[Nasm-bugs] [Bug 3392577] New: Use after free in pp_tokline
noreply-nasm at gorcunov.org
Tue Jun 18 19:39:48 PDT 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392577
Bug ID: 3392577
Summary: Use after free in pp_tokline
Product: NASM
Version: 2.14.xx
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: rkx1209dev at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411721
--> https://bugzilla.nasm.us/attachment.cgi?id=411721&action=edit
Proof of Concept ASM file
A use after free has still been discovered in pp_tokline, even in the latest
development version (built from git).
This bug is triggered by quite simple asm code: "struc %clear istruc"
Version:
NASM version 2.15rc0 compiled on Jun 18 2019
PoC Execution:
./nasm -felf64 ~/memcorrupt_nasm-2.14.02_pragma_clear
=================================================================
==31804==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000670 at pc 0x558f1a4ef6c7 bp 0x7ffe823533e0 sp 0x7ffe823533d0
READ of size 4 at 0x60f000000670 thread T0
#0 0x558f1a4ef6c6 in pp_tokline asm/preproc.c:5271
#1 0x558f1a4ef6c6 in pp_getline asm/preproc.c:5368
#2 0x558f1a4bbab9 in assemble_file asm/nasm.c:1549
#3 0x558f1a4b6b24 in main asm/nasm.c:609
#4 0x7f890ac01b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x558f1a4b7a79 in _start (/home/rkx/Programming/OSS/research/dataset/apps/nasm-dev/nasm+0x104a79)
0x60f000000670 is located 144 bytes inside of 176-byte region [0x60f0000005e0,0x60f000000690)
freed by thread T0 here:
#0 0x7f890b0af7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x558f1a4dbab1 in free_mmacro_table asm/preproc.c:696
previously allocated by thread T0 here:
#0 0x7f890b0afd38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
#1 0x558f1a4bc750 in nasm_zalloc nasmlib/alloc.c:76
#2 0x558f1a55245f (/home/rkx/Programming/OSS/research/dataset/apps/nasm-dev/nasm+0x19f45f)
SUMMARY: AddressSanitizer: heap-use-after-free asm/preproc.c:5271 in pp_tokline
==31804==ABORTING
Thanks
Ren