[Nasm-bugs] [Bug 3392575] New: global-array out-of-bounds access in do_directive
noreply-nasm at gorcunov.org
Tue Jun 18 09:18:34 PDT 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392575
Bug ID: 3392575
Summary: global-array out-of-bounds access in do_directive
Product: NASM
Version: 2.15 (development)
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: fulicaachatina6 at googlemail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
The following very small test case crashes nasm-2.15rc0-20190606 under ASAN:
$ xxd min.asm
00000000: 257b %{
(I.e. the test file is simply the string "%{" without quotes.)
The issue occurs in asm/preproc.c:2311.
-> 2311     dname = pp_directives[i];   /* Directive name, for error messages */
   2312     casesense = true;           /* Default to case sensitive */
   2313     switch (i) {
   2314     case PP_INVALID:
   2315         nasm_nonfatal("unknown preprocessor directive `%s'", tline->text);
   2316         return NO_DIRECTIVE_FOUND;   /* didn't get it */
i is set to PP_INVALID, which is 0xffffffff. Accessing pp_directives[0xffffffff] results in an out-of-bounds access. Without ASAN this does not crash and dname is set to 0x0.
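The defect the report describes is an ordering problem: the table is indexed with the lookup result before that result is checked against the sentinel. The following is an added example written for this page, not NASM's code and not NASM's eventual fix. It models the report's 0xffffffff sentinel as PP_INVALID = -1 in an enum (an assumption about how the value arises), uses a constructed three-entry directive table with made-up names, and shows the vulnerable ordering as a comment beside a checked version that rejects PP_INVALID, and any other out-of-range index, before pp_directives is touched.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a preprocessor directive table.  PP_INVALID
 * models the sentinel from the bug report (0xffffffff, i.e. -1 as a 32-bit
 * value); the directive names below are made up for this example. */
enum preproc_token {
    PP_INVALID = -1,
    PP_DEFINE,
    PP_INCLUDE,
    PP_MACRO,
    PP_COUNT            /* number of valid directives */
};

static const char *const pp_directives[PP_COUNT] = {
    "%define", "%include", "%macro"
};

/* Map a token's text to a directive index; anything unknown (such as the
 * report's "%{") yields PP_INVALID.  Hypothetical stand-in for the lookup
 * that runs before line 2311. */
static enum preproc_token pp_token_lookup(const char *text)
{
    for (int i = 0; i < PP_COUNT; i++)
        if (strcmp(text, pp_directives[i]) == 0)
            return (enum preproc_token)i;
    return PP_INVALID;
}

/*
 * Vulnerable ordering from the report, reproduced here only as a comment
 * (executing it with i == PP_INVALID reads 4 bytes before the array, which
 * is exactly the global-buffer-overflow ASAN flagged):
 *
 *     dname = pp_directives[i];        // table indexed first ...
 *     switch (i) {
 *     case PP_INVALID:                 // ... sentinel checked second
 *         return NO_DIRECTIVE_FOUND;
 */

/* Hardened ordering: validate the index against the table bounds before
 * dereferencing.  Returns NULL when the text is not a known directive. */
static const char *directive_name_checked(const char *text)
{
    enum preproc_token i = pp_token_lookup(text);
    if ((int)i < 0 || (int)i >= PP_COUNT)
        return NULL;
    return pp_directives[i];
}

/* Equivalent of do_directive's early exit: 0 = directive found,
 * -1 = no directive (dname_out is left untouched in that case). */
static int do_directive(const char *text, const char **dname_out)
{
    const char *dname = directive_name_checked(text);
    if (dname == NULL) {
        fprintf(stderr, "unknown preprocessor directive `%s'\n", text);
        return -1;
    }
    *dname_out = dname;
    return 0;
}

int main(void)
{
    const char *dname = NULL;
    /* The report's test case must take the error path without ever
     * indexing pp_directives with the sentinel. */
    assert(do_directive("%{", &dname) == -1 && dname == NULL);
    assert(do_directive("%macro", &dname) == 0 && strcmp(dname, "%macro") == 0);
    puts("ok");
    return 0;
}
```

Compiled with -fsanitize=address, the commented-out ordering is what produces a global-buffer-overflow report with the faulting address just to the left of pp_directives (the f9 global-redzone shadow bytes in the report); the checked version never forms the out-of-range pointer, so there is nothing for the sanitizer to catch and nothing for an unsanitized build to silently read.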
This is the ASAN report:
==27794==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5671bd5c
at pc 0x565ef449 bp 0xffffc2b8 sp 0xffffc2a8
READ of size 4 at 0x5671bd5c thread T0
#0 0x565ef448 in do_directive asm/preproc.c:2311
#1 0x56606cfc in pp_tokline asm/preproc.c:5298
#2 0x56607227 in pp_getline asm/preproc.c:5346
#3 0x565b34ad in assemble_file asm/nasm.c:1549
#4 0x565ae790 in main asm/nasm.c:609
#5 0xf7812e80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
#6 0x565ab750 (/home/rene/Dokumente/Uni/Bochum/SoSe19/Seminar/cves/nasm-2.15rc0-20190606/nasm+0x56750)
0x5671bd5c is located 4 bytes to the left of global variable 'pp_directives'
defined in 'asm/pptok.c:10:20' (0x5671bd60) of size 452
0x5671bd5c is located 44 bytes to the right of global variable 'ptr_qword'
defined in 'asm/preproc.c:5012:24' (0x5671bd20) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow asm/preproc.c:2311 in do_directive
Shadow bytes around the buggy address:
0x2ace3750: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x2ace3760: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
0x2ace3770: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x2ace3780: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
0x2ace3790: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
=>0x2ace37a0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9[f9]00 00 00 00
0x2ace37b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x2ace37c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x2ace37d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x2ace37e0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x2ace37f0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27794==ABORTING