[Nasm-bugs] [Bug 3392666] New: heap-buffer-overflow in asm/preproc.c:4893
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Wed May 27 00:38:05 PDT 2020
https://bugzilla.nasm.us/show_bug.cgi?id=3392666
Bug ID: 3392666
Summary: heap-buffer-overflow in asm/preproc.c:4893
Product: NASM
Version: 2.14.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: major
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: puppet at zju.edu.cn
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411763
--> https://bugzilla.nasm.us/attachment.cgi?id=411763&action=edit
POC_1_000346
version: nasm 2.14.03rc2
OS: Ubuntu 16.04 LTS
cmd: ./nasm -i bin ./POC -o /dev/null
ASAN log:
=================================================================
==18805==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000fa71 at pc 0x0000004487ff bp 0x7fffffffdda0 sp 0x7fffffffdd90
READ of size 1 at 0x60200000fa71 thread T0
#0 0x4487fe in expand_mmacro asm/preproc.c:4893
#1 0x44a9cb in pp_getline asm/preproc.c:5255
#2 0x408b57 in assemble_file asm/nasm.c:1488
#3 0x404a72 in main asm/nasm.c:617
#4 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4022a8 in _start (/data3/ASAN/nasm-2.14.03rc2/ASAN/nasm+0x4022a8)
0x60200000fa71 is located 0 bytes to the right of 1-byte region
[0x60200000fa70,0x60200000fa71)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x409f7e in nasm_malloc nasmlib/malloc.c:75
#2 0x4308d9 in new_Token asm/preproc.c:1222
#3 0x4488fa in expand_mmacro asm/preproc.c:4901
#4 0x44a9cb in pp_getline asm/preproc.c:5255
#5 0x408b57 in assemble_file asm/nasm.c:1488
#6 0x404a72 in main asm/nasm.c:617
#7 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow asm/preproc.c:4893
expand_mmacro
Shadow bytes around the buggy address:
0x0c047fff9ef0: fa fa 02 fa fa fa 04 fa fa fa 02 fa fa fa 00 01
0x0c047fff9f00: fa fa 00 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x0c047fff9f10: fa fa 02 fa fa fa 04 fa fa fa 02 fa fa fa 02 fa
0x0c047fff9f20: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa 03 fa
0x0c047fff9f30: fa fa 02 fa fa fa 03 fa fa fa 02 fa fa fa 04 fa
=>0x0c047fff9f40: fa fa 02 fa fa fa 02 fa fa fa 02 fa fa fa[01]fa
0x0c047fff9f50: fa fa 04 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
0x0c047fff9f60: fa fa 02 fa fa fa 02 fa fa fa 06 fa fa fa 02 fa
0x0c047fff9f70: fa fa 03 fa fa fa 00 fa fa fa 04 fa fa fa 02 fa
0x0c047fff9f80: fa fa 03 fa fa fa 04 fa fa fa 03 fa fa fa 00 01
0x0c047fff9f90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18805==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list