[Nasm-bugs] [Bug 3392716] New: A heap-use-after-free in preproc.c:6853:52 can cause Segmentation fault

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Sun Aug 30 19:41:45 PDT 2020

Previous message (by thread): [Nasm-bugs] [Bug 3392635] Output is not reproducible because it encodes file paths
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

https://bugzilla.nasm.us/show_bug.cgi?id=3392716

            Bug ID: 3392716
           Summary: A heap-use-after-free in preproc.c:6853:52 can cause
                    Segmentation fault
           Product: NASM
           Version: 2.15.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: seviezhou at 163.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411801
  --> https://bugzilla.nasm.us/attachment.cgi?id=411801&action=edit
use-after-free-pp_tokline-preproc-6853

## System info

Ubuntu x86_64, clang 6.0, nasm (latest nasm-2.15.05)

## Command line

./nasm -fmacho64 -g -o /dev/null @@

## Output

```
Segmentation fault
```

## AddressSanitizer output

```
=================================================================
==69621==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000001e60
at pc 0x00000056d3af bp 0x7ffc30a73c50 sp 0x7ffc30a73c48
READ of size 4 at 0x60f000001e60 thread T0
    #0 0x56d3ae in pp_tokline /home/seviezhou/nasm/asm/preproc.c:6853:52
    #1 0x55f924 in pp_getline /home/seviezhou/nasm/asm/preproc.c:6923:17
    #2 0x517b02 in assemble_file /home/seviezhou/nasm/asm/nasm.c:1723:24
    #3 0x517b02 in main /home/seviezhou/nasm/asm/nasm.c:714
    #4 0x7fae5b74583f in __libc_start_main
/build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41a878 in _start (/home/seviezhou/nasm/nasm+0x41a878)

0x60f000001e60 is located 32 bytes inside of 176-byte region
[0x60f000001e40,0x60f000001ef0)
freed by thread T0 here:
    #0 0x4de748 in __interceptor_cfree.localalias.0
/home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:76
    #1 0x5229a2 in nasm_free /home/seviezhou/nasm/nasmlib/alloc.c:108:9
    #2 0x5689cc in pp_tokline /home/seviezhou/nasm/asm/preproc.c:6860:13
    #3 0x55f924 in pp_getline /home/seviezhou/nasm/asm/preproc.c:6923:17
    #4 0x7fae5b74583f in __libc_start_main
/build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4deb20 in calloc
/home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97
    #1 0x522646 in nasm_calloc /home/seviezhou/nasm/nasmlib/alloc.c:72:9
    #2 0x5689cc in pp_tokline /home/seviezhou/nasm/asm/preproc.c:6860:13
    #3 0x55f924 in pp_getline /home/seviezhou/nasm/asm/preproc.c:6923:17
    #4 0x7fae5b74583f in __libc_start_main
/build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free
/home/seviezhou/nasm/asm/preproc.c:6853:52 in pp_tokline
Shadow bytes around the buggy address:
  0x0c1e7fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8380: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e7fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff83a0: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e7fff83b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff83c0: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c1e7fff83d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1e7fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69621==ABORTING
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.

Previous message (by thread): [Nasm-bugs] [Bug 3392635] Output is not reproducible because it encodes file paths
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Nasm-bugs mailing list