[Nasm-bugs] [Bug 3392634] New: heap-use-after-free in new_Token asm/preproc.c

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Wed Nov 27 05:41:55 PST 2019

Previous message (by thread): [Nasm-bugs] [Bug 3392633] New: nasm.us links to abandoned sf.net mailing lists
Next message (by thread): [Nasm-bugs] [Bug 3392634] heap-use-after-free in new_Token asm/preproc.c
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

https://bugzilla.nasm.us/show_bug.cgi?id=3392634

            Bug ID: 3392634
           Summary: heap-use-after-free in new_Token asm/preproc.c
           Product: NASM
           Version: 2.14.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: 92wyunchao at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411746
  --> https://bugzilla.nasm.us/attachment.cgi?id=411746&action=edit
poc

one use after free in new_Token asm/preproc.c could cause denial-of-service
which can be triggered by executing the nasm cmd.

$uname -a
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC
2019 x86_64 GNU/Linux

$./nasm -f bin ~/poc1 -o tmp

asan:
==56765==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005450
at pc 0x7f1f9fa4f20b bp 0x7fff8cb2c230 sp 0x7fff8cb2b9d8
READ of size 2 at 0x602000005450 thread T0
    #0 0x7f1f9fa4f20a in __interceptor_strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x4308aa in new_Token asm/preproc.c:1221
    #2 0x44572b in expand_smacro asm/preproc.c:4437
    #3 0x44a999 in pp_getline asm/preproc.c:5254
    #4 0x408b57 in assemble_file asm/nasm.c:1488
    #5 0x404a72 in main asm/nasm.c:617
    #6 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4022a8 in _start (/home/s2e/asan/nasm-2.14.02/tmp/bin/nasm+0x4022a8)

0x602000005450 is located 0 bytes inside of 3-byte region
[0x602000005450,0x602000005453)
freed by thread T0 here:
    #0 0x7f1f9fa772ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x40a021 in nasm_free nasmlib/malloc.c:96
    #2 0x4309c5 in delete_Token asm/preproc.c:1232
    #3 0x42bfeb in free_tlist asm/preproc.c:606
    #4 0x445b03 in expand_smacro asm/preproc.c:4471
    #5 0x44a999 in pp_getline asm/preproc.c:5254
    #6 0x408b57 in assemble_file asm/nasm.c:1488
    #7 0x404a72 in main asm/nasm.c:617
    #8 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f1f9fa77602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x409f62 in nasm_malloc nasmlib/malloc.c:75
    #2 0x4308bd in new_Token asm/preproc.c:1222
    #3 0x445a7e in expand_smacro asm/preproc.c:4460
    #4 0x44a999 in pp_getline asm/preproc.c:5254
    #5 0x408b57 in assemble_file asm/nasm.c:1488
    #6 0x404a72 in main asm/nasm.c:617
    #7 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa
  0x0c047fff8a50: fa fa 02 fa fa fa 00 04 fa fa 02 fa fa fa 00 04
  0x0c047fff8a60: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
  0x0c047fff8a70: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x0c047fff8a80: fa fa 02 fa fa fa 02 fa fa fa[fd]fa fa fa 02 fa
  0x0c047fff8a90: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 04 fa
  0x0c047fff8aa0: fa fa 02 fa fa fa 07 fa fa fa 02 fa fa fa 06 fa
  0x0c047fff8ab0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
  0x0c047fff8ac0: fa fa 00 04 fa fa 02 fa fa fa 02 fa fa fa 05 fa
  0x0c047fff8ad0: fa fa 03 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==56765==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.

Previous message (by thread): [Nasm-bugs] [Bug 3392633] New: nasm.us links to abandoned sf.net mailing lists
Next message (by thread): [Nasm-bugs] [Bug 3392634] heap-use-after-free in new_Token asm/preproc.c
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Nasm-bugs mailing list