[Nasm-bugs] [Bug 3392779] New: Use-after-free in nasm at preproc:7257

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Tue Aug 31 05:41:09 PDT 2021


https://bugzilla.nasm.us/show_bug.cgi?id=3392779

            Bug ID: 3392779
           Summary: Use-after-free in nasm at preproc:7257
           Product: NASM
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: irfanariqzaki at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411825
  --> https://bugzilla.nasm.us/attachment.cgi?id=411825&action=edit
poc and full stack trace

Hello,

We are currently working on a fuzz-testing feature, and we found a
use-after-free error in nasm.

The stack trace is as follows:
==621==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000006a60 at pc 0x557f31948dc5 bp 0x7ffe9d3c7a90 sp 0x7ffe9d3c7a80
READ of size 4 at 0x610000006a60 thread T0
    #0 0x557f31948dc4 in pp_tokline asm/preproc.c:7257
    #1 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #2 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #3 0x557f318fb0e6 in main asm/nasm.c:717
    #4 0x7fa7169afbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #5 0x557f318f8699 in _start (.../nasm-git/install_asan/bin/nasm+0x111699)

0x610000006a60 is located 32 bytes inside of 192-byte region [0x610000006a40,0x610000006b00)
freed by thread T0 here:
    #0 0x7fa716e5d7a8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x557f31901f82 in nasm_free nasmlib/alloc.c:108
    #2 0x557f3192a93a in free_mmacro asm/preproc.c:958
    #3 0x557f3193a92e in do_directive asm/preproc.c:4354
    #4 0x557f31948df7 in pp_tokline asm/preproc.c:7264
    #5 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #6 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #7 0x557f318fb0e6 in main asm/nasm.c:717
    #8 0x7fa7169afbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

previously allocated by thread T0 here:
    #0 0x7fa716e5dd28 in __interceptor_calloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x557f31901e9e in nasm_calloc nasmlib/alloc.c:72
    #2 0x557f31901eff in nasm_zalloc nasmlib/alloc.c:87
    #3 0x557f31939b41 in do_directive asm/preproc.c:4246
    #4 0x557f31948df7 in pp_tokline asm/preproc.c:7264
    #5 0x557f319493a4 in pp_getline asm/preproc.c:7328
    #6 0x557f318ffb77 in assemble_file asm/nasm.c:1722
    #7 0x557f318fb0e6 in main asm/nasm.c:717
    #8 0x7fa7169afbf6 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

The full stack trace and output are attached.

**Steps to reproduce**

We configured nasm using

$ CFLAGS="-g -O0 -fsanitize=address" ./configure

and built it using 

$ make -j10; make install

and ran it with:

$ ./nasm <attached file> -o /dev/null

The poc is attached.

**Environment**
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- nasm version: latest commit of master branch on GitHub
(https://github.com/netwide-assembler/nasm/tree/e2ed7b7e125e03646d3be537b11d1b46b9c3f506)

Thank you.

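Added illustration, not nasm's code and not a claim about what asm/preproc.c does at the cited lines: the trace above shows a 192-byte mmacro block freed by free_mmacro() inside do_directive() (called from pp_tokline) and then read, 4 bytes at offset 32, from pp_tokline. That is the shape of a caller that still holds a pointer to an object one of its callees is allowed to free. The C example below uses constructed names (macro_def, pp_state, do_directive, pp_tokline as a stand-in, and the pseudo-directives '%begin'/'%end') and constructed input to show that shape and one way to structure the caller so it cannot read through a stale pointer: the freeing side clears the single owning pointer at the free site and reports what it did, and the reader re-reads the owner's pointer instead of keeping a copy across the call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example added to this report, not nasm's code. macro_def, pp_state,
 * do_directive, pp_tokline and the '%begin'/'%end' pseudo-directives are
 * invented here to show the bug shape, not nasm's preprocessor. */

struct macro_def {
    char name[32];
    int  nlines;                 /* body lines collected so far */
};

struct pp_state {
    struct macro_def *defining;  /* non-NULL while inside a definition; sole owner */
    int defined;                 /* completed definitions */
    int body_lines;              /* body lines across all completed definitions */
    int errors;
};

struct pp_summary { int defined; int body_lines; int errors; };

enum dir_result { DIR_NOT_DIRECTIVE, DIR_HANDLED, DIR_FREED_MACRO };

/* Directive handler. On '%end' it frees st->defining, the object the caller
 * may still hold a copy of (the free_mmacro() step in the trace). It clears
 * the shared pointer at the free site and tells the caller what happened. */
static enum dir_result do_directive(struct pp_state *st, const char *line)
{
    if (line[0] != '%')
        return DIR_NOT_DIRECTIVE;

    if (strncmp(line, "%begin ", 7) == 0) {
        if (st->defining) {      /* nested definition: reject, keep the current one */
            st->errors++;
            return DIR_HANDLED;
        }
        struct macro_def *m = calloc(1, sizeof *m);
        if (!m)
            abort();
        snprintf(m->name, sizeof m->name, "%s", line + 7);
        st->defining = m;
        return DIR_HANDLED;
    }

    if (strcmp(line, "%end") == 0) {
        if (!st->defining) {
            st->errors++;
            return DIR_HANDLED;
        }
        st->body_lines += st->defining->nlines;
        free(st->defining);
        st->defining = NULL;     /* clear the owning pointer where the free happens */
        st->defined++;
        return DIR_FREED_MACRO;
    }

    st->errors++;                /* unknown directive */
    return DIR_HANDLED;
}

/* Per-line driver. The shape that produces a report like the one above is:
 *
 *     struct macro_def *m = st->defining;   copy taken before the call
 *     do_directive(st, line);               may free *m
 *     if (m) m->nlines++;                   READ of freed memory
 *
 * Whether the copy is a local or a field kept across lines, the fix is the
 * same: act on the handler's result and re-read the owner's pointer. */
static void pp_tokline(struct pp_state *st, const char *line)
{
    enum dir_result r = do_directive(st, line);
    if (r != DIR_NOT_DIRECTIVE)
        return;                  /* directive consumed; the old object may be gone */
    if (st->defining)            /* fresh read, never a stale local */
        st->defining->nlines++;
}

/* Feeds a constructed input through the loop and returns the totals. */
struct pp_summary run_sample(void)
{
    static const char *const lines[] = {   /* constructed sample input */
        "%begin foo", "mov eax, 1", "ret", "%end",   /* 2 body lines */
        "nop",                                        /* outside any macro */
        "%begin bar", "%begin baz", "%end",          /* nested begin: 1 error */
    };
    struct pp_state st = {0};
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        pp_tokline(&st, lines[i]);
    if (st.defining) {           /* unterminated definition: still ours to free */
        free(st.defining);
        st.errors++;
    }
    struct pp_summary s = { st.defined, st.body_lines, st.errors };
    return s;
}

int main(void)
{
    struct pp_summary s = run_sample();
    printf("defined=%d body_lines=%d errors=%d\n", s.defined, s.body_lines, s.errors);
    return 0;
}
```

Building this with the same flags as the report (`-g -O0 -fsanitize=address`) and swapping in the commented-out cached-pointer version of pp_tokline is the quickest way to see ASan produce the same kind of heap-use-after-free report, with the free and allocation stacks pointing at do_directive.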