[Nasm-bugs] [Bug 3392555] New: Use after free in pp_getline
noreply-nasm at gorcunov.org
noreply-nasm at gorcunov.org
Thu Feb 14 02:49:00 PST 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392555
Bug ID: 3392555
Summary: Use after free in pp_getline
Product: NASM
Version: 2.14.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: major
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: bugs-syssec at rub.de
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411713
--> https://bugzilla.nasm.us/attachment.cgi?id=411713&action=edit
File leading to crash
While fuzzing nasm, a use after free was discovered. It can be triggered by
running ./nasm pp_getline.asm
Asan report:
```
=================================================================
==15953==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d430
at pc 0x00000052545a bp 0x7ffe112986b0 sp 0x7ffe112986a8
READ of size 8 at 0x60f00000d430 thread T0
#0 0x525459 in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5058:31
#1 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
#2 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
#3 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#4 0x41c269 in _start (nasm-asan+0x41c269)
0x60f00000d430 is located 16 bytes inside of 176-byte region
[0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
#0 0x4cb688 in __interceptor_free.localalias.0 (nasm-asan+0x4cb688)
#1 0x53a26c in free_mmacro_table
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:663:13
#2 0x52c056 in do_directive
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:2582:9
#3 0x52513d in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5216:13
#4 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
#5 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
#6 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
previously allocated by thread T0 here:
#0 0x4cba48 in calloc (nasm-asan+0x4cba48)
#1 0x509f23 in nasm_zalloc
fuzz/target/nasm/nasm-2.14.02/nasmlib/malloc.c:85:25
#2 0x52b6de in do_directive
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:2869:20
#3 0x52513d in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5216:13
#4 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
#5 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
#6 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
SUMMARY: AddressSanitizer: heap-use-after-free
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5058:31 in pp_getline
Shadow bytes around the buggy address:
0x0c1e7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e7fff9a80: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c1e7fff9a90: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c1e7fff9aa0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e7fff9ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c1e7fff9ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e7fff9ad0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15953==ABORTING
```
Valgrind report:
```
==16044== Memcheck, a memory error detector
==16044== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16044== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==16044== Command: ./nasm-plain pp_getline.asm
==16044==
pp_getline.asm:1: error: `%macro' expects a parameter count
pp_getline.asm:5: error: (foo:1) `%substr' expects a macro identifier as first
parameter
pp_getline.asm:2: ... from macro `foo' defined here
==16044== Invalid read of size 8
==16044== at 0x175AFC: pp_getline (preproc.c:5058)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae81e0 is 16 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x175DB4: pp_getline (preproc.c:5117)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae81e0 is 16 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x175DB9: pp_getline (preproc.c:5116)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae8228 is 88 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x175DC7: pp_getline (preproc.c:5123)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae81d8 is 8 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x1762B0: pp_getline (preproc.c:5127)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae8238 is 104 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x1762B9: pp_getline (preproc.c:5128)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae8240 is 112 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid read of size 8
==16044== at 0x1762F0: pp_getline (preproc.c:5129)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae8250 is 128 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044== Invalid write of size 8
==16044== at 0x176300: pp_getline (preproc.c:5130)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Address 0x4ae81f8 is 40 bytes inside a block of size 176 free'd
==16044== at 0x48389AB: free (vg_replace_malloc.c:530)
==16044== by 0x16E47F: free_mmacro (preproc.c:630)
==16044== by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044== by 0x17365E: free_macros (preproc.c:671)
==16044== by 0x17365E: do_directive (preproc.c:2582)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044== Block was alloc'd at
==16044== at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044== by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044== by 0x1739A1: do_directive (preproc.c:2869)
==16044== by 0x1760CE: pp_getline (preproc.c:5216)
==16044== by 0x15B541: assemble_file (nasm.c:1488)
==16044== by 0x15A902: main (nasm.c:617)
==16044==
==16044==
==16044== HEAP SUMMARY:
==16044== in use at exit: 99,024 bytes in 14 blocks
==16044== total heap usage: 1,136 allocs, 1,122 frees, 610,912 bytes
allocated
==16044==
==16044== LEAK SUMMARY:
==16044== definitely lost: 32 bytes in 1 blocks
==16044== indirectly lost: 0 bytes in 0 blocks
==16044== possibly lost: 0 bytes in 0 blocks
==16044== still reachable: 98,992 bytes in 13 blocks
==16044== suppressed: 0 bytes in 0 blocks
==16044== Rerun with --leak-check=full to see details of leaked memory
==16044==
==16044== For counts of detected and suppressed errors, rerun with: -v
==16044== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)
```
--
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.
More information about the Nasm-bugs
mailing list