[Nasm-bugs] [Bug 3392744] New: argv out-of-bound read in parse_cmdline function in asm/nasm.c
noreply-nasm at dev.nasm.us
Wed Feb 24 21:59:49 PST 2021
https://bugzilla.nasm.us/show_bug.cgi?id=3392744
Bug ID: 3392744
Summary: argv out-of-bound read in parse_cmdline function in
asm/nasm.c
Product: NASM
Version: 2.15.xx
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: fengjianxinghun at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
os: Ubuntu 18.04.5 LTS
version: https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.gz
build: ./configure --enable-gdb
We've found a crash issue when we pass command line parameters as below. This
issue is caused by argv out-of-bound read in parse_cmdline function in
asm/nasm.c
PoC
```
./nasm -f elf -o myfile.o -MD
```
gdb-peda$ r
Starting program: /home/user/nasm-2.15.05/nasm -f elf -o myfile.o -MD
nasm: error: option `-MD' requires a parameter
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x1
RSI: 0x0
RDI: 0x7fffffffefad ("LESSOPEN=| /usr/bin/lesspipe %s")
RBP: 0x7fffffffe380 --> 0x7fffffffe3e0 --> 0x5555555fc7c0 (<__libc_csu_init>:
push r15)
RSP: 0x7fffffffe340 --> 0x7fffffffe5b8 --> 0x0
RIP: 0x5555555af509 (<parse_cmdline+212>: movzx eax,BYTE PTR [rax])
R8 : 0x7fffffffe0f0 --> 0x5555555ac500 (<gmtime at plt>: jmp QWORD PTR
[rip+0x356a62] # 0x555555902f68)
R9 : 0x5555555d0e57 (<list_error>: push rbp)
R10: 0x0
R11: 0x246
R12: 0x5555555ac5c0 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe4c0 --> 0x6
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x5555555af4fd <parse_cmdline+200>: add QWORD PTR [rbp-0x40],0x8
0x5555555af502 <parse_cmdline+205>: mov rax,QWORD PTR [rbp-0x40]
0x5555555af506 <parse_cmdline+209>: mov rax,QWORD PTR [rax]
=> 0x5555555af509 <parse_cmdline+212>: movzx eax,BYTE PTR [rax]
0x5555555af50c <parse_cmdline+215>: cmp al,0x40
0x5555555af50e <parse_cmdline+217>: jne 0x5555555af531
<parse_cmdline+252>
0x5555555af510 <parse_cmdline+219>: mov rax,QWORD PTR [rbp-0x40]
0x5555555af514 <parse_cmdline+223>: mov rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe340 --> 0x7fffffffe5b8 --> 0x0
0008| 0x7fffffffe348 --> 0xffffffe800000001
0016| 0x7fffffffe350 --> 0x7fffffffe380 --> 0x7fffffffe3e0 --> 0x5555555fc7c0
(<__libc_csu_init>: push r15)
0024| 0x7fffffffe358 --> 0x0
0032| 0x7fffffffe360 --> 0x0
0040| 0x7fffffffe368 --> 0x8
0048| 0x7fffffffe370 --> 0x555555918560 --> 0x8
0056| 0x7fffffffe378 --> 0x8f5ac1861230da00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555af509 in parse_cmdline (argc=0xffffffe8, argv=0x7fffffffe5b8,
pass=0x1) at asm/nasm.c:1494
1494 if (argv[0][0] == '@') {
gdb-peda$ quit
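The failure mode the gdb session shows (argc underflowed to 0xffffffe8, then argv[0][0] read past the end of argv) modelled in a small constructed parser, added here for illustration; it is not NASM's parse_cmdline and not part of the report. The option table in takes_param, the walk_unchecked/walk_checked functions and the two sample command lines are assumptions made for the demo.

```c
#include <string.h>

/* Constructed model of the reported failure (not NASM's own code): an option
 * that takes a parameter consumes argv[i+1] even when the option is the last
 * argument, so the remaining-argument count skips past zero, and a loop whose
 * only exit is "== 0" keeps walking argv beyond its NULL terminator. */

/* Hypothetical option table: these flags take exactly one parameter. */
static int takes_param(const char *opt)
{
    return !strcmp(opt, "-f") || !strcmp(opt, "-o") || !strcmp(opt, "-MD");
}

/* Unchecked walk. Returns the number of options seen, or -1 at the point where
 * the real parser would read argv out of bounds (the demo stops instead). */
int walk_unchecked(int argc, char **argv)
{
    int i = 1, seen = 0;                 /* argv[0] is the program name */
    while (argc - i != 0) {              /* like "while (--argc)": only == 0 exits */
        if (i > argc || argv[i] == NULL)
            return -1;                   /* real code dereferences argv[i][0] here */
        seen++;
        i += takes_param(argv[i]) ? 2 : 1;   /* assumes argv[i + 1] exists */
    }
    return seen;
}

/* Hardened walk: bounded by argc, and a parameter is consumed only if present.
 * Returns options seen, or -2 for "option requires a parameter". */
int walk_checked(int argc, char **argv)
{
    int seen = 0;
    for (int i = 1; i < argc && argv[i] != NULL; i++) {
        seen++;
        if (takes_param(argv[i])) {
            if (i + 1 >= argc || argv[i + 1] == NULL)
                return -2;               /* report the error, do not advance */
            i++;                         /* consume the parameter that exists */
        }
    }
    return seen;
}

/* Sample command lines (constructed): the reported PoC and a well-formed one.
 * Like a real argv, each is NULL-terminated. */
char *poc_argv[] = {"nasm", "-f", "elf", "-o", "myfile.o", "-MD", NULL};
char *ok_argv[]  = {"nasm", "-f", "elf", "-o", "myfile.o", "in.asm", NULL};
```

With the PoC arguments walk_unchecked reaches the out-of-bounds point (returns -1) while walk_checked stops with the missing-parameter error (-2); both accept the well-formed command line.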