[Nasm-bugs] [Bug 3392725] New: In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.
noreply-nasm at dev.nasm.us
Mon Dec 7 19:18:22 PST 2020
https://bugzilla.nasm.us/show_bug.cgi?id=3392725
Bug ID: 3392725
Summary: In NASM 2.15.05, there is a heap-buffer-overflow vulnerability in asm/preproc.c, line 6352.
Product: NASM
Version: 2.15.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: major
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: 734222792 at qq.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
CMD: ./nasm -f bin poc -o tmp
==14363==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000040f8 at pc 0x00000055fffc bp 0x7ffe562192d0 sp 0x7ffe562192c8
READ of size 4 at 0x6020000040f8 thread T0
#0 0x55fffb (/home/fstark/nasm/nasm-2.15.05/nasm+0x55fffb)
#1 0x4ea689 (/home/fstark/nasm/nasm-2.15.05/nasm+0x4ea689)
#2 0x7efc0fbea83f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#3 0x418fb8 (/home/fstark/nasm/nasm-2.15.05/nasm+0x418fb8)
0x6020000040f8 is located 0 bytes to the right of 8-byte region
[0x6020000040f0,0x6020000040f8)
allocated by thread T0 here:
#0 0x4b90e0 (/home/fstark/nasm/nasm-2.15.05/nasm+0x4b90e0)
#1 0x4f87e9 (/home/fstark/nasm/nasm-2.15.05/nasm+0x4f87e9)
#2 0x4ea689 (/home/fstark/nasm/nasm-2.15.05/nasm+0x4ea689)
#3 0x7efc0fbea83f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/fstark/nasm/nasm-2.15.05/nasm+0x55fffb)
Shadow bytes around the buggy address:
0x0c047fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff8810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[fa]
0x0c047fff8820: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff8830: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff8840: fa fa 06 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8850: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8860: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
==14363==ABORTING
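The AddressSanitizer output above is what a triager has to read. As an added example (not NASM's code and not part of the original report), the following Python pulls the error kind, access type and size, the allocation bounds and the number of bytes that fall outside the allocation out of a copy of those report lines; the helper name and field names are mine.

```python
import re

# Constructed, abridged copy of the AddressSanitizer report quoted in this
# bug (mail-wrapped lines kept as they appear there); parse_asan() is an
# added triage helper, not NASM code.
ASAN_REPORT = """\
==14363==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000040f8 at pc 0x00000055fffc bp 0x7ffe562192d0 sp 0x7ffe562192c8
READ of size 4 at 0x6020000040f8 thread T0
#0 0x55fffb (/home/fstark/nasm/nasm-2.15.05/nasm+0x55fffb)
#1 0x4ea689 (/home/fstark/nasm/nasm-2.15.05/nasm+0x4ea689)
0x6020000040f8 is located 0 bytes to the right of 8-byte region
[0x6020000040f0,0x6020000040f8)
allocated by thread T0 here:
"""


def parse_asan(report: str) -> dict:
    """Pull the triage-relevant fields out of an ASan heap-buffer-overflow report.

    Mail clients wrap long report lines, so the text is first re-joined with
    spaces; every regex below then matches across the original line breaks.
    """
    text = " ".join(line.strip() for line in report.splitlines())
    kind = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    access = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text)
    region = re.search(r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    frame0 = re.search(r"#0 (0x[0-9a-f]+)", text)
    if not (kind and access and region and frame0):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    size = int(access.group(2))
    addr = int(access.group(3), 16)
    lo, hi = (int(x, 16) for x in region.groups())
    # Part of the access [addr, addr+size) that overlaps the allocation [lo, hi);
    # whatever is left over was read or written outside the object.
    inside = max(0, min(addr + size, hi) - max(addr, lo))
    return {
        "error": kind.group(1),                  # heap-buffer-overflow
        "access": access.group(1),               # READ or WRITE
        "size": size,
        "address": addr,
        "region": (lo, hi),
        "region_size": hi - lo,
        "offset_from_region_start": addr - lo,   # 8: one past an 8-byte object
        "bytes_out_of_bounds": size - inside,    # 4: the whole 4-byte read
        "frame0": int(frame0.group(1), 16),      # 0x55fffb, the gdb breakpoint
    }


if __name__ == "__main__":
    for key, value in parse_asan(ASAN_REPORT).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```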
fstark at fstark-virtual-machine:~/nasm/nasm-2.15.05$ gdb ./nasm
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Reading symbols from ./nasm...done.
gdb-peda$ b *0x55fffb
Breakpoint 1 at 0x55fffb: file asm/preproc.c, line 6352.
506 oct->have_gm = true;
507 if (!oct->have_local)
508 oct->local = oct->gm;
509 } else {
510 oct->gm = oct->local;
511 }
512
513 if (best_gm) {
514 oct->posix = make_posix_time(best_gm);
515 oct->have_posix = true;