[Nasm-bugs] [Bug 3392504] New: ndisasm (nasm-2.14rc15) - Stack Buffer Overflow
noreply-nasm at gorcunov.org
noreply-nasm at gorcunov.org
Fri Aug 3 19:15:22 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392504
Bug ID: 3392504
Summary: ndisasm (nasm-2.14rc15) - Stack Buffer Overflow
Product: NASM
Version: unspecified
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Disassembler
Assignee: nobody at nasm.us
Reporter: nafiez.skins at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411659
--> https://bugzilla.nasm.us/attachment.cgi?id=411659&action=edit
POC generated by AFL
An buffer overflow trigger upon fuzzing. We compiled the program with ASAN to
see the result crash. Target version of ndisasm (nasm-2.14rc15).
==31549==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffc2dc6ad80 at pc 0x000000523f5a bp 0x7ffc2dc6a4d0 sp 0x7ffc2dc6a4c8
READ of size 1 at 0x7ffc2dc6ad80 thread T0
#0 0x523f59 (/home/john/fuzzing/nasm-2.14rc15/ndisasm+0x523f59)
#1 0x50dd2a (/home/john/fuzzing/nasm-2.14rc15/ndisasm+0x50dd2a)
#2 0x7f84e2c6bb96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#3 0x41c5e9 (/home/john/fuzzing/nasm-2.14rc15/ndisasm+0x41c5e9)
Address 0x7ffc2dc6ad80 is located in stack of thread T0 at offset 416 in frame
#0 0x50babf (/home/john/fuzzing/nasm-2.14rc15/ndisasm+0x50babf)
This frame has 7 object(s):
[32, 288) 'buffer.i'
[352, 416) 'buffer' <== Memory access at offset 416 overflows this variable
[448, 456) 'ep'
[480, 736) 'outbuf'
[800, 804) 'synclen'
[816, 832) 'prefer'
[848, 849) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/john/fuzzing/nasm-2.14rc15/ndisasm+0x523f59)
Shadow bytes around the buggy address:
0x100005b85560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005b85570: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100005b85580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005b85590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005b855a0: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
=>0x100005b855b0:[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00
0x100005b855c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005b855d0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2
0x100005b855e0: 04 f2 00 00 f2 f2 01 f3 00 00 00 00 00 00 00 00
0x100005b855f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005b85600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31549==ABORTING
--
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.
More information about the Nasm-bugs
mailing list