[Nasm-bugs] [Bug 3392646] New: heap-buffer-overflow in obj_write_file at output/outobj.c:436

noreply-nasm at dev.nasm.us
Sun Jan 12 02:31:52 PST 2020


https://bugzilla.nasm.us/show_bug.cgi?id=3392646

            Bug ID: 3392646
           Summary: heap-buffer-overflow in obj_write_file at
                    output/outobj.c:436
           Product: NASM
           Version: 2.15 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: prada960808 at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411757
  --> https://bugzilla.nasm.us/attachment.cgi?id=411757&action=edit
poc

Hi,
I found a heap-buffer-overflow in obj_write_file at output/outobj.c:436.
It is triggered in nasm version 2.15.
NASM version 2.15rc0-20191023 compiled on Dec  9 2019

Please run the following command:
$ nasm -o /dev/null -f obj $PoC

ASAN LOG
=================================================================
==15840==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900000b3c0 at pc 0x0000004d75ec bp 0x7ffe75221d50 sp 0x7ffe75221500
WRITE of size 1150 at 0x61900000b3c0 thread T0
    #0 0x4d75eb in __asan_memcpy (/home/tmp/ezxml_fuzzing/nasm+0x4d75eb)
    #1 0x80b6b5 in obj_write_file
/home/tmp/nasm-2.15rc0-20191023/output/outobj.c:436:9
    #2 0x7cb454 in obj_cleanup
/home/tmp/nasm-2.15rc0-20191023/output/outobj.c:669:5
    #3 0x50d5f1 in main /home/tmp/nasm-2.15rc0-20191023/asm/nasm.c:640:13
    #4 0x7f2dc2c44b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a4a9 in _start (/home/tmp/ezxml_fuzzing/nasm+0x41a4a9)

0x61900000b3c0 is located 0 bytes to the right of 1088-byte region
[0x61900000af80,0x61900000b3c0)
allocated by thread T0 here:
    #0 0x4d8720 in malloc (/home/tmp/ezxml_fuzzing/nasm+0x4d8720)
    #1 0x526d10 in nasm_malloc
/home/tmp/nasm-2.15rc0-20191023/nasmlib/alloc.c:55:9
    #2 0x7cb454 in obj_cleanup
/home/tmp/nasm-2.15rc0-20191023/output/outobj.c:669:5
    #3 0x7f2dc2c44b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/tmp/ezxml_fuzzing/nasm+0x4d75eb) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c327fff9620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9670: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c327fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15840==ABORTING
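Added triage example, not part of this bug report or of NASM: a Python script that parses the decisive lines of the AddressSanitizer report above (copied into a constructed sample with the e-mail line-wrapping undone) and computes how much of the 1150-byte write falls outside the 1088-byte allocation and which source frame performed it. The regexes follow ASan's report format and assume symbolized frames as in the report above; the region-line pattern also accepts ASan's "inside of" wording so partial overruns are handled too.

```python
import re

# Constructed sample: the decisive lines of the report above, with the e-mail
# line-wrapping undone so that each ASan record sits on one line.
SAMPLE_REPORT = """\
WRITE of size 1150 at 0x61900000b3c0 thread T0
    #0 0x4d75eb in __asan_memcpy (/home/tmp/ezxml_fuzzing/nasm+0x4d75eb)
    #1 0x80b6b5 in obj_write_file /home/tmp/nasm-2.15rc0-20191023/output/outobj.c:436:9
    #2 0x7cb454 in obj_cleanup /home/tmp/nasm-2.15rc0-20191023/output/outobj.c:669:5
0x61900000b3c0 is located 0 bytes to the right of 1088-byte region [0x61900000af80,0x61900000b3c0)
allocated by thread T0 here:
    #0 0x4d8720 in malloc (/home/tmp/ezxml_fuzzing/nasm+0x4d8720)
    #1 0x526d10 in nasm_malloc /home/tmp/nasm-2.15rc0-20191023/nasmlib/alloc.c:55:9
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
REGION_RE = re.compile(r"located \d+ bytes (?:to the (?:left|right)|inside) of (\d+)-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def first_source_frame(trace):
    """First frame with a file:line; interceptors like __asan_memcpy/malloc show '(binary+off)'."""
    for func, loc in FRAME_RE.findall(trace):
        if not loc.startswith("("):
            return func, loc
    return None

def triage(report):
    """Quantify a heap-buffer-overflow: how much of the access lands outside the allocation."""
    acc, reg = ACCESS_RE.search(report), REGION_RE.search(report)
    if acc is None or reg is None:
        raise ValueError("need both an access line and a region line")
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    region_size, lo, hi = int(reg.group(1)), int(reg.group(2), 16), int(reg.group(3), 16)
    if hi - lo != region_size:
        raise ValueError("region bounds disagree with the stated region size")
    # Bytes of [addr, addr+size) overlapping [lo, hi); everything else is out of bounds.
    inside = max(0, min(addr + size, hi) - max(addr, lo))
    access_trace, _, alloc_trace = report.partition("allocated by")
    return {
        "access": kind,
        "size": size,
        "region_size": region_size,
        "out_of_bounds": size - inside,
        # True when the pointer was already at/past the end: the buffer accounting
        # before the copy is wrong, not merely the length by one.
        "starts_past_end": addr >= hi,
        "fault_frame": first_source_frame(access_trace),
        "alloc_frame": first_source_frame(alloc_trace),
    }
```

For the report above this yields a 1150-byte write that starts exactly at the end of the 1088-byte region, so every byte of the copy is out of bounds and the destination pointer was already at the buffer's end before the memcpy in obj_write_file ran.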
