[Nasm-bugs] [Bug 3392501] New: stack buffer overflow in disasm/disasm.c, line 571
noreply-nasm at gorcunov.org
noreply-nasm at gorcunov.org
Wed Jul 25 02:20:17 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392501
Bug ID: 3392501
Summary: stack buffer overflow in disasm/disasm.c, line 571
Product: NASM
Version: 2.14 (development)
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Disassembler
Assignee: nobody at nasm.us
Reporter: bugs at feusi.co
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411656
--> https://bugzilla.nasm.us/attachment.cgi?id=411656&action=edit
file which causes overflow
Hi, when fuzzing the disassembler with honggfuzz, I discovered a stack buffer
overflow in disasm.c, on line 571. Following is a detailed backtrace as
supplied by the address sanitizer:
=================================================================
==640==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc6090bc0
at pc 0x5596a2d6cffd bp 0x7ffcc60902f0 sp 0x7ffcc60902e8
READ of size 2 at 0x7ffcc6090bc0 thread T0
#0 0x5596a2d6cffc in matches disasm/disasm.c:571
#1 0x5596a2d6cffc in disasm disasm/disasm.c:1303
#2 0x5596a2d52e54 in main disasm/ndisasm.c:319
#3 0x7f67f86bca86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#4 0x5596a2d55209 in _start (/home/jfe/nasm/ndisasm+0xb9209)
Address 0x7ffcc6090bc0 is located in stack of thread T0 at offset 352 in frame
#0 0x5596a2d5156f in main disasm/ndisasm.c:81
This frame has 6 object(s):
[32, 33) 'rn_error'
[96, 100) 'synclen'
[160, 168) 'ep'
[224, 240) 'prefer'
[288, 352) 'buffer' <== Memory access at offset 352 overflows this variable
[384, 640) 'outbuf'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow disasm/disasm.c:571 in matches
Shadow bytes around the buggy address:
0x100018c0a120: 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 00
0x100018c0a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100018c0a140: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100018c0a150: 01 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2
0x100018c0a160: 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2
=>0x100018c0a170: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
0x100018c0a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100018c0a190: 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
0x100018c0a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100018c0a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100018c0a1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==640==ABORTING
This bug can be reproduced by running "ndisasm /dev/stdin < min" where min is
the attached file. However it is only visible when ndisasm is compiled with the
address sanitizer.
--
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.
More information about the Nasm-bugs
mailing list