[Nasm-bugs] [Bug 3392508] New: one invalid memory write(segment fault) in expand_smacro in preproc.c in nasm-2.14rc15

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Wed Aug 22 07:53:50 PDT 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392508

            Bug ID: 3392508
           Summary: one invalid memory write(segment fault) in
                    expand_smacro in preproc.c in nasm-2.14rc15
           Product: NASM
           Version: 2.14 (development)
          Hardware: Undefined
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: 92wyunchao at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411661
  --> https://bugzilla.nasm.us/attachment.cgi?id=411661&action=edit
poc file to trigger the crash

There exsits one invalid memory write(segment fault) in expand_smacro in
preproc.c in nasm-2.14rc15 which allows attackers to cause a denial of service
via a crafted input file.

To reproduce:
nasm -f bin poc -o tmp

ASan:
==51827==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc
0x000000551151 bp 0x7fff06648510 sp 0x7fff06648340 T0)
    #0 0x551150 in expand_smacro /home/s2e/nasm-2.14rc15/asm/preproc.c:4475
    #1 0x52d372 in pp_getline /home/s2e/nasm-2.14rc15/asm/preproc.c:5248
    #2 0x4ed8ce in assemble_file /home/s2e/nasm-2.14rc15/asm/nasm.c:1435
    #3 0x4ed8ce in main /home/s2e/nasm-2.14rc15/asm/nasm.c:566
    #4 0x7fdf10c1a82f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x4190f8 in _start (/home/s2e/nasm-2.14rc15/tmp/bin/nasm+0x4190f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/nasm-2.14rc15/asm/preproc.c:4475 in
expand_smacro
==51827==ABORTING

gdb output:
RAX: 0x0 
RBX: 0x7ffff7f79730 --> 0x7ffff7f79710 --> 0x7ffff7f796f0 --> 0x7ffff7f796d0
--> 0x7ffff7f796b0 --> 0x7ffff7f79690 (--> ...)
RCX: 0x79add0 --> 0x0 
RDX: 0x79add0 --> 0x0 
RSI: 0x0 
RDI: 0xff 
RBP: 0x7ffff7f79630 --> 0x7ffff7f79650 --> 0x7ffff7f79610 --> 0x7ffff7f795f0
--> 0x7ffff7f795d0 --> 0x7ffff7f795b0 (--> ...)
RSP: 0x7fffffffd940 --> 0x4bd920 --> 0x2c800000088 
RIP: 0x43c191 (<expand_smacro+5713>:    mov    BYTE PTR [rax+0x11],0x0)
R8 : 0x79add0 --> 0x0 
R9 : 0xfffffffffffffffc 
R10: 0x22 ('"')
R11: 0x246 
R12: 0x0 
R13: 0x0 
R14: 0xf41dc 
R15: 0xfffffffffffffffc
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x43c182 <expand_smacro+5698>:       inc    BYTE PTR [rcx+rax*1]
   0x43c185 <expand_smacro+5701>:       mov    DWORD PTR fs:[r15],0x6bd0
   0x43c18d <expand_smacro+5709>:       mov    rax,QWORD PTR [rbp+0x10]
=> 0x43c191 <expand_smacro+5713>:       mov    BYTE PTR [rax+0x11],0x0
   0x43c195 <expand_smacro+5717>:       mov    rbx,QWORD PTR [rbp+0x0]
   0x43c199 <expand_smacro+5721>:       mov    rdi,QWORD PTR [rbp+0x8]
   0x43c19d <expand_smacro+5725>:       call   0x409510 <nasm_free>
   0x43c1a2 <expand_smacro+5730>:       mov    rax,QWORD PTR [rip+0x35a797]    
   # 0x796940 <freeTokens>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd940 --> 0x4bd920 --> 0x2c800000088 
0008| 0x7fffffffd948 --> 0x7de160 --> 0x31 ('1')
0016| 0x7fffffffd950 --> 0x0 
0024| 0x7fffffffd958 --> 0x10 
0032| 0x7fffffffd960 --> 0x100000000 
0040| 0x7fffffffd968 --> 0x7de9a0 --> 0x7ffff7dd1b78 --> 0x7dece0 --> 0x0 
0048| 0x7fffffffd970 --> 0xf41e4 
0056| 0x7fffffffd978 --> 0x7de240 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000043c191 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
4475                tline->a.mac->in_progress = false;
gdb-peda$ bt
#0  0x000000000043c191 in expand_smacro (tline=<optimized out>) at
asm/preproc.c:4475
#1  0x0000000000426667 in pp_getline () at asm/preproc.c:5248
#2  0x0000000000404269 in assemble_file (fname=<optimized out>,
depend_ptr=<optimized out>) at asm/nasm.c:1435
#3  main (argc=<optimized out>, argv=<optimized out>,
argv at entry=0x7fffffffdd78) at asm/nasm.c:566
#4  0x00007ffff7a2d830 in __libc_start_main (main=0x4021b0 <main>, argc=0x6,
argv=0x7fffffffdd78, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdd68) at ../csu/libc-start.c:291
#5  0x0000000000401d49 in _start ()

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.


More information about the Nasm-bugs mailing list