[Nasm-bugs] [Bug 3392508] New: one invalid memory write(segment fault) in expand_smacro in preproc.c in nasm-2.14rc15
noreply-nasm at gorcunov.org
Wed Aug 22 07:53:50 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392508
Bug ID: 3392508
Summary: one invalid memory write(segment fault) in
expand_smacro in preproc.c in nasm-2.14rc15
Product: NASM
Version: 2.14 (development)
Hardware: Undefined
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: 92wyunchao at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411661
--> https://bugzilla.nasm.us/attachment.cgi?id=411661&action=edit
poc file to trigger the crash
There exists an invalid memory write (segmentation fault) in expand_smacro in
preproc.c in nasm-2.14rc15 which allows attackers to cause a denial of service
via a crafted input file.
To reproduce:
nasm -f bin poc -o tmp
ASan:
==51827==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc
0x000000551151 bp 0x7fff06648510 sp 0x7fff06648340 T0)
#0 0x551150 in expand_smacro /home/s2e/nasm-2.14rc15/asm/preproc.c:4475
#1 0x52d372 in pp_getline /home/s2e/nasm-2.14rc15/asm/preproc.c:5248
#2 0x4ed8ce in assemble_file /home/s2e/nasm-2.14rc15/asm/nasm.c:1435
#3 0x4ed8ce in main /home/s2e/nasm-2.14rc15/asm/nasm.c:566
#4 0x7fdf10c1a82f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x4190f8 in _start (/home/s2e/nasm-2.14rc15/tmp/bin/nasm+0x4190f8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/nasm-2.14rc15/asm/preproc.c:4475 in
expand_smacro
==51827==ABORTING
gdb output:
RAX: 0x0
RBX: 0x7ffff7f79730 --> 0x7ffff7f79710 --> 0x7ffff7f796f0 --> 0x7ffff7f796d0
--> 0x7ffff7f796b0 --> 0x7ffff7f79690 (--> ...)
RCX: 0x79add0 --> 0x0
RDX: 0x79add0 --> 0x0
RSI: 0x0
RDI: 0xff
RBP: 0x7ffff7f79630 --> 0x7ffff7f79650 --> 0x7ffff7f79610 --> 0x7ffff7f795f0
--> 0x7ffff7f795d0 --> 0x7ffff7f795b0 (--> ...)
RSP: 0x7fffffffd940 --> 0x4bd920 --> 0x2c800000088
RIP: 0x43c191 (<expand_smacro+5713>: mov BYTE PTR [rax+0x11],0x0)
R8 : 0x79add0 --> 0x0
R9 : 0xfffffffffffffffc
R10: 0x22 ('"')
R11: 0x246
R12: 0x0
R13: 0x0
R14: 0xf41dc
R15: 0xfffffffffffffffc
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x43c182 <expand_smacro+5698>: inc BYTE PTR [rcx+rax*1]
0x43c185 <expand_smacro+5701>: mov DWORD PTR fs:[r15],0x6bd0
0x43c18d <expand_smacro+5709>: mov rax,QWORD PTR [rbp+0x10]
=> 0x43c191 <expand_smacro+5713>: mov BYTE PTR [rax+0x11],0x0
0x43c195 <expand_smacro+5717>: mov rbx,QWORD PTR [rbp+0x0]
0x43c199 <expand_smacro+5721>: mov rdi,QWORD PTR [rbp+0x8]
0x43c19d <expand_smacro+5725>: call 0x409510 <nasm_free>
0x43c1a2 <expand_smacro+5730>: mov rax,QWORD PTR [rip+0x35a797]
# 0x796940 <freeTokens>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd940 --> 0x4bd920 --> 0x2c800000088
0008| 0x7fffffffd948 --> 0x7de160 --> 0x31 ('1')
0016| 0x7fffffffd950 --> 0x0
0024| 0x7fffffffd958 --> 0x10
0032| 0x7fffffffd960 --> 0x100000000
0040| 0x7fffffffd968 --> 0x7de9a0 --> 0x7ffff7dd1b78 --> 0x7dece0 --> 0x0
0048| 0x7fffffffd970 --> 0xf41e4
0056| 0x7fffffffd978 --> 0x7de240 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000043c191 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
4475 tline->a.mac->in_progress = false;
gdb-peda$ bt
#0 0x000000000043c191 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
#1 0x0000000000426667 in pp_getline () at asm/preproc.c:5248
#2 0x0000000000404269 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1435
#3 main (argc=<optimized out>, argv=<optimized out>,
argv at entry=0x7fffffffdd78) at asm/nasm.c:566
#4 0x00007ffff7a2d830 in __libc_start_main (main=0x4021b0 <main>, argc=0x6,
argv=0x7fffffffdd78, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdd68) at ../csu/libc-start.c:291
#5 0x0000000000401d49 in _start ()
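The ASan report and the gdb register dump above together pin down what kind of fault this is: the instruction at the crash site writes one byte to [rax+0x11], RAX is 0, and the faulting address is 0x11, i.e. a field store through a NULL struct pointer (tline->a.mac). The following triage helper, an added example that is not part of the bug report or of NASM, automates that reasoning: it parses the ASan SEGV line and frame list, decodes the faulting Intel-syntax instruction from the gdb output, checks that the base register plus displacement reproduces the fault address, and classifies the crash. The regular expressions, the field names and the verdict labels are this example's own assumptions; the sample input is copied from the report above.

```python
import re

# Constructed sample: the ASan excerpt from the bug report (frames trimmed to the
# ones inside nasm; libc frames carry no file:line and are ignored anyway).
ASAN_REPORT = """\
==51827==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x000000551151 bp 0x7fff06648510 sp 0x7fff06648340 T0)
    #0 0x551150 in expand_smacro /home/s2e/nasm-2.14rc15/asm/preproc.c:4475
    #1 0x52d372 in pp_getline /home/s2e/nasm-2.14rc15/asm/preproc.c:5248
    #2 0x4ed8ce in assemble_file /home/s2e/nasm-2.14rc15/asm/nasm.c:1435
    #3 0x4ed8ce in main /home/s2e/nasm-2.14rc15/asm/nasm.c:566
SUMMARY: AddressSanitizer: SEGV /home/s2e/nasm-2.14rc15/asm/preproc.c:4475 in expand_smacro
"""

# Constructed sample: the faulting instruction and the one register it uses, as
# shown in the gdb-peda dump above (Intel syntax, destination operand first).
FAULTING_INSN = "=> 0x43c191 <expand_smacro+5713>: mov BYTE PTR [rax+0x11],0x0"
REGISTERS = {"rax": 0x0}

PAGE_SIZE = 0x1000  # assumption: anything below the first page is "near NULL"

SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+) \(pc 0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"#(\d+) 0x([0-9a-fA-F]+) in (\S+) (\S+?):(\d+)")
INSN_RE = re.compile(r"<([^+>]+)\+\d+>:\s+(\w+)\s+(.*)")
MEM_RE = re.compile(r"\[(\w+)(?:\+0x([0-9a-fA-F]+))?\]")  # base[+disp] only, no index*scale


def parse_asan(text):
    """Extract fault address, pc and the symbolized frames from an ASan SEGV report."""
    m = SEGV_RE.search(text)
    if not m:
        raise ValueError("no ASan SEGV line found")
    frames = [
        {"n": int(f.group(1)), "pc": int(f.group(2), 16), "func": f.group(3),
         "file": f.group(4), "line": int(f.group(5))}
        for f in FRAME_RE.finditer(text)
    ]
    return {"fault_addr": int(m.group(1), 16), "pc": int(m.group(2), 16), "frames": frames}


def parse_insn(line):
    """Decode an Intel-syntax gdb disassembly line into mnemonic, access kind and memory operand."""
    m = INSN_RE.search(line)
    if not m:
        raise ValueError("unrecognised disassembly line")
    func, mnemonic, operands = m.groups()
    parts = [p.strip() for p in operands.split(",", 1)]
    dst, src = parts[0], (parts[1] if len(parts) > 1 else "")
    # A memory operand in the destination slot means the instruction stores.
    if "[" in dst:
        access, mem = "write", dst
    elif "[" in src:
        access, mem = "read", src
    else:
        access, mem = "none", ""
    mm = MEM_RE.search(mem)
    base = mm.group(1) if mm else None
    disp = int(mm.group(2), 16) if (mm and mm.group(2)) else 0
    return {"func": func, "mnemonic": mnemonic, "access": access, "base": base, "disp": disp}


def triage(asan_text, insn_line, regs):
    """Combine both sources into a crash classification a bug triager can act on."""
    asan = parse_asan(asan_text)
    insn = parse_insn(insn_line)
    fault = asan["fault_addr"]
    near_null = fault < PAGE_SIZE
    # Recompute base+disp from the register dump; if it equals the fault address,
    # the register really is the dereferenced (NULL) struct pointer and disp is the field offset.
    ea = regs.get(insn["base"], None) if insn["base"] else None
    ea_matches = ea is not None and (ea + insn["disp"]) == fault
    if near_null and insn["access"] == "write":
        verdict = "null-pointer-deref-write"
    elif near_null and insn["access"] == "read":
        verdict = "null-pointer-deref-read"
    elif near_null:
        verdict = "near-null-access"
    else:
        verdict = "wild-access"
    return {
        "fault_addr": fault,
        "access": insn["access"],
        "base_reg": insn["base"],
        "field_offset": insn["disp"],
        "near_null": near_null,
        "effective_addr_matches": ea_matches,
        "top_frame": asan["frames"][0] if asan["frames"] else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(ASAN_REPORT, FAULTING_INSN, REGISTERS)
    for k, v in result.items():
        print(f"{k}: {v}")
```

For this report the helper reports a one-byte write at field offset 0x11 through register rax, confirms that rax+0x11 equals the ASan fault address, and classifies the crash as a NULL-pointer dereference write in expand_smacro at preproc.c:4475. That matches the source line shown by gdb (tline->a.mac->in_progress = false with a.mac being NULL) and supports treating the issue as a crash-only denial of service rather than a memory-corruption primitive, which is the distinction that decides severity during triage.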