[Nasm-bugs] [Bug 3392672] New: heap-use-after-free in asm/preproc.c:5454
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Wed May 27 01:44:33 PDT 2020
https://bugzilla.nasm.us/show_bug.cgi?id=3392672
Bug ID: 3392672
Summary: heap-use-after-free in asm/preproc.c:5454
Product: NASM
Version: 2.14.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: major
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: puppet at zju.edu.cn
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411777
--> https://bugzilla.nasm.us/attachment.cgi?id=411777&action=edit
POC_7_000608
version: nasm 2.14.03rc2
OS: Ubuntu 16.04 LTS
cmd: ./nasm -i bin ./POC -o /dev/null
ASAN log:
=================================================================
==41670==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000001ad8
at pc 0x00000044b745 bp 0x7fffffffd370 sp 0x7fffffffd360
READ of size 8 at 0x60f000001ad8 thread T0
#0 0x44b744 in pp_list_one_macro asm/preproc.c:5454
#1 0x44b759 in pp_list_one_macro asm/preproc.c:5454
#2 0x44b9f3 in pp_error_list_macros asm/preproc.c:5471
#3 0x4098b4 in nasm_verror_asm asm/nasm.c:1914
#4 0x4106b0 in nasm_error asm/error.c:95
#5 0x4247e8 in define_label asm/labels.c:506
#6 0x427934 in parse_line asm/parser.c:489
#7 0x4082c0 in assemble_file asm/nasm.c:1502
#8 0x404a72 in main asm/nasm.c:617
#9 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x4022a8 in _start (/data3/ASAN/nasm-2.14.03rc2/ASAN/nasm+0x4022a8)
0x60f000001ad8 is located 88 bytes inside of 176-byte region
[0x60f000001a80,0x60f000001b30)
freed by thread T0 here:
#0 0x7ffff6f022ca in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x40a03d in nasm_free nasmlib/malloc.c:96
#2 0x42c1e5 in free_mmacro asm/preproc.c:630
#3 0x43bdf1 in do_directive asm/preproc.c:2956
#4 0x44a6bf in pp_getline asm/preproc.c:5216
#5 0x408b57 in assemble_file asm/nasm.c:1488
#6 0x404a72 in main asm/nasm.c:617
#7 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T0 here:
#0 0x7ffff6f0279a in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x409fd2 in nasm_zalloc nasmlib/malloc.c:85
#2 0x43b25b in do_directive asm/preproc.c:2869
#3 0x44a6bf in pp_getline asm/preproc.c:5216
#4 0x408b57 in assemble_file asm/nasm.c:1488
#5 0x404a72 in main asm/nasm.c:617
#6 0x7ffff6ac082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-use-after-free asm/preproc.c:5454
pp_list_one_macro
Shadow bytes around the buggy address:
0x0c1e7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1e7fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e7fff8350: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c1e7fff8360: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
0x0c1e7fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e7fff8380: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1e7fff8390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1e7fff83a0: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==41670==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list