[Nasm-bugs] [Bug 3392725] New: In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.

noreply-nasm at dev.nasm.us
Mon Dec 7 19:18:22 PST 2020


https://bugzilla.nasm.us/show_bug.cgi?id=3392725

            Bug ID: 3392725
           Summary: In NASM 2.15.05, there is a heap-buffer-overflow
                    vulnerability in asm/preproc.c, line 6352.
           Product: NASM
           Version: 2.15.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: major
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: 734222792 at qq.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

CMD: ./nasm -f bin poc -o tmp

==14363==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000040f8 at pc 0x00000055fffc bp 0x7ffe562192d0 sp 0x7ffe562192c8
READ of size 4 at 0x6020000040f8 thread T0
    #0 0x55fffb  (/home/fstark/nasm/nasm-2.15.05/nasm+0x55fffb)
    #1 0x4ea689  (/home/fstark/nasm/nasm-2.15.05/nasm+0x4ea689)
    #2 0x7efc0fbea83f  (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #3 0x418fb8  (/home/fstark/nasm/nasm-2.15.05/nasm+0x418fb8)

0x6020000040f8 is located 0 bytes to the right of 8-byte region
[0x6020000040f0,0x6020000040f8)
allocated by thread T0 here:
    #0 0x4b90e0  (/home/fstark/nasm/nasm-2.15.05/nasm+0x4b90e0)
    #1 0x4f87e9  (/home/fstark/nasm/nasm-2.15.05/nasm+0x4f87e9)
    #2 0x4ea689  (/home/fstark/nasm/nasm-2.15.05/nasm+0x4ea689)
    #3 0x7efc0fbea83f  (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/fstark/nasm/nasm-2.15.05/nasm+0x55fffb) 
==14363==ABORTING
fstark at fstark-virtual-machine:~/nasm/nasm-2.15.05$ gdb ./nasm
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Reading symbols from ./nasm...done.
gdb-peda$ b *0x55fffb
Breakpoint 1 at 0x55fffb: file asm/preproc.c, line 6352.


506             oct->have_gm = true;
507             if (!oct->have_local)
508                 oct->local = oct->gm;
509         } else {
510             oct->gm = oct->local;
511         }
512     
513         if (best_gm) {
514             oct->posix = make_posix_time(best_gm);
515             oct->have_posix = true;
