[Nasm-bugs] [Bug 3392609] New: Stack buffer overflow found when specifying addresses and offset

noreply-nasm at gorcunov.org
Mon Sep 16 05:36:04 PDT 2019


https://bugzilla.nasm.us/show_bug.cgi?id=3392609

            Bug ID: 3392609
           Summary: Stack buffer overflow found when specifying addresses
                    and offset
           Product: NASM
           Version: 2.15 (development)
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: major
          Priority: Medium
         Component: Disassembler
          Assignee: nobody at nasm.us
          Reporter: tureqsec at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Hi,

I've observed that in the latest commit
a6358096202e1b3bec58decabaad007f4957392c there is a possibility of a buffer
overflow on Ubuntu 19.04. I've managed to get the stack smash warning with the
following:

```
$ ./ndisasm -v
NDISASM version 2.15rc0 compiled on Sep 16 2019
$ python3 -c 'fp = open("test.bin", "wb"); fp.write(b"A" * 0x149); fp.close()'
$ ./ndisasm -u -o148h -s23eh -k 0,149h ./test.bin
```

output:
```
...
0000028F  41                db 0x41
00000290  41                db 0x41
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
```

I've tried to move this further by recompiling with -fno-stack-protector flag
and observed the following after executing the following commands:

```
$ python3 -c 'fp = open("test.bin", "wb"); fp.write(b"A" * 0x17c); fp.close()'
$ ./ndisasm -u -o166h -s2e0h -k 0,17ah test.bin
```

output:
```
...
000002E0  41                db 0x41
000002E1  41                db 0x41
Segmentation fault (core dumped)

$ dmesg
...
[29737.611225] ndisasm[32299]: segfault at 7f1e41414141 ip 00007f1e41414141 sp 00007ffdcfd8a130 error 14 in libc-2.29.so[7f1e59a82000+25000]
[29737.611237] Code: Bad RIP value.
...
$ gdb -q ./ndisasm ./core
Reading symbols from ./ndisasm...
[New LWP 3345]
Core was generated by `./ndisasm -u -o166h -s2e0h -k 0 17ah test.bin'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f5041414141 in ?? ()
```

I've also observed the same behaviour on ndisasm binary 2.14 that is shipped
with Ubuntu 19.04.
