[Nasm-bugs] [Bug 3392575] New: global-array out-of-bounds access in do_directive

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Tue Jun 18 09:18:34 PDT 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392575

            Bug ID: 3392575
           Summary: global-array out-of-bounds access in do_directive
           Product: NASM
           Version: 2.15 (development)
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: fulicaachatina6 at googlemail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

The following very small test case crashes nasm-2.15rc0-20190606 under ASAN:

$ xxd min.asm 
00000000: 257b                                     %{

(I.e. the test file is simply the string "%{" without quotes.)

The issue occurs in asm/preproc.c:2311.

-> 2311      dname = pp_directives[i];   /* Directive name, for error messages */
   2312      casesense = true;           /* Default to case sensitive */
   2313      switch (i) {
   2314      case PP_INVALID:
   2315          nasm_nonfatal("unknown preprocessor directive `%s'", tline->text);
   2316          return NO_DIRECTIVE_FOUND;      /* didn't get it */

i is set to PP_INVALID, which is 0xffffffff. Accessing
pp_directives[0xffffffff] results in an out-of-bounds access. Without ASAN this
does not crash and dname is set to 0x0.

This is the ASAN report:
==27794==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5671bd5c at pc 0x565ef449 bp 0xffffc2b8 sp 0xffffc2a8
READ of size 4 at 0x5671bd5c thread T0
    #0 0x565ef448 in do_directive asm/preproc.c:2311
    #1 0x56606cfc in pp_tokline asm/preproc.c:5298
    #2 0x56607227 in pp_getline asm/preproc.c:5346
    #3 0x565b34ad in assemble_file asm/nasm.c:1549
    #4 0x565ae790 in main asm/nasm.c:609
    #5 0xf7812e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
    #6 0x565ab750 (/home/rene/Dokumente/Uni/Bochum/SoSe19/Seminar/cves/nasm-2.15rc0-20190606/nasm+0x56750)

0x5671bd5c is located 4 bytes to the left of global variable 'pp_directives' defined in 'asm/pptok.c:10:20' (0x5671bd60) of size 452
0x5671bd5c is located 44 bytes to the right of global variable 'ptr_qword' defined in 'asm/preproc.c:5012:24' (0x5671bd20) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow asm/preproc.c:2311 in do_directive
==27794==ABORTING
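The defect above is a table lookup performed before the sentinel check: pp_directives[i] is read at index -1 and only afterwards does the switch notice PP_INVALID. The following is an added C illustration of the hardened ordering, not code from NASM; demo_directives, demo_find_directive, demo_table_at and demo_directive_name are constructed stand-ins for the report's pp_directives, PP_INVALID and do_directive.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for NASM's pp_directives[] table (not the real table). */
static const char *const demo_directives[] = {
    "%assign", "%define", "%include", "%macro", "%endmacro"
};
#define DEMO_NDIRECTIVES (sizeof demo_directives / sizeof demo_directives[0])

/* Sentinel for "not a directive", mirroring the PP_INVALID (-1) in the report. */
enum { DEMO_INVALID = -1 };

/* Return the index of tok in the table, or DEMO_INVALID when absent. */
static int demo_find_directive(const char *tok)
{
    for (size_t i = 0; i < DEMO_NDIRECTIVES; i++)
        if (strcmp(demo_directives[i], tok) == 0)
            return (int)i;
    return DEMO_INVALID;
}

/* Bounds-checked table read. The (unsigned) cast lets one comparison reject
   both negative indices (-1 becomes 0xffffffff) and indices >= n, so a
   sentinel can never reach tab[] even if a caller forgets to test for it. */
static const char *demo_table_at(const char *const *tab, size_t n, int i)
{
    return (unsigned)i < n ? tab[i] : NULL;
}

/* Hardened counterpart of the code at asm/preproc.c:2311 in the report:
   the sentinel test runs before any table access instead of after it. */
static const char *demo_directive_name(const char *tok)
{
    int i = demo_find_directive(tok);
    if (i == DEMO_INVALID)
        return NULL;            /* the "unknown preprocessor directive" path */
    return demo_table_at(demo_directives, DEMO_NDIRECTIVES, i);
}

int main(void)
{
    /* Constructed inputs; "%{" is the two-byte file from the report. */
    const char *inputs[] = { "%define", "%{", "%macro" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        const char *name = demo_directive_name(inputs[k]);
        printf("%-8s -> %s\n", inputs[k], name ? name : "(unknown directive)");
    }
    return 0;
}
```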
