4536b4c0 at pc 0x00000041bb44 bp 0x7ffd4536ac20 sp 0x7ffd4536ac18
READ of size 1 at 0x7ffd4536b4c0 thread T0
    #0 0x41bb43 in disasm
       /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/disasm.c:1144
    #1 0x403e5d in main
       /u/test/test/product/nasm/nasm-2.14rc0-20180420/src/disasm/ndisasm.c:320
    #2 0x7f29e681f3d4 in __libc_start_main (/usr/lib64/libc.so.6+0x223d4)
    #3 0x406591
       (/home/test/test/product/nasm/nasm-2.14rc0-20180420/exe_asan/bin/ndisasm+0x406591)
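A minimal model of the loop shape the report describes, as an added example and not code from NASM's disasm.c: an x86 legacy-prefix scanner whose only exit is the non-prefix "default" case, next to the same scan with the remaining buffer length as a loop condition. The prefix byte set, the function names, the return convention and the sample buffers are assumptions chosen for illustration; the point is that a file consisting only of prefix bytes never reaches the default case, so the unbounded loop reads one byte past the end of the input buffer, which is exactly the read ASan flags above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy x86 prefix bytes a decoder skips before the opcode (assumed set,
 * not NASM's table). Any other byte ends the prefix scan. */
static bool is_prefix_byte(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E:   /* ES/CS/SS/DS overrides */
    case 0x64: case 0x65:                         /* FS/GS overrides */
    case 0x66: case 0x67:                         /* operand/address size */
    case 0xF0: case 0xF2: case 0xF3:              /* LOCK, REPNE, REP */
        return true;
    default:
        return false;
    }
}

/* Unbounded scan, the shape of the reported loop: end_prefix is only set by
 * the non-prefix case, so the loop has no idea where the buffer ends. On a
 * buffer containing only prefix bytes it reads data[len], an out-of-bounds
 * read. Only safe on input known to contain a non-prefix byte.
 * Returns the number of prefix bytes skipped. */
size_t scan_prefixes_unbounded(const uint8_t *data)
{
    size_t n = 0;
    bool end_prefix = false;
    while (!end_prefix) {
        if (is_prefix_byte(data[n]))
            n++;                        /* keep consuming prefixes */
        else
            end_prefix = true;          /* found the opcode byte */
    }
    return n;
}

/* Bounded scan: the same loop with the remaining length as a loop condition.
 * Returns the number of prefix bytes skipped, or -1 when the buffer ran out
 * before any opcode byte was found (the PoC-shaped input). */
long scan_prefixes_bounded(const uint8_t *data, size_t len)
{
    size_t n = 0;
    while (n < len && is_prefix_byte(data[n]))
        n++;
    return n == len ? -1 : (long)n;
}

int main(void)
{
    /* Constructed inputs, not the attached PoC: a normal instruction with two
     * prefixes, and a buffer made only of operand-size prefixes. */
    static const uint8_t normal[] = { 0x66, 0xF3, 0xA5 };       /* rep movsw */
    static const uint8_t all_prefix[8] = { 0x66, 0x66, 0x66, 0x66,
                                           0x66, 0x66, 0x66, 0x66 };

    printf("normal (unbounded): %zu prefix bytes\n",
           scan_prefixes_unbounded(normal));
    printf("normal (bounded):   %ld prefix bytes\n",
           scan_prefixes_bounded(normal, sizeof normal));
    printf("all-prefix (bounded): %ld (negative = input exhausted)\n",
           scan_prefixes_bounded(all_prefix, sizeof all_prefix));
    /* scan_prefixes_unbounded(all_prefix) would read all_prefix[8]; under
     * ASan that is the stack-buffer-overflow shown in the report. */
    return 0;
}
```

The bounded variant is the check a decoder entry point like disasm() needs: the caller already knows how many bytes remain in the input buffer, so passing that length in and making it part of the loop condition turns the crash into a clean "truncated instruction" result.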