[Nasm-bugs] [Bug 3392500] New: stack buffer underflow in asm/float.c, line 612
noreply-nasm at gorcunov.org
Wed Jul 25 01:41:47 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392500
Bug ID: 3392500
Summary: stack buffer underflow in asm/float.c, line 612
Product: NASM
Version: 2.14 (development)
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: bugs at feusi.co
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411655
--> https://bugzilla.nasm.us/attachment.cgi?id=411655&action=edit
file which causes underflow
Hi, I am working on a project in which I use the honggfuzz fuzzer to find bugs
in open-source software and I decided to fuzz nasm. In doing so, I discovered a
stack buffer underflow in asm/float.c, line 612. Although I have not run any
tests, I believe it is caused by accessing a negative index in the array on
that line. Following is a backtrace as supplied by the address sanitizer:
=================================================================
==19767==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffda004bef4 at pc 0x0000005d9134 bp 0x7ffda004be50 sp 0x7ffda004be48
READ of size 4 at 0x7ffda004bef4 thread T0
#0 0x5d9133 in ieee_shr /home/jfe/nasm/asm/float.c:612:13
#1 0x5d58cd in to_float /home/jfe/nasm/asm/float.c:832:9
#2 0x542304 in parse_line /home/jfe/nasm/asm/parser.c:689:22
#3 0x51908a in assemble_file /home/jfe/nasm/asm/nasm.c:1447:13
#4 0x516f45 in main /home/jfe/nasm/asm/nasm.c:566:9
#5 0x7fb805b3ca86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#6 0x41dab9 in _start (/home/jfe/nasm/nasm+0x41dab9)
Address 0x7ffda004bef4 is located in stack of thread T0 at offset 20 in frame
#0 0x5d4dff in to_float /home/jfe/nasm/asm/float.c:720
This frame has 2 object(s):
[32, 56) 'mant' (line 721) <== Memory access at offset 20 underflows this variable
[96, 100) 'exponent' (line 722)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /home/jfe/nasm/asm/float.c:612:13 in ieee_shr
Shadow bytes around the buggy address:
0x100034001780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034001790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340017a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340017b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340017c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000340017d0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1[f1]f1
0x1000340017e0: 00 00 00 f2 f2 f2 f2 f2 04 f3 f3 f3 00 00 00 00
0x1000340017f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034001800: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100034001810: 00 00 f2 f2 f8 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
0x100034001820: f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19767==ABORTING
This bug can be reproduced by calling "nasm /dev/stdin -o /dev/null<min" where
min is the attached file. However, it is only visible when compiled with the
address sanitizer.
cheers
project-repo
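Editor's note: the report above does not analyse the root cause, only that the read in ieee_shr lands 12 bytes (three 32-bit words) below the 24-byte 'mant' object. The following is an added illustration of the defect class, not NASM's code and not a claim about how asm/float.c is written. It assumes a hypothetical mantissa of six 32-bit words (chosen only because 6 x 4 = 24 bytes), word 0 most significant, and shows a multiword right shift whose source index `i - ws` is never checked for going negative, next to a version that bounds both the shift count and every index. The function names, MANT_WORDS and the probe helper are all inventions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 6 x 32-bit words = 24 bytes, the size of the 'mant' stack
 * object in the ASan frame above. Illustrative layout only; it is not how
 * NASM represents its mantissa. */
#define MANT_WORDS 6
#define MANT_BITS  (32 * MANT_WORDS)

/* The precondition a shift routine has to enforce itself: a count outside
 * [0, MANT_BITS) either means "everything shifted out" or is a caller bug,
 * and in neither case may it be turned into an array index. */
bool shift_in_range(int n)
{
    return n >= 0 && n < MANT_BITS;
}

/* UNSAFE pattern (hypothetical). Word 0 is the most significant word, so a
 * right shift moves data toward higher indices: result word i is built from
 * input words (i - ws) and (i - ws - 1). The carry read is guarded, the main
 * read is not. For n < 32 (ws == 0) every index is >= 0 and the routine is
 * correct; for n >= 32 out[0] reads mant[-ws], i.e. ws words below the start
 * of the array, which is what ASan reports as a stack-buffer-underflow.
 * Shown only for the shape of the bug; never call it with n >= 32. */
void mant_shr_unchecked(uint32_t mant[MANT_WORDS], int n)
{
    int ws = n / 32, bs = n % 32;
    uint32_t out[MANT_WORDS] = {0};
    for (int i = 0; i < MANT_WORDS; i++) {
        int src = i - ws;                       /* negative for i < ws: never checked */
        uint32_t hi = mant[src];
        uint32_t lo = (bs && src > 0) ? mant[src - 1] << (32 - bs) : 0;
        out[i] = (hi >> bs) | lo;
    }
    memcpy(mant, out, sizeof out);
}

/* Triage arithmetic for the unchecked routine: the lowest index it would
 * dereference for an n-bit shift (n >= 0). A negative value is a read that
 * many words below 'mant'; the carry read is already guarded by src > 0. */
int lowest_index_touched(int n)
{
    int ws = n / 32;
    return ws > 0 ? -ws : 0;
}

/* Hardened version: saturate the count and start the loop at ws so that the
 * source index can never be negative. n <= 0 leaves the value unchanged (a
 * negative count is a caller bug a real implementation would assert on). */
void mant_shr(uint32_t mant[MANT_WORDS], int n)
{
    if (n <= 0)
        return;
    if (n >= MANT_BITS) {                       /* every bit shifted out */
        memset(mant, 0, sizeof(uint32_t) * MANT_WORDS);
        return;
    }
    int ws = n / 32, bs = n % 32;
    uint32_t out[MANT_WORDS] = {0};
    for (int i = ws; i < MANT_WORDS; i++) {     /* i >= ws, so src >= 0 */
        int src = i - ws;
        uint32_t hi = mant[src];
        uint32_t lo = (bs && src > 0) ? mant[src - 1] << (32 - bs) : 0;
        out[i] = (hi >> bs) | lo;
    }
    memcpy(mant, out, sizeof out);
}

/* Probe for checks: place 'value' in word 'set_word' of an otherwise zero
 * mantissa, shift right by n with the hardened routine, return word 'read_word'. */
uint32_t shr_probe(int set_word, uint32_t value, int n, int read_word)
{
    uint32_t mant[MANT_WORDS] = {0};
    mant[set_word] = value;
    mant_shr(mant, n);
    return mant[read_word];
}

int main(void)
{
    printf("0x80000000 >> 33 lands in word 1 as 0x%08x\n",
           shr_probe(0, 0x80000000u, 33, 1));
    printf("unchecked shift by 96 would read index %d\n",
           lowest_index_touched(96));
    return 0;
}
```

Build with `-fsanitize=address -g` (gcc or clang) to get the same kind of frame dump as in the report; without ASan the negative read in the unchecked variant silently returns whatever the neighbouring stack slot holds, which is why the reporter only sees the bug under the sanitizer. In this invented layout a shift of 96 to 127 bits reads three words below the array, the same distance as the offset-20 access against the [32, 56) object above; whether NASM's shift count is the actual trigger is not something the report establishes.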