[Nasm-bugs] [Bug 3392744] New: argv out-of-bound read in parse_cmdline function in asm/nasm.c

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Wed Feb 24 21:59:49 PST 2021


https://bugzilla.nasm.us/show_bug.cgi?id=3392744

            Bug ID: 3392744
           Summary: argv out-of-bound read in parse_cmdline function in
                    asm/nasm.c
           Product: NASM
           Version: 2.15.xx
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: fengjianxinghun at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

os: Ubuntu 18.04.5 LTS
version: https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.gz
build: ./configure --enable-gdb


We've found a crash issue when we pass the command line parameters below. This
issue is caused by an argv out-of-bound read in the parse_cmdline function in
asm/nasm.c.


PoC:
```
./nasm -f elf -o myfile.o -MD
```


```
gdb-peda$ r
Starting program: /home/user/nasm-2.15.05/nasm -f elf -o myfile.o -MD
nasm: error: option `-MD' requires a parameter

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x1
RSI: 0x0
RDI: 0x7fffffffefad ("LESSOPEN=| /usr/bin/lesspipe %s")
RBP: 0x7fffffffe380 --> 0x7fffffffe3e0 --> 0x5555555fc7c0 (<__libc_csu_init>:  push   r15)
RSP: 0x7fffffffe340 --> 0x7fffffffe5b8 --> 0x0
RIP: 0x5555555af509 (<parse_cmdline+212>:       movzx  eax,BYTE PTR [rax])
R8 : 0x7fffffffe0f0 --> 0x5555555ac500 (<gmtime@plt>:   jmp    QWORD PTR [rip+0x356a62]        # 0x555555902f68)
R9 : 0x5555555d0e57 (<list_error>:      push   rbp)
R10: 0x0
R11: 0x246
R12: 0x5555555ac5c0 (<_start>:  xor    ebp,ebp)
R13: 0x7fffffffe4c0 --> 0x6
R14: 0x0
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555af4fd <parse_cmdline+200>:  add    QWORD PTR [rbp-0x40],0x8
   0x5555555af502 <parse_cmdline+205>:  mov    rax,QWORD PTR [rbp-0x40]
   0x5555555af506 <parse_cmdline+209>:  mov    rax,QWORD PTR [rax]
=> 0x5555555af509 <parse_cmdline+212>:  movzx  eax,BYTE PTR [rax]
   0x5555555af50c <parse_cmdline+215>:  cmp    al,0x40
   0x5555555af50e <parse_cmdline+217>:  jne    0x5555555af531 <parse_cmdline+252>
   0x5555555af510 <parse_cmdline+219>:  mov    rax,QWORD PTR [rbp-0x40]
   0x5555555af514 <parse_cmdline+223>:  mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe340 --> 0x7fffffffe5b8 --> 0x0
0008| 0x7fffffffe348 --> 0xffffffe800000001
0016| 0x7fffffffe350 --> 0x7fffffffe380 --> 0x7fffffffe3e0 --> 0x5555555fc7c0 (<__libc_csu_init>:       push   r15)
0024| 0x7fffffffe358 --> 0x0
0032| 0x7fffffffe360 --> 0x0
0040| 0x7fffffffe368 --> 0x8
0048| 0x7fffffffe370 --> 0x555555918560 --> 0x8
0056| 0x7fffffffe378 --> 0x8f5ac1861230da00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00005555555af509 in parse_cmdline (argc=0xffffffe8, argv=0x7fffffffe5b8, pass=0x1) at asm/nasm.c:1494
1494            if (argv[0][0] == '@') {
gdb-peda$ quit
```

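Added example, not part of the report above and not NASM's own code: a small C model of the argv walk that the backtrace points at. It assumes an option loop of the shape `for (argv++; --argc; argv++)` with a hypothetical process_arg() that returns how many extra argv slots an option consumed, and a constructed stack image in which argv[argc] is NULL and the environment strings follow it. That layout is what the register dump is consistent with: RDI holds an environment string, RAX is 0 at the faulting load, and argc has gone negative. In the vulnerable variant the parser reports that `-MD' has no parameter but still advances by one slot, so the loop skips the NULL that terminates argv, keeps going because `--argc` never hits zero again, walks the environment, and finally dereferences the NULL that terminates envp. The fixed variant advances by zero on a missing parameter, so argc reaches zero and the loop stops inside argv. The reads are instrumented so the vulnerable path reports the overrun instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the process stack (not a real dump): argv[0..argc-1],
 * the NULL that terminates argv, the environment strings, then the NULL that
 * terminates envp. Hypothetical layout chosen to mirror the reported crash. */
static const char *image[] = {
    "./nasm", "-f", "elf", "-o", "myfile.o", "-MD",   /* argc == 6 */
    NULL,                                             /* argv[argc] */
    "LESSOPEN=| /usr/bin/lesspipe %s", "HOME=/home/user",
    NULL,                                             /* end of envp */
};
#define IMAGE_ARGC  6
#define IMAGE_SLOTS ((int)(sizeof(image) / sizeof(image[0])))

struct walk_result {
    int errors;      /* "requires a parameter" diagnostics emitted */
    int max_index;   /* highest slot index the loop dereferenced */
    int null_deref;  /* 1 if a NULL slot would have been dereferenced */
};

/* Hypothetical model of process_arg(): returns how many extra argv slots the
 * option consumed. Every option in the PoC command line takes one parameter. */
static int process_arg(const char *opt, const char *param, int fixed,
                       struct walk_result *r)
{
    int takes_param = !strcmp(opt, "-f") || !strcmp(opt, "-o") || !strcmp(opt, "-MD");
    if (!takes_param)
        return 0;
    if (param == NULL) {
        r->errors++;               /* option `-X' requires a parameter */
        return fixed ? 0 : 1;      /* bug: advancing past a parameter that is not there */
    }
    return 1;
}

/* Model of the parse_cmdline loop over `slots` (the whole image, so that a read
 * past argc is observed instead of faulting). Returns 1 if the walk stayed
 * inside argv, 0 if it ran off the end as in the reported crash. */
static int walk_cmdline(int argc, const char **slots, int fixed,
                        struct walk_result *r)
{
    int i = 0;
    memset(r, 0, sizeof *r);
    for (i++; --argc; i++) {                 /* for (argv++; --argc; argv++) */
        int advance;
        if (i >= IMAGE_SLOTS)
            return 0;                        /* left the constructed image entirely */
        r->max_index = i;
        if (slots[i] == NULL) {              /* argv[0][0] == '@' faults here */
            r->null_deref = 1;
            return 0;
        }
        if (slots[i][0] == '@')
            continue;                        /* response files: not modelled */
        /* The parameter is only offered when one is left in argc; otherwise NULL. */
        advance = process_arg(slots[i], argc > 1 ? slots[i + 1] : NULL, fixed, r);
        i += advance;
        argc -= advance;
    }
    return 1;
}

int main(void)
{
    struct walk_result r;
    int ok = walk_cmdline(IMAGE_ARGC, image, 0, &r);
    printf("vulnerable: %s, errors=%d, max_index=%d, null_deref=%d\n",
           ok ? "stayed in argv" : "ran off argv", r.errors, r.max_index, r.null_deref);
    ok = walk_cmdline(IMAGE_ARGC, image, 1, &r);
    printf("fixed:      %s, errors=%d, max_index=%d, null_deref=%d\n",
           ok ? "stayed in argv" : "ran off argv", r.errors, r.max_index, r.null_deref);
    return 0;
}
```

The point to check in any fix is that the number of slots consumed never exceeds the number actually present: once `argc > 1` is false there is no parameter to consume, and an advance of 1 at that point is exactly one slot too many. The negative argc in the backtrace is the symptom of the same off-by-one once the `--argc` termination test has been stepped over.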