[Nasm-bugs] [Bug 3392556] New: Use after free in paste_tokens

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Thu Feb 14 03:09:38 PST 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392556

            Bug ID: 3392556
           Summary: Use after free in paste_tokens
           Product: NASM
           Version: 2.14.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: major
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: bugs-syssec at rub.de
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411714
  --> https://bugzilla.nasm.us/attachment.cgi?id=411714&action=edit
File leading to crash

While fuzzing nasm, a use after free in paste_tokens was found.

Asan report:

```
=================================================================
==20174==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000089f0
at pc 0x000000447aa4 bp 0x7ffe6f45bd30 sp 0x7ffe6f45b4e0
READ of size 2 at 0x6020000089f0 thread T0
    #0 0x447aa3 in __interceptor_strlen.part.24 (nasm-asan+0x447aa3)
    #1 0x535f62 in paste_tokens
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:3820:20
    #2 0x532cfd in expand_smacro
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:4509:13
    #3 0x5252bd in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5254:21
    #4 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #5 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #6 0x7f425df2d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #7 0x41c269 in _start (nasm-asan+0x41c269)

0x6020000089f0 is located 0 bytes inside of 3-byte region
[0x6020000089f0,0x6020000089f3)
freed by thread T0 here:
    #0 0x4cb688 in __interceptor_free.localalias.0 (nasm-asan+0x4cb688)
    #1 0x526cdd in delete_Token
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:1232:5
    #2 0x5359b7 in paste_tokens
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:3780:20
    #3 0x532cfd in expand_smacro
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:4509:13
    #4 0x5252bd in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5254:21
    #5 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #6 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #7 0x7f425df2d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

previously allocated by thread T0 here:
    #0 0x4cb840 in malloc (nasm-asan+0x4cb840)
    #1 0x509eb8 in nasm_malloc
fuzz/target/nasm/nasm-2.14.02/nasmlib/malloc.c:75:25
    #2 0x5271cb in new_Token
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:1222:19
    #3 0x528e32 in tokenize fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:1144:25
    #4 0x535ff1 in paste_tokens
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:3830:19
    #5 0x532cfd in expand_smacro
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:4509:13
    #6 0x5252bd in pp_getline
fuzz/target/nasm/nasm-2.14.02/asm/preproc.c:5254:21
    #7 0x505c91 in assemble_file
fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:1488:24
    #8 0x504645 in main fuzz/target/nasm/nasm-2.14.02/asm/nasm.c:617:9
    #9 0x7f425df2d222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)

SUMMARY: AddressSanitizer: heap-use-after-free (nasm-asan+0x447aa3) in
__interceptor_strlen.part.24
Shadow bytes around the buggy address:
  0x0c047fff90e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff90f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9130: fa fa fa fa fa fa fa fa fa fa 02 fa fa fa[fd]fa
  0x0c047fff9140: fa fa fd fa fa fa fd fa fa fa 03 fa fa fa 02 fa
  0x0c047fff9150: fa fa 02 fa fa fa 02 fa fa fa fd fd fa fa fd fa
  0x0c047fff9160: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff9170: fa fa 00 07 fa fa 00 07 fa fa 00 05 fa fa 00 05
  0x0c047fff9180: fa fa 00 05 fa fa 00 05 fa fa 00 05 fa fa 00 05
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20174==ABORTING
```


Valgrind report:

```
==21280== Memcheck, a memory error detector
==21280== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21280== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==21280== Command: ./nasm-plain paste_tokens.asm
==21280== 
paste_tokens.asm:1: warning: unterminated string [-w+other]
paste_tokens.asm:1: error: unterminated %[ construct
paste_tokens.asm:1: warning: unterminated string [-w+other]
==21280== Invalid read of size 1
==21280==    at 0x483AC62: strlen (vg_replace_strmem.c:460)
==21280==    by 0x170B49: paste_tokens (preproc.c:3820)
==21280==    by 0x170B49: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Address 0x4ae8510 is 0 bytes inside a block of size 3 free'd
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x17017A: delete_Token (preproc.c:1232)
==21280==    by 0x17017A: paste_tokens (preproc.c:3780)
==21280==    by 0x17017A: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Block was alloc'd at
==21280==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==21280==    by 0x15EB88: nasm_malloc (malloc.c:75)
==21280==    by 0x16D949: new_Token.constprop.11 (preproc.c:1222)
==21280==    by 0x16DBA5: tokenize (preproc.c:1144)
==21280==    by 0x170B9F: paste_tokens (preproc.c:3830)
==21280==    by 0x170B9F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280== 
==21280== Invalid read of size 1
==21280==    at 0x483AC74: strlen (vg_replace_strmem.c:460)
==21280==    by 0x170B49: paste_tokens (preproc.c:3820)
==21280==    by 0x170B49: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Address 0x4ae8511 is 1 bytes inside a block of size 3 free'd
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x17017A: delete_Token (preproc.c:1232)
==21280==    by 0x17017A: paste_tokens (preproc.c:3780)
==21280==    by 0x17017A: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Block was alloc'd at
==21280==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==21280==    by 0x15EB88: nasm_malloc (malloc.c:75)
==21280==    by 0x16D949: new_Token.constprop.11 (preproc.c:1222)
==21280==    by 0x16DBA5: tokenize (preproc.c:1144)
==21280==    by 0x170B9F: paste_tokens (preproc.c:3830)
==21280==    by 0x170B9F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280== 
==21280== Invalid read of size 1
==21280==    at 0x49CC420: __stpcpy_ssse3 (in /usr/lib/libc-2.28.so)
==21280==    by 0x170B6F: strcpy (string_fortified.h:90)
==21280==    by 0x170B6F: paste_tokens (preproc.c:3824)
==21280==    by 0x170B6F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Address 0x4ae8510 is 0 bytes inside a block of size 3 free'd
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x17017A: delete_Token (preproc.c:1232)
==21280==    by 0x17017A: paste_tokens (preproc.c:3780)
==21280==    by 0x17017A: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Block was alloc'd at
==21280==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==21280==    by 0x15EB88: nasm_malloc (malloc.c:75)
==21280==    by 0x16D949: new_Token.constprop.11 (preproc.c:1222)
==21280==    by 0x16DBA5: tokenize (preproc.c:1144)
==21280==    by 0x170B9F: paste_tokens (preproc.c:3830)
==21280==    by 0x170B9F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280== 
==21280== Invalid read of size 1
==21280==    at 0x483E19B: stpcpy (vg_replace_strmem.c:1156)
==21280==    by 0x170B6F: strcpy (string_fortified.h:90)
==21280==    by 0x170B6F: paste_tokens (preproc.c:3824)
==21280==    by 0x170B6F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Address 0x4ae8511 is 1 bytes inside a block of size 3 free'd
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x17017A: delete_Token (preproc.c:1232)
==21280==    by 0x17017A: paste_tokens (preproc.c:3780)
==21280==    by 0x17017A: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Block was alloc'd at
==21280==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==21280==    by 0x15EB88: nasm_malloc (malloc.c:75)
==21280==    by 0x16D949: new_Token.constprop.11 (preproc.c:1222)
==21280==    by 0x16DBA5: tokenize (preproc.c:1144)
==21280==    by 0x170B9F: paste_tokens (preproc.c:3830)
==21280==    by 0x170B9F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280== 
==21280== Invalid free() / delete / delete[] / realloc()
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x170B85: delete_Token (preproc.c:1232)
==21280==    by 0x170B85: paste_tokens (preproc.c:3828)
==21280==    by 0x170B85: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Address 0x4ae8510 is 0 bytes inside a block of size 3 free'd
==21280==    at 0x48389AB: free (vg_replace_malloc.c:530)
==21280==    by 0x17017A: delete_Token (preproc.c:1232)
==21280==    by 0x17017A: paste_tokens (preproc.c:3780)
==21280==    by 0x17017A: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280==  Block was alloc'd at
==21280==    at 0x483777F: malloc (vg_replace_malloc.c:299)
==21280==    by 0x15EB88: nasm_malloc (malloc.c:75)
==21280==    by 0x16D949: new_Token.constprop.11 (preproc.c:1222)
==21280==    by 0x16DBA5: tokenize (preproc.c:1144)
==21280==    by 0x170B9F: paste_tokens (preproc.c:3830)
==21280==    by 0x170B9F: expand_smacro (preproc.c:4509)
==21280==    by 0x17611E: pp_getline (preproc.c:5254)
==21280==    by 0x15B541: assemble_file (nasm.c:1488)
==21280==    by 0x15A902: main (nasm.c:617)
==21280== 
paste_tokens.asm:1: warning: unterminated string [-w+other]
paste_tokens.asm:1: error: parser: instruction expected
==21280== 
==21280== HEAP SUMMARY:
==21280==     in use at exit: 99,032 bytes in 14 blocks
==21280==   total heap usage: 1,130 allocs, 1,117 frees, 598,327 bytes
allocated
==21280== 
==21280== LEAK SUMMARY:
==21280==    definitely lost: 32 bytes in 1 blocks
==21280==    indirectly lost: 0 bytes in 0 blocks
==21280==      possibly lost: 0 bytes in 0 blocks
==21280==    still reachable: 99,000 bytes in 13 blocks
==21280==         suppressed: 0 bytes in 0 blocks
==21280== Rerun with --leak-check=full to see details of leaked memory
==21280== 
==21280== For counts of detected and suppressed errors, rerun with: -v
==21280== ERROR SUMMARY: 7 errors from 5 contexts (suppressed: 0 from 0)
```

-- 
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.


More information about the Nasm-bugs mailing list