[Nasm-bugs] [Bug 3392643] New: stack-use-after-scope in expand_mmac_params at asm/preproc.c:4931
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Mon Jan 6 01:20:23 PST 2020
https://bugzilla.nasm.us/show_bug.cgi?id=3392643
Bug ID: 3392643
Summary: stack-use-after-scope in expand_mmac_params at
asm/preproc.c:4931
Product: NASM
Version: 2.15 (development)
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: prada960808 at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411754
--> https://bugzilla.nasm.us/attachment.cgi?id=411754&action=edit
poc
Hi,
I found a stack-use-after-scope in expand_mmac_params at asm/preproc.c:4931
It is triggered in nasm version 2.15.
Please run following command
nasm -o /dev/null -f bin $PoC
Here's ASAN LOG
==30308==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7ffc324707c0 at pc 0x00000062e905 bp 0x7ffc32470790 sp 0x7ffc32470788
WRITE of size 8 at 0x7ffc324707c0 thread T0
#0 0x62e904 in expand_mmac_params
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:4931:11
#1 0x5e8123 in pp_tokline
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6361:21
#2 0x5e8123 in pp_getline
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6428
#3 0x50a7f9 in assemble_file
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:1630:24
#4 0x50a7f9 in main
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:637
#5 0x7f2ca11a5b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a4a9 in _start
(/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x41a4a9)
Address 0x7ffc324707c0 is located in stack of thread T0 at offset 32 in frame
#0 0x61fc6f in expand_mmac_params
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:4749
This frame has 5 object(s):
[32, 40) 'newlist.i249' (line 979) <== Memory access at offset 32 is inside
this variable
[64, 72) 'newlist.i' (line 1002)
[96, 104) 'thead' (line 4750)
[128, 136) 'ep' (line 4816)
[160, 168) 'ep36' (line 4834)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:4931:11 in
expand_mmac_params
Shadow bytes around the buggy address:
0x1000064860a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000064860b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000064860c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000064860d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000064860e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000064860f0: 00 00 00 00 f1 f1 f1 f1[f8]f2 f2 f2 f8 f2 f2 f2
0x100006486100: 00 f2 f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 00 00 00 00
0x100006486110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100006486120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100006486130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100006486140: f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30308==ABORTING
NASM version 2.15rc0-20191023 compiled on Dec 9 2019
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list