[Nasm-bugs] [Bug 3392531] New: There is a heap-use-after-free at asm/preproc.c:5055(function:pp_getline) in nasm2.14rc16 that will cause dos attack.
noreply-nasm at gorcunov.org
noreply-nasm at gorcunov.org
Sun Nov 18 17:29:45 PST 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392531
Bug ID: 3392531
Summary: There is a heap-use-after-free at
asm/preproc.c:5055(function:pp_getline) in
nasm2.14rc16 that will cause dos attack.
Product: NASM
Version: 2.14 (development)
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: ganshuitao at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411690
--> https://bugzilla.nasm.us/attachment.cgi?id=411690&action=edit
Trigger by"./nasm -f bin POC8 -o xxx"
version:nasm2.14rc16
Summary:
There is a heap-use-after-free at asm/preproc.c:5055(function:pp_getline) in
nasm2.14rc16 that will cause dos attack.
Description:
The ubsan debug is as follows:
$./nasm -f bin POC8 -o xxx
=================================================================
=================================================================
==113343==ERROR: AddressSanitizer: heap-use-after-free on address
0x60f00000d430 at pc 0x00000044769e bp 0x7ffe333a6c90 sp 0x7ffe333a6c80
READ of size 8 at 0x60f00000d430 thread T0
#0 0x44769d in pp_getline asm/preproc.c:5055
#1 0x40d791 in assemble_file asm/nasm.c:1442
#2 0x40640d in main asm/nasm.c:573
#3 0x7feb98dbea3f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#4 0x4072f8 in _start
(/home/company/real_sanitize/poc_check/nasm/nasm_new_addr+0x4072f8)
0x60f00000d430 is located 16 bytes inside of 176-byte region
[0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
#0 0x7feb992006aa in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
#1 0x443fa0 in free_mmacro asm/preproc.c:630
#2 0x443fa0 in do_directive asm/preproc.c:2957
previously allocated by thread T0 here:
#0 0x7feb99200b49 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98b49)
#1 0x40e4e0 in nasm_zalloc nasmlib/malloc.c:69
#2 0x4bd707
(/home/company/real_sanitize/poc_check/nasm/nasm_new_addr+0x4bd707)
SUMMARY: AddressSanitizer: heap-use-after-free asm/preproc.c:5055 pp_getline
Shadow bytes around the buggy address:
0x0c1e7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e7fff9a80: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c1e7fff9a90: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c1e7fff9aa0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff9ab0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c1e7fff9ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff9ad0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==113343==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list