[Nasm-bugs] [Bug 3392636] New: Heap-buffer-overflow in preproc.c
noreply-nasm at dev.nasm.us
Sun Dec 8 19:16:26 PST 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392636
Bug ID: 3392636
Summary: Heap-buffer-overflow in preproc.c
Product: NASM
Version: 2.15 (development)
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: bit.mejeff at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411750
--> https://bugzilla.nasm.us/attachment.cgi?id=411750&action=edit
File leading to crash
While fuzzing nasm with the command "nasm -felf64 poc.asm", a heap-buffer-overflow in preproc.c was found.
ASan report:
```
=================================================================
==14820==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000b7bb at pc 0x7fd761747935 bp 0x7ffde5b49bf0 sp 0x7ffde5b49398
READ of size 11 at 0x60200000b7bb thread T0
#0 0x7fd761747934 in __asan_memcpy
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x423729 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x423729 in set_text_free asm/preproc.c:387
#3 0x429df8 in expand_one_smacro asm/preproc.c:5338
#4 0x42a4f2 in expand_smacro_noreset asm/preproc.c:5474
#5 0x42a6c0 in expand_smacro asm/preproc.c:5431
#6 0x4344ee in pp_tokline asm/preproc.c:6415
#7 0x4344ee in pp_getline asm/preproc.c:6428
#8 0x405cc6 in assemble_file asm/nasm.c:1630
#9 0x4071c9 in main asm/nasm.c:637
#10 0x7fd76131182f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x4024d8 in _start (nasm+0x4024d8)
0x60200000b7bb is located 0 bytes to the right of 11-byte region
[0x60200000b7b0,0x60200000b7bb)
allocated by thread T0 here:
#0 0x7fd761753602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4082a8 in nasm_malloc nasmlib/alloc.c:55
#2 0x429ccd in expand_one_smacro asm/preproc.c:5334
#3 0x42a4f2 in expand_smacro_noreset asm/preproc.c:5474
#4 0x42a6c0 in expand_smacro asm/preproc.c:5431
#5 0x4344ee in pp_tokline asm/preproc.c:6415
#6 0x4344ee in pp_getline asm/preproc.c:6428
#7 0x405cc6 in assemble_file asm/nasm.c:1630
#8 0x4071c9 in main asm/nasm.c:637
#9 0x7fd76131182f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff96d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff96e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff96f0: fa fa fa fa fa fa 00[03]fa fa fd fd fa fa 00 03
0x0c047fff9700: fa fa fd fd fa fa fd fa fa fa 00 fa fa fa 00 fa
0x0c047fff9710: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9720: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 fa
0x0c047fff9730: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9740: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14820==ABORTING
```
Valgrind report:
```
==2201== Memcheck, a memory error detector
==2201== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2201== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2201== Command: nasm -felf64 poc.asm
==2201==
poc.asm:3: error: label or instruction expected at start of line
poc.asm:5: error: label or instruction expected at start of line
poc.asm:6: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:7: warning: unterminated string [-w+other]
poc.asm:7: error: parser: instruction expected
poc.asm:9: error: parser: instruction expected
poc.asm:10: error: label or instruction expected at start of line
poc.asm:12: error: label or instruction expected at start of line
poc.asm:13: error: label or instruction expected at start of line
poc.asm:16: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:17: error: label or instruction expected at start of line
poc.asm:18: error: label or instruction expected at start of line
poc.asm:19: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:22: error: parser: instruction expected
poc.asm:24: warning: unterminated string [-w+other]
poc.asm:24: error: label or instruction expected at start of line
poc.asm:25: error: parser: instruction expected
poc.asm:29: error: label or instruction expected at start of line
poc.asm:30: error: parser: instruction expected
poc.asm:31: error: label or instruction expected at start of line
poc.asm:32: error: parser: instruction expected
poc.asm:33: error: label or instruction expected at start of line
poc.asm:34: error: label or instruction expected at start of line
poc.asm:35: error: label or instruction expected at start of line
poc.asm:36: error: parser: instruction expected
poc.asm:38: error: label or instruction expected at start of line
poc.asm:39: error: parser: instruction expected
poc.asm:40: error: label or instruction expected at start of line
poc.asm:41: error: label or instruction expected at start of line
poc.asm:43: error: label or instruction expected at start of line
poc.asm:44: error: label or instruction expected at start of line
poc.asm:45: error: label or instruction expected at start of line
poc.asm:46: error: parser: instruction expected
poc.asm:47: error: parser: instruction expected
poc.asm:49: error: label or instruction expected at start of line
poc.asm:53: error: label or instruction expected at start of line
poc.asm:55: error: label or instruction expected at start of line
poc.asm:56: error: label or instruction expected at start of line
poc.asm:57: error: parser: instruction expected
poc.asm:58: warning: unterminated string [-w+other]
poc.asm:58: error: parser: instruction expected
poc.asm:59: error: parser: instruction expected
poc.asm:61: error: unterminated %! string
poc.asm:61: error: control character in string not allowed here
poc.asm:61: warning: nonexistent environment variable ` ?00^001'
[-w+environment]
poc.asm:61: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:65: error: label or instruction expected at start of line
poc.asm:66: error: label or instruction expected at start of line
poc.asm:68: error: parser: instruction expected
poc.asm:69: error: label or instruction expected at start of line
poc.asm:71: error: label or instruction expected at start of line
poc.asm:72: error: label or instruction expected at start of line
poc.asm:74: error: parser: instruction expected
poc.asm:75: error: parser: instruction expected
poc.asm:76: error: label `' inconsistently redefined
poc.asm:9: info: label `' originally defined here
poc.asm:76: error: parser: instruction expected
poc.asm:78: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:79: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:80: error: parser: instruction expected
poc.asm:83: error: parser: instruction expected
poc.asm:84: error: label or instruction expected at start of line
poc.asm:85: warning: unterminated string [-w+other]
==2201== Invalid read of size 8
==2201== at 0x411330: memcpy (string3.h:53)
==2201== by 0x411330: set_text_free (preproc.c:387)
==2201== by 0x414060: expand_one_smacro (preproc.c:5338)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201== Address 0x52bafea is 10 bytes inside a block of size 11 alloc'd
==2201== at 0x4C2DE96: malloc (vg_replace_malloc.c:309)
==2201== by 0x4054BB: nasm_malloc (alloc.c:55)
==2201== by 0x41422D: expand_one_smacro (preproc.c:5334)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201==
==2201== Invalid read of size 8
==2201== at 0x411340: memcpy (string3.h:53)
==2201== by 0x411340: set_text_free (preproc.c:387)
==2201== by 0x414060: expand_one_smacro (preproc.c:5338)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201== Address 0x52bafed is 2 bytes after a block of size 11 alloc'd
==2201== at 0x4C2DE96: malloc (vg_replace_malloc.c:309)
==2201== by 0x4054BB: nasm_malloc (alloc.c:55)
==2201== by 0x41422D: expand_one_smacro (preproc.c:5334)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201==
==2201== Invalid free() / delete / delete[] / realloc()
==2201== at 0x4C2EF90: free (vg_replace_malloc.c:540)
==2201== by 0x411303: set_text_free (preproc.c:388)
==2201== by 0x414060: expand_one_smacro (preproc.c:5338)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201== Address 0x52bafea is 10 bytes inside a block of size 11 alloc'd
==2201== at 0x4C2DE96: malloc (vg_replace_malloc.c:309)
==2201== by 0x4054BB: nasm_malloc (alloc.c:55)
==2201== by 0x41422D: expand_one_smacro (preproc.c:5334)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201==
poc.asm:85: error: invalid directive line
poc.asm:86: error: label or instruction expected at start of line
poc.asm:88: error: label or instruction expected at start of line
poc.asm:89: error: label or instruction expected at start of line
poc.asm:90: error: label or instruction expected at start of line
poc.asm:91: error: parser: instruction expected
poc.asm:93: error: parser: instruction expected
poc.asm:94: error: label or instruction expected at start of line
poc.asm:95: error: label or instruction expected at start of line
poc.asm:100: error: label or instruction expected at start of line
poc.asm:102: warning: unterminated string [-w+other]
poc.asm:102: error: parser: instruction expected
poc.asm:103: warning: label alone on a line without a colon might be in error
[-w+label-orphan]
poc.asm:104: error: label or instruction expected at start of line
poc.asm:106: error: label or instruction expected at start of line
poc.asm:107: error: comma, colon, decorator or end of line expected after
operand
poc.asm:107: error: comma, colon, decorator or end of line expected after
operand
poc.asm:108: error: label or instruction expected at start of line
poc.asm:109: error: label or instruction expected at start of line
poc.asm:110: error: parser: instruction expected
==2201==
==2201== HEAP SUMMARY:
==2201== in use at exit: 246,343 bytes in 27 blocks
==2201== total heap usage: 1,145 allocs, 1,119 frees, 707,896 bytes allocated
==2201==
==2201== 11 bytes in 1 blocks are definitely lost in loss record 9 of 25
==2201== at 0x4C2DE96: malloc (vg_replace_malloc.c:309)
==2201== by 0x4054BB: nasm_malloc (alloc.c:55)
==2201== by 0x41422D: expand_one_smacro (preproc.c:5334)
==2201== by 0x4147A9: expand_smacro_noreset (preproc.c:5474)
==2201== by 0x419015: expand_smacro (preproc.c:5431)
==2201== by 0x419015: pp_tokline (preproc.c:6415)
==2201== by 0x419015: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201==
==2201== 24 bytes in 3 blocks are definitely lost in loss record 10 of 25
==2201== at 0x4C2DE96: malloc (vg_replace_malloc.c:309)
==2201== by 0x4054BB: nasm_malloc (alloc.c:55)
==2201== by 0x4055C0: nasm_strdup (alloc.c:117)
==2201== by 0x419205: expand_mmacro (preproc.c:5927)
==2201== by 0x419205: pp_tokline (preproc.c:6416)
==2201== by 0x419205: pp_getline (preproc.c:6428)
==2201== by 0x4048F9: assemble_file (nasm.c:1630)
==2201== by 0x4025A4: main (nasm.c:637)
==2201==
==2201== LEAK SUMMARY:
==2201== definitely lost: 35 bytes in 4 blocks
==2201== indirectly lost: 0 bytes in 0 blocks
==2201== possibly lost: 0 bytes in 0 blocks
==2201== still reachable: 246,308 bytes in 23 blocks
==2201== suppressed: 0 bytes in 0 blocks
==2201== Reachable blocks (those to which a pointer was found) are not shown.
==2201== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2201==
==2201== For lists of detected and suppressed errors, rerun with: -s
==2201== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
```