[Nasm-bugs] [Bug 3392779] New: Use-after-free in nasm at preproc:7257
noreply-nasm at dev.nasm.us
Tue Aug 31 05:41:09 PDT 2021
https://bugzilla.nasm.us/show_bug.cgi?id=3392779
Bug ID: 3392779
Summary: Use-after-free in nasm at preproc:7257
Product: NASM
Version: unspecified
Hardware: All
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: irfanariqzaki at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411825
--> https://bugzilla.nasm.us/attachment.cgi?id=411825&action=edit
poc and full stack trace
Hello,
We are currently working on a fuzz testing feature, and we found a
use-after-free error in nasm.
The stack traces are as follows:
==621==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000006a60 at pc 0x557f31948dc5 bp 0x7ffe9d3c7a90 sp 0x7ffe9d3c7a80
READ of size 4 at 0x610000006a60 thread T0
    #0 0x557f31948dc4 in pp_tokline asm/preproc.c:7257
    #1 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #2 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #3 0x557f318fb0e6 in main asm/nasm.c:717
    #4 0x7fa7169afbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #5 0x557f318f8699 in _start (.../nasm-git/install_asan/bin/nasm+0x111699)

0x610000006a60 is located 32 bytes inside of 192-byte region [0x610000006a40,0x610000006b00)
freed by thread T0 here:
    #0 0x7fa716e5d7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x557f31901f82 in nasm_free nasmlib/alloc.c:108
    #2 0x557f3192a93a in free_mmacro asm/preproc.c:958
    #3 0x557f3193a92e in do_directive asm/preproc.c:4354
    #4 0x557f31948df7 in pp_tokline asm/preproc.c:7264
    #5 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #6 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #7 0x557f318fb0e6 in main asm/nasm.c:717
    #8 0x7fa7169afbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

previously allocated by thread T0 here:
    #0 0x7fa716e5dd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x557f31901e9e in nasm_calloc nasmlib/alloc.c:72
    #2 0x557f31901eff in nasm_zalloc nasmlib/alloc.c:87
    #3 0x557f31939b41 in do_directive asm/preproc.c:4246
    #4 0x557f31948df7 in pp_tokline asm/preproc.c:7264
    #5 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #6 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #7 0x557f318fb0e6 in main asm/nasm.c:717
    #8 0x7fa7169afbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
The full stack trace and output are attached.
**Steps to reproduce**
We configured nasm using
$ CFLAGS="-g -O0 -fsanitize=address" ./configure
and built it using
$ make -j10; make install
and ran it with:
$ ./nasm <attached file> -o /dev/null
The poc is attached.
**Environment**
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- nasm version: latest commit of the master branch on GitHub
(https://github.com/netwide-assembler/nasm/tree/e2ed7b7e125e03646d3be537b11d1b46b9c3f506)
Thank you.
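Added example for triaging reports like the one above (not part of the bug report or of NASM): it parses the ASan heap-use-after-free output into its access, free and allocation stacks, picks the innermost frame inside the assembler sources (the "asm/" prefix is an assumption about which component is of interest), and names the function that is present on both the faulting and the freeing stack, which is where a stale pointer is usually kept alive. The sample input is the trace from this report with the wrapped frames re-joined onto one line each.

```python
import re

# Constructed sample: the ASan output quoted in this bug report, one line per frame.
ASAN_REPORT = """\
==621==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000006a60
READ of size 4 at 0x610000006a60 thread T0
    #0 0x557f31948dc4 in pp_tokline asm/preproc.c:7257
    #1 0x557f319493a4 in pp_getline asm/preproc.c:7328
freed by thread T0 here:
    #0 0x7fa716e5d7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x557f31901f82 in nasm_free nasmlib/alloc.c:108
    #2 0x557f3192a93a in free_mmacro asm/preproc.c:958
    #3 0x557f3193a92e in do_directive asm/preproc.c:4354
    #4 0x557f31948df7 in pp_tokline asm/preproc.c:7264
previously allocated by thread T0 here:
    #0 0x7fa716e5dd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x557f31901e9e in nasm_calloc nasmlib/alloc.c:72
    #2 0x557f31901eff in nasm_zalloc nasmlib/alloc.c:87
    #3 0x557f31939b41 in do_directive asm/preproc.c:4246
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
# Only frames carrying a file:line match; runtime frames like "(libasan.so.4+0x...)" are skipped.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+):(\d+)\s*$")

def parse_asan_report(text):
    """Return the error kind and address plus the three stacks as (function, file, line) lists."""
    report = {"kind": None, "address": None, "access": [], "freed": [], "allocated": []}
    section = "access"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report["kind"], report["address"] = m.groups()
        elif line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif (m := FRAME_RE.match(line)):
            func, path, lineno = m.groups()
            report[section].append((func, path, int(lineno)))
    return report

def triage(report, component="asm/"):
    """Innermost frame of each stack inside the component, skipping allocator wrappers (nasmlib/)."""
    return {name: next((f for f in report[name] if f[1].startswith(component)), None)
            for name in ("access", "freed", "allocated")}

def innermost_common_frame(report):
    """Deepest function on the faulting stack that also appears on the freeing stack."""
    freeing = {f[0] for f in report["freed"]}
    return next((f[0] for f in report["access"] if f[0] in freeing), None)
```

On this report the common frame is pp_tokline, which matches the reporter's trace: the object is freed via do_directive at preproc.c:7264 and read again at preproc.c:7257 in the same function.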