[Nasm-bugs] [Bug 3392671] New: heap-use-after-free in asm/preproc.c:4025

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Wed May 27 01:43:02 PDT 2020


https://bugzilla.nasm.us/show_bug.cgi?id=3392671

            Bug ID: 3392671
           Summary: heap-use-after-free in asm/preproc.c:4025
           Product: NASM
           Version: 2.14.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: major
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: puppet at zju.edu.cn
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411776
  --> https://bugzilla.nasm.us/attachment.cgi?id=411776&action=edit
POC_5_000334

version: nasm 2.14.03rc2

OS: Ubuntu 16.04 LTS

cmd: ./nasm -i bin ./POC -o /dev/null


ASAN log:

=================================================================
==5931==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000d160
at pc 0x000000442cae bp 0x7fffffffdcf0 sp 0x7fffffffdce0
READ of size 8 at 0x60f00000d160 thread T0
    #0 0x442cad in expand_mmac_params asm/preproc.c:4025
    #1 0x44a6a2 in pp_getline asm/preproc.c:5210
    #2 0x408b57 in assemble_file asm/nasm.c:1488
    #3 0x404a72 in main asm/nasm.c:617
    #4 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4022a8 in _start (/data3/ASAN/nasm-2.14.03rc2/ASAN/nasm+0x4022a8)

0x60f00000d160 is located 16 bytes inside of 176-byte region
[0x60f00000d150,0x60f00000d200)
freed by thread T0 here:
    #0 0x7ffff6f022ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x40a03d in nasm_free nasmlib/malloc.c:96
    #2 0x42c1e5 in free_mmacro asm/preproc.c:630
    #3 0x42c5bb in free_mmacro_table asm/preproc.c:663
    #4 0x42c6ef in free_macros asm/preproc.c:671
    #5 0x439303 in do_directive asm/preproc.c:2582
    #6 0x44a6bf in pp_getline asm/preproc.c:5216
    #7 0x408b57 in assemble_file asm/nasm.c:1488
    #8 0x404a72 in main asm/nasm.c:617
    #9 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7ffff6f0279a in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x409fd2 in nasm_zalloc nasmlib/malloc.c:85
    #2 0x43b25b in do_directive asm/preproc.c:2869
    #3 0x44a6bf in pp_getline asm/preproc.c:5216
    #4 0x408b57 in assemble_file asm/nasm.c:1488
    #5 0x404a72 in main asm/nasm.c:617
    #6 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free asm/preproc.c:4025
expand_mmac_params
Shadow bytes around the buggy address:
  0x0c1e7fff99d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff99f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1e7fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff9a20: 00 00 fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd
  0x0c1e7fff9a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e7fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c1e7fff9a60: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5931==ABORTING

-- 
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.


More information about the Nasm-bugs mailing list