[Nasm-bugs] [Bug 3392727] New: stack-use-after-scope on preproc.c:5225
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Tue Dec 15 23:49:48 PST 2020
https://bugzilla.nasm.us/show_bug.cgi?id=3392727
Bug ID: 3392727
Summary: stack-use-after-scope on preproc.c:5225
Product: NASM
Version: 2.15.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: major
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: 734222792 at qq.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411806
--> https://bugzilla.nasm.us/attachment.cgi?id=411806&action=edit
POC
CMD:
./nasm -f bin POC -o tmp
ASAN:
==18591==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7ffdba9d7890 at pc 0x5595d168d51e bp 0x7ffdba9d7680 sp 0x7ffdba9d7670
WRITE of size 8 at 0x7ffdba9d7890 thread T0
#0 0x5595d168d51d in expand_mmac_params asm/preproc.c:5225
#1 0x5595d16a2e0b in pp_tokline asm/preproc.c:6854
#2 0x5595d16a2e0b in pp_getline asm/preproc.c:6923
#3 0x5595d1627b5b in assemble_file asm/nasm.c:1723
#4 0x5595d161ba0d in main asm/nasm.c:714
#5 0x7fb858db9bf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#6 0x5595d161de49 in _start (/home/fstark/nasm-nasm-2.15.05/nasm+0x11be49)
Address 0x7ffdba9d7890 is located in stack of thread T0 at offset 416 in frame
#0 0x5595d168b15f in expand_mmac_params asm/preproc.c:5040
This frame has 8 object(s):
[32, 36) 'fst'
[96, 100) 'lst'
[160, 168) 'tail'
[224, 232) 'thead'
[288, 296) 'ep'
[352, 360) 'ep'
[416, 424) 'newlist' <== Memory access at offset 416 is inside this
variable
[480, 496) 't'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope asm/preproc.c:5225 in
expand_mmac_params
Shadow bytes around the buggy address:
0x100037532ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037532ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x100037532ee0: f1 f1 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2
0x100037532ef0: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
0x100037532f00: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
=>0x100037532f10: f2 f2[f8]f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00
0x100037532f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100037532f30: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100037532f40: 04 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
0x100037532f50: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
0x100037532f60: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18591==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list