[Nasm-bugs] [Bug 3392503] New: nasm-2.14rc15 - Buffer Overflow

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Fri Aug 3 03:00:21 PDT 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392503

            Bug ID: 3392503
           Summary: nasm-2.14rc15 - Buffer Overflow
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: nafiez.skins at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411658
  --> https://bugzilla.nasm.us/attachment.cgi?id=411658&action=edit
POC generated by AFL

An buffer overflow trigger upon fuzzing. We compiled the program with ASAN to
see the result crash. Target version nasm-2.14rc15. 

The issue found by AFL.

==17458==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000008d8090 at pc 0x00000056d272 bp 0x7ffe65d7d2d0 sp 0x7ffe65d7d2c8
READ of size 8 at 0x0000008d8090 thread T0
    #0 0x56d271  (/home/john/fuzzing/nasm-2.14rc15/nasm+0x56d271)
    #1 0x50e027  (/home/john/fuzzing/nasm-2.14rc15/nasm+0x50e027)
    #2 0x7f8a4f7deb96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #3 0x41cac9  (/home/john/fuzzing/nasm-2.14rc15/nasm+0x41cac9)

0x0000008d8090 is located 8 bytes to the right of global variable
'nasm_reg_flags' defined in 'x86/regflags.c:6:17' (0x8d7900) of size 1928
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/john/fuzzing/nasm-2.14rc15/nasm+0x56d271) 
Shadow bytes around the buggy address:
  0x000080112fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080112fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080112fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080112ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080113000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080113010: 00 f9[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080113020: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080113030: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080113040: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080113050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080113060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17458==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.


More information about the Nasm-bugs mailing list