[Nasm-bugs] [Bug 3392638] New: A stack overflow was discovered in the function expr3 in asm/eval.c through nasm-2.14.02
noreply-nasm at dev.nasm.us
Sun Dec 8 22:38:43 PST 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392638
Bug ID: 3392638
Summary: A stack overflow was discovered in the function expr3
in asm/eval.c through nasm-2.14.02
Product: NASM
Version: 2.14.xx
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: binbinli.bit at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411752
--> https://bugzilla.nasm.us/attachment.cgi?id=411752&action=edit
PoC to trigger the Segmentation fault
This stack overflow was discovered in asm/eval.c when we were fuzzing nasm
(release build 2.14.02).
(gdb) file nasm
Reading symbols from nasm...done.
(gdb) run -felf ./input/seed1
Starting program: /home/lbb/afl-experient/Tests/ASAN/nasm-2.14.02/nasm -felf
./input/seed1
Program received signal SIGSEGV, Segmentation fault.
expr2 (critical=critical at entry=0) at asm/eval.c:482
482 e = expr3(critical);
(gdb) info stack
#0 expr2 (critical=critical at entry=0) at asm/eval.c:482
#1 0x0000000000422941 in expr1 (critical=critical at entry=0) at asm/eval.c:456
#2 0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
#3 0x0000000000420233 in expr6 (critical=critical at entry=0) at asm/eval.c:857
#4 0x0000000000421139 in expr5 (critical=critical at entry=0) at asm/eval.c:567
#5 0x000000000042201c in expr4 (critical=critical at entry=0) at asm/eval.c:542
#6 0x0000000000422101 in expr3 (critical=critical at entry=0) at asm/eval.c:508
#7 0x00000000004225c1 in expr2 (critical=critical at entry=0) at asm/eval.c:482
#8 0x0000000000422941 in expr1 (critical=critical at entry=0) at asm/eval.c:456
#9 0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
...
In addition, we used AddressSanitizer to print the stack information. ASAN dumps
the stack trace as follows:
@root ./nasm -felf ./input/seed1
ASAN:SIGSEGV
=================================================================
==25297==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd73117f78 (pc
0x000000453306 bp 0x0fffae622ff2 sp 0x7ffd73117f70 T0)
#0 0x453305 in stdscan asm/stdscan.c:130
#1 0x44c993 in expr6 asm/eval.c:856
#2 0x44e39e in expr5 asm/eval.c:567
#3 0x44fa8a in expr4 asm/eval.c:542
#4 0x44fbd0 in expr3 asm/eval.c:508
#5 0x45027a in expr2 asm/eval.c:482
#6 0x45072a in expr1 asm/eval.c:456
#7 0x450bda in expr0 asm/eval.c:430
#8 0x44c9a2 in expr6 asm/eval.c:857
#9 0x44e39e in expr5 asm/eval.c:567
#10 0x44fa8a in expr4 asm/eval.c:542
#11 0x44fbd0 in expr3 asm/eval.c:508
#12 0x45027a in expr2 asm/eval.c:482
#13 0x45072a in expr1 asm/eval.c:456
#14 0x450bda in expr0 asm/eval.c:430
#15 0x44c9a2 in expr6 asm/eval.c:857
#16 0x44e39e in expr5 asm/eval.c:567
...
#249 0x44fbd0 in expr3 asm/eval.c:508
#250 0x45027a in expr2 asm/eval.c:482
#251 0x45072a in expr1 asm/eval.c:456
SUMMARY: AddressSanitizer: stack-overflow asm/stdscan.c:130 stdscan
==25297==ABORTING
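The traces above show the expression parser re-entering itself (expr0 -> expr6 -> expr0 ...) until the stack is gone. As an added example, not NASM's code, here is a minimal recursive-descent evaluator shaped like that chain with a nesting-depth guard, so over-nested parentheses come back as an error instead of a SIGSEGV; the grammar, MAX_DEPTH and all function names are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_DEPTH 256   /* assumed nesting budget; keep it well inside the thread's stack */
enum { ERR_SYNTAX = 1, ERR_DEPTH = 2 };
struct parser { const char *p; int depth; int error; };
static long parse_expr(struct parser *ps);

/* term := number | '(' expr ')'  -- the re-entry that makes the chain recursive */
static long parse_term(struct parser *ps)
{
    if (*ps->p == '(') {
        if (ps->depth >= MAX_DEPTH) { ps->error = ERR_DEPTH; return 0; } /* refuse before the stack does */
        ps->depth++; ps->p++;
        long v = parse_expr(ps);
        ps->depth--;
        if (!ps->error && *ps->p != ')') ps->error = ERR_SYNTAX;
        if (ps->error) return 0;
        ps->p++;
        return v;
    }
    char *end; long v = strtol(ps->p, &end, 10);   /* plain decimal literal */
    if (end == ps->p) ps->error = ERR_SYNTAX;
    ps->p = end; return v;
}

/* expr := term ('+' term)* ; stops as soon as an error is flagged */
static long parse_expr(struct parser *ps)
{
    long v = parse_term(ps);
    while (!ps->error && *ps->p == '+') { ps->p++; v += parse_term(ps); }
    return v;
}

/* Returns 0 and stores the value, or ERR_SYNTAX / ERR_DEPTH; never crashes on deep input. */
int eval_bounded(const char *src, long *out)
{
    struct parser ps = { src, 0, 0 };
    long v = parse_expr(&ps);
    if (ps.error) return ps.error;
    if (*ps.p != '\0') return ERR_SYNTAX;
    *out = v; return 0;
}

/* Constructed input: n '(' around "0", then n ')'; lets a test probe the guard directly. */
int eval_nested(int n, long *out)
{
    char *buf = malloc((size_t)2 * n + 2);
    if (!buf) return ERR_SYNTAX;
    memset(buf, '(', (size_t)n); buf[n] = '0'; memset(buf + n + 1, ')', (size_t)n); buf[2 * n + 1] = '\0';
    int rc = eval_bounded(buf, out); free(buf);
    return rc;
}
```

The same idea applies to any mutually recursive parser: count nesting on the way in and fail closed at a fixed limit, which also gives a fuzzer a clean error path instead of a crash to triage.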