[Nasm-bugs] [Bug 3392638] New: A StackOverflow was discovered in the function expr3 in asm/eval.c through nasm-2.14.02

noreply-nasm at dev.nasm.us
Sun Dec 8 22:38:43 PST 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392638

            Bug ID: 3392638
           Summary: A StackOverflow was discovered in the function expr3
                    in asm/eval.c through nasm-2.14.02
           Product: NASM
           Version: 2.14.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: binbinli.bit at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411752
  --> https://bugzilla.nasm.us/attachment.cgi?id=411752&action=edit
PoC to trigger the Segmentation fault

This stack overflow was discovered in asm/eval.c when we were fuzzing nasm
(release builds 2.14.02).

(gdb) file nasm
Reading symbols from nasm...done.
(gdb) run -felf ./input/seed1
Starting program: /home/lbb/afl-experient/Tests/ASAN/nasm-2.14.02/nasm -felf
./input/seed1
Program received signal SIGSEGV, Segmentation fault.
expr2 (critical=critical at entry=0) at asm/eval.c:482
482     e = expr3(critical);

(gdb) info stack
#0  expr2 (critical=critical at entry=0) at asm/eval.c:482
#1  0x0000000000422941 in expr1 (critical=critical at entry=0) at asm/eval.c:456
#2  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
#3  0x0000000000420233 in expr6 (critical=critical at entry=0) at asm/eval.c:857
#4  0x0000000000421139 in expr5 (critical=critical at entry=0) at asm/eval.c:567
#5  0x000000000042201c in expr4 (critical=critical at entry=0) at asm/eval.c:542
#6  0x0000000000422101 in expr3 (critical=critical at entry=0) at asm/eval.c:508
#7  0x00000000004225c1 in expr2 (critical=critical at entry=0) at asm/eval.c:482
#8  0x0000000000422941 in expr1 (critical=critical at entry=0) at asm/eval.c:456
#9  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
...


In addition, we used AddressSanitizer to print the stack information. ASAN dumps
the stack trace as follows:

@root ./nasm -felf ./input/seed1
ASAN:SIGSEGV
=================================================================
==25297==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd73117f78 (pc
0x000000453306 bp 0x0fffae622ff2 sp 0x7ffd73117f70 T0)
    #0 0x453305 in stdscan asm/stdscan.c:130
    #1 0x44c993 in expr6 asm/eval.c:856
    #2 0x44e39e in expr5 asm/eval.c:567
    #3 0x44fa8a in expr4 asm/eval.c:542
    #4 0x44fbd0 in expr3 asm/eval.c:508
    #5 0x45027a in expr2 asm/eval.c:482
    #6 0x45072a in expr1 asm/eval.c:456
    #7 0x450bda in expr0 asm/eval.c:430
    #8 0x44c9a2 in expr6 asm/eval.c:857
    #9 0x44e39e in expr5 asm/eval.c:567
    #10 0x44fa8a in expr4 asm/eval.c:542
    #11 0x44fbd0 in expr3 asm/eval.c:508
    #12 0x45027a in expr2 asm/eval.c:482
    #13 0x45072a in expr1 asm/eval.c:456
    #14 0x450bda in expr0 asm/eval.c:430
    #15 0x44c9a2 in expr6 asm/eval.c:857
    #16 0x44e39e in expr5 asm/eval.c:567
    ...
    #249 0x44fbd0 in expr3 asm/eval.c:508
    #250 0x45027a in expr2 asm/eval.c:482
    #251 0x45072a in expr1 asm/eval.c:456

SUMMARY: AddressSanitizer: stack-overflow asm/stdscan.c:130 stdscan
==25297==ABORTING

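An added illustration, not NASM's code and not the project's fix for this bug: a small C recursive-descent parser with the same re-entrant shape the traces above show (the innermost level, expr6, calls back into the top level, expr0, so one more level of nesting in the input costs a full cycle of stack frames), plus a hypothetical nesting limit (MAX_DEPTH) so that pathologically nested input is rejected with an error instead of exhausting the stack. The grammar, the names eval_or and nesting_ok, and the choice of '(' as the re-entry token are assumptions of this example; the intermediate expr1..expr5 levels are elided.

```c
/* Added illustration (not NASM's code): a recursive-descent parser shaped like
 * the expr0..expr6 chain above, where the innermost level re-enters the top
 * level on '('. A depth counter makes "(((...)))" input fail cleanly instead
 * of overflowing the stack. MAX_DEPTH is a hypothetical limit. */
#include <ctype.h>
#include <stdlib.h>
#define MAX_DEPTH 64
struct parser { const char *p; int depth; int err; };
static void skip_ws(struct parser *ps) { while (isspace((unsigned char)*ps->p)) ps->p++; }
static long expr_add(struct parser *ps);               /* top level, like expr0 */

static long expr_atom(struct parser *ps)               /* innermost, like expr6 */
{
    skip_ws(ps);
    if (*ps->p == '(') {
        if (++ps->depth > MAX_DEPTH) { ps->err = 1; return 0; }  /* the guard */
        ps->p++;
        long v = expr_add(ps);                         /* re-enters the top level */
        skip_ws(ps);
        if (*ps->p != ')') { ps->err = 1; return 0; }
        ps->p++; ps->depth--;
        return v;
    }
    if (isdigit((unsigned char)*ps->p)) return strtol(ps->p, (char **)&ps->p, 10);
    ps->err = 1;                                       /* unexpected character or end */
    return 0;
}
static long expr_add(struct parser *ps)                /* '+' level; expr1..expr5 elided */
{
    long v = expr_atom(ps);
    for (skip_ws(ps); !ps->err && *ps->p == '+'; skip_ws(ps)) { ps->p++; v += expr_atom(ps); }
    return v;
}
/* Value of src, or on_error if it is malformed or nested deeper than MAX_DEPTH. */
long eval_or(const char *src, long on_error)
{
    struct parser ps = { src, 0, 0 };
    long v = expr_add(&ps);
    skip_ws(&ps);
    return (ps.err || *ps.p != '\0') ? on_error : v;
}
/* 1 if "1" wrapped in depth pairs of parentheses (constructed input) is accepted, else 0. */
int nesting_ok(int depth)
{
    char buf[1024];
    if (depth < 0 || 2 * depth + 2 > (int)sizeof buf) return 0;
    for (int i = 0; i < depth; i++) { buf[i] = '('; buf[depth + 1 + i] = ')'; }
    buf[depth] = '1'; buf[2 * depth + 1] = '\0';
    return eval_or(buf, -1) == 1;
}
```

With the guard in place, nesting one level past MAX_DEPTH is reported as a parse error while the process keeps running, which is the behaviour a fuzzer should see instead of SIGSEGV.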

