[Nasm-bugs] [Bug 3392555] New: Use after free in pp_getline

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Thu Feb 14 02:49:00 PST 2019
Previous message (by thread): [Nasm-bugs] [Bug 3392554] MOVDDUP cannot accept operand size specifier
Next message (by thread): [Nasm-bugs] [Bug 3392555] Use after free in pp_getline
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
https://bugzilla.nasm.us/show_bug.cgi?id=3392555

            Bug ID: 3392555
           Summary: Use after free in pp_getline
           Product: NASM
           Version: 2.14.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: major
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: bugs-syssec at rub.de
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411713
  --> https://bugzilla.nasm.us/attachment.cgi?id=411713&action=edit
File leading to crash

While fuzzing nasm, a use after free was discovered. It can be triggered by
running ./nasm pp_getline.asm

Asan report:

```
=================================================================
==15953==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d430
at pc 0x00000052545a bp 0x7ffe112986b0 sp 0x7ffe112986a8
READ of size 8 at 0x60f00000d430 thread T0
    #0 0x525459 in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5058:31
    #1 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #2 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #3 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #4 0x41c269 in _start (nasm-asan+0x41c269)

0x60f00000d430 is located 16 bytes inside of 176-byte region
[0x60f00000d420,0x60f00000d4d0)
freed by thread T0 here:
    #0 0x4cb688 in __interceptor_free.localalias.0 (nasm-asan+0x4cb688)
    #1 0x53a26c in free_mmacro_table
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:663:13
    #2 0x52c056 in do_directive
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:2582:9
    #3 0x52513d in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5216:13
    #4 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #5 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #6 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

previously allocated by thread T0 here:
    #0 0x4cba48 in calloc (nasm-asan+0x4cba48)
    #1 0x509f23 in nasm_zalloc
fuzz/target/nasm/nasm-2.14.02/nasmlib/malloc.c:85:25
    #2 0x52b6de in do_directive
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:2869:20
    #3 0x52513d in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5216:13
    #4 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #5 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #6 0x7f4d6ff5d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-use-after-free
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5058:31 in pp_getline
Shadow bytes around the buggy address:
  0x0c1e7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e7fff9a80: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a90: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1e7fff9aa0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9ab0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1e7fff9ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9ad0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15953==ABORTING
```

Valgrind report:

```
==16044== Memcheck, a memory error detector
==16044== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16044== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==16044== Command: ./nasm-plain pp_getline.asm
==16044== 
pp_getline.asm:1: error: `%macro' expects a parameter count
pp_getline.asm:5: error: (foo:1) `%substr' expects a macro identifier as first
parameter
pp_getline.asm:2: ... from macro `foo' defined here
==16044== Invalid read of size 8
==16044==    at 0x175AFC: pp_getline (preproc.c:5058)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae81e0 is 16 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x175DB4: pp_getline (preproc.c:5117)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae81e0 is 16 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x175DB9: pp_getline (preproc.c:5116)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae8228 is 88 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x175DC7: pp_getline (preproc.c:5123)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae81d8 is 8 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x1762B0: pp_getline (preproc.c:5127)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae8238 is 104 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x1762B9: pp_getline (preproc.c:5128)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae8240 is 112 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid read of size 8
==16044==    at 0x1762F0: pp_getline (preproc.c:5129)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae8250 is 128 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== Invalid write of size 8
==16044==    at 0x176300: pp_getline (preproc.c:5130)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Address 0x4ae81f8 is 40 bytes inside a block of size 176 free'd
==16044==    at 0x48389AB: free (vg_replace_malloc.c:530)
==16044==    by 0x16E47F: free_mmacro (preproc.c:630)
==16044==    by 0x16E47F: free_mmacro_table.constprop.10 (preproc.c:663)
==16044==    by 0x17365E: free_macros (preproc.c:671)
==16044==    by 0x17365E: do_directive (preproc.c:2582)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044==  Block was alloc'd at
==16044==    at 0x4839B65: calloc (vg_replace_malloc.c:752)
==16044==    by 0x15EBD0: nasm_zalloc (malloc.c:85)
==16044==    by 0x1739A1: do_directive (preproc.c:2869)
==16044==    by 0x1760CE: pp_getline (preproc.c:5216)
==16044==    by 0x15B541: assemble_file (nasm.c:1488)
==16044==    by 0x15A902: main (nasm.c:617)
==16044== 
==16044== 
==16044== HEAP SUMMARY:
==16044==     in use at exit: 99,024 bytes in 14 blocks
==16044==   total heap usage: 1,136 allocs, 1,122 frees, 610,912 bytes
allocated
==16044== 
==16044== LEAK SUMMARY:
==16044==    definitely lost: 32 bytes in 1 blocks
==16044==    indirectly lost: 0 bytes in 0 blocks
==16044==      possibly lost: 0 bytes in 0 blocks
==16044==    still reachable: 98,992 bytes in 13 blocks
==16044==         suppressed: 0 bytes in 0 blocks
==16044== Rerun with --leak-check=full to see details of leaked memory
==16044== 
==16044== For counts of detected and suppressed errors, rerun with: -v
==16044== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)
```

-- 
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.
Previous message (by thread): [Nasm-bugs] [Bug 3392554] MOVDDUP cannot accept operand size specifier
Next message (by thread): [Nasm-bugs] [Bug 3392555] Use after free in pp_getline
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Nasm-bugs mailing list