[Nasm-bugs] [Bug 3392634] New: heap-use-after-free in new_Token asm/preproc.c
noreply-nasm at dev.nasm.us
Wed Nov 27 05:41:55 PST 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392634
Bug ID: 3392634
Summary: heap-use-after-free in new_Token asm/preproc.c
Product: NASM
Version: 2.14.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: 92wyunchao at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411746
--> https://bugzilla.nasm.us/attachment.cgi?id=411746&action=edit
poc
One use-after-free in new_Token (asm/preproc.c) could cause a denial of service,
which can be triggered by executing the nasm cmd.
$uname -a
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC
2019 x86_64 GNU/Linux
$./nasm -f bin ~/poc1 -o tmp
asan:
==56765==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005450
at pc 0x7f1f9fa4f20b bp 0x7fff8cb2c230 sp 0x7fff8cb2b9d8
READ of size 2 at 0x602000005450 thread T0
#0 0x7f1f9fa4f20a in __interceptor_strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
#1 0x4308aa in new_Token asm/preproc.c:1221
#2 0x44572b in expand_smacro asm/preproc.c:4437
#3 0x44a999 in pp_getline asm/preproc.c:5254
#4 0x408b57 in assemble_file asm/nasm.c:1488
#5 0x404a72 in main asm/nasm.c:617
#6 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x4022a8 in _start (/home/s2e/asan/nasm-2.14.02/tmp/bin/nasm+0x4022a8)
0x602000005450 is located 0 bytes inside of 3-byte region
[0x602000005450,0x602000005453)
freed by thread T0 here:
#0 0x7f1f9fa772ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x40a021 in nasm_free nasmlib/malloc.c:96
#2 0x4309c5 in delete_Token asm/preproc.c:1232
#3 0x42bfeb in free_tlist asm/preproc.c:606
#4 0x445b03 in expand_smacro asm/preproc.c:4471
#5 0x44a999 in pp_getline asm/preproc.c:5254
#6 0x408b57 in assemble_file asm/nasm.c:1488
#7 0x404a72 in main asm/nasm.c:617
#8 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7f1f9fa77602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x409f62 in nasm_malloc nasmlib/malloc.c:75
#2 0x4308bd in new_Token asm/preproc.c:1222
#3 0x445a7e in expand_smacro asm/preproc.c:4460
#4 0x44a999 in pp_getline asm/preproc.c:5254
#5 0x408b57 in assemble_file asm/nasm.c:1488
#6 0x404a72 in main asm/nasm.c:617
#7 0x7f1f9f63582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
0x0c047fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 02 fa
0x0c047fff8a50: fa fa 02 fa fa fa 00 04 fa fa 02 fa fa fa 00 04
0x0c047fff8a60: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x0c047fff8a70: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
=>0x0c047fff8a80: fa fa 02 fa fa fa 02 fa fa fa[fd]fa fa fa 02 fa
0x0c047fff8a90: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 04 fa
0x0c047fff8aa0: fa fa 02 fa fa fa 07 fa fa fa 02 fa fa fa 06 fa
0x0c047fff8ab0: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x0c047fff8ac0: fa fa 00 04 fa fa 02 fa fa fa 02 fa fa fa 05 fa
0x0c047fff8ad0: fa fa 03 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==56765==ABORTING
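To triage a report like the one above, what matters is the first in-project frame of each of the three stacks ASan prints: the bad access, the free, and the allocation. The Python script below is an added example, not code from the bug report or from NASM itself; it parses the report quoted in this bug (with line-wrapping removed and the libc entry frames dropped) and reduces it to "allocated in new_Token at asm/preproc.c:1222, freed via delete_Token at asm/preproc.c:1232 from free_tlist, read again by strlen called from new_Token at asm/preproc.c:1221". The noise filter that skips frames in libasan and nasmlib/malloc.c is an assumption chosen for this report, not a general rule.

```python
"""Triage helper for an AddressSanitizer heap-use-after-free report.

Added example, not part of the bug report or of NASM: it parses the three
stack traces ASan prints (bad access, free, allocation) and reports the
first in-project frame of each, which is what locates the dangling pointer
and the code that owns the object.  SAMPLE_REPORT is the report from this
bug with line-wrapping removed and the libc entry frames dropped.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = """\
==56765==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005450 at pc 0x7f1f9fa4f20b bp 0x7fff8cb2c230 sp 0x7fff8cb2b9d8
READ of size 2 at 0x602000005450 thread T0
    #0 0x7f1f9fa4f20a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x4308aa in new_Token asm/preproc.c:1221
    #2 0x44572b in expand_smacro asm/preproc.c:4437
    #3 0x44a999 in pp_getline asm/preproc.c:5254
    #4 0x408b57 in assemble_file asm/nasm.c:1488
    #5 0x404a72 in main asm/nasm.c:617
0x602000005450 is located 0 bytes inside of 3-byte region [0x602000005450,0x602000005453)
freed by thread T0 here:
    #0 0x7f1f9fa772ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x40a021 in nasm_free nasmlib/malloc.c:96
    #2 0x4309c5 in delete_Token asm/preproc.c:1232
    #3 0x42bfeb in free_tlist asm/preproc.c:606
    #4 0x445b03 in expand_smacro asm/preproc.c:4471
previously allocated by thread T0 here:
    #0 0x7f1f9fa77602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x409f62 in nasm_malloc nasmlib/malloc.c:75
    #2 0x4308bd in new_Token asm/preproc.c:1222
    #3 0x445a7e in expand_smacro asm/preproc.c:4460
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")

# Assumption for this report: frames in the sanitizer runtime and in NASM's
# allocator wrapper do not own the object, so they are skipped when picking
# the interesting frame of each stack.
NOISE = ("libasan", "nasmlib/malloc.c")


@dataclass
class Frame:
    index: int
    function: str
    location: str


def parse_report(text):
    """Return error kind, address, access, region info and the three stacks."""
    result = {"stacks": {"access": [], "free": [], "alloc": []}}
    current = None  # which stack the frames we are reading belong to
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            result["error"], result["address"] = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.match(line)
        if m:
            result["access"] = (m.group(1), int(m.group(2)))
            current = "access"
            continue
        m = REGION_RE.search(line)
        if m:
            result["offset"], result["region_size"] = int(m.group(1)), int(m.group(2))
            continue
        if line.startswith("freed by thread"):
            current = "free"
            continue
        if line.startswith("previously allocated by thread"):
            current = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m and current:
            result["stacks"][current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return result


def first_project_frame(frames):
    """First frame that is neither sanitizer runtime nor allocator wrapper."""
    for f in frames:
        if not any(n in f.location for n in NOISE):
            return f
    return None


def triage(text):
    """Summarise where the object was allocated, freed and then used again."""
    r = parse_report(text)
    return {
        "error": r["error"],
        "access": r["access"],
        "use": first_project_frame(r["stacks"]["access"]),
        "free": first_project_frame(r["stacks"]["free"]),
        "alloc": first_project_frame(r["stacks"]["alloc"]),
        # offset 0 means the read starts at the very beginning of the freed block
        "at_object_start": r["offset"] == 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:16}: {value}")
```

Reading the result for this bug: the same function (new_Token) both allocated the token text and later read it through strlen after expand_smacro had freed the token list via free_tlist, which is the classic shape of a dangling pointer left in a list that was released one call earlier.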