[Nasm-bugs] [Bug 3392525] New: There is a heap-buffer-overflow expand_mmac_params in nasm2.14rc16.

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Mon Oct 29 04:17:25 PDT 2018 

https://bugzilla.nasm.us/show_bug.cgi?id=3392525

            Bug ID: 3392525
           Summary: There is a heap-buffer-overflow expand_mmac_params in
                    nasm2.14rc16.
           Product: NASM
           Version: 2.14 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: critical
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: ganshuitao at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411685
  --> https://bugzilla.nasm.us/attachment.cgi?id=411685&action=edit
Trigger by"./nasm_asan -f bin POC4 -o xxx"

version:nasm2.14rc16
Summary: 

There is a heap-buffer-overflow expand_mmac_params in nasm2.14rc16. 

Description:

The asan debug is as follows:

$./nasm -f bin POC4 -o xxx

=================================================================
==65197==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000005e91 at pc 0x000000439142 bp 0x7fff4a4665a0 sp 0x7fff4a466590
READ of size 1 at 0x602000005e91 thread T0
    #0 0x439141 in expand_mmac_params asm/preproc.c:4008
    #1 0x444fba in pp_getline asm/preproc.c:5207
    #2 0x40d791 in assemble_file asm/nasm.c:1442
    #3 0x40640d in main asm/nasm.c:573
    #4 0x7f15db016a3f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #5 0x4072f8 in _start
(/home/company/real_sanitize/poc_check/nasm/nasm_new_addr+0x4072f8)

0x602000005e91 is located 0 bytes to the right of 1-byte region
[0x602000005e90,0x602000005e91)
allocated by thread T0 here:
    #0 0x7f15db4589aa in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x40e478 in nasm_malloc nasmlib/malloc.c:59

SUMMARY: AddressSanitizer: heap-buffer-overflow asm/preproc.c:4008
expand_mmac_params
Shadow bytes around the buggy address:
  0x0c047fff8b80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8ba0: fa fa 02 fa fa fa 02 fa fa fa 00 fa fa fa 02 fa
  0x0c047fff8bb0: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 03 fa
  0x0c047fff8bc0: fa fa 03 fa fa fa 03 fa fa fa 03 fa fa fa 07 fa
=>0x0c047fff8bd0: fa fa[01]fa fa fa fd fd fa fa 02 fa fa fa fd fa
  0x0c047fff8be0: fa fa fd fa fa fa 06 fa fa fa 06 fa fa fa 02 fa
  0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
  0x0c047fff8c10: fa fa 00 fa fa fa 06 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8c20: fa fa 06 fa fa fa 02 fa fa fa 04 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe

-- 
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.

More information about the Nasm-bugs mailing list