[Nasm-bugs] [Bug 3392802] New: stack-use-after-scope asm/preproc.c:5373 in expand_mmac_params
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Mon Jul 4 09:40:50 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392802
Bug ID: 3392802
Summary: stack-use-after-scope asm/preproc.c:5373 in
expand_mmac_params
Product: NASM
Version: 2.16 (development)
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: 13579and24680 at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411848
--> https://bugzilla.nasm.us/attachment.cgi?id=411848&action=edit
A crashed file find by AFL and minimized by AFL-tmin
compile it with asan :
$ sh autogen.sh;
$ AFL_USE_ASAN=1 ./configure CC=afl-gcc CXX=afl-g++
$ AFL_USE_ASAN=1 make;
execute :
$ ./nasm poc -o /dev/null
=================================================================
==3116641==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7ffc904d1730 at pc 0x55c6554a5251 bp 0x7ffc904d1610 sp 0x7ffc904d1600
WRITE of size 8 at 0x7ffc904d1730 thread T0
#0 0x55c6554a5250 in expand_mmac_params asm/preproc.c:5373
#1 0x55c6554b7a5f in pp_tokline asm/preproc.c:7258
#2 0x55c6554b7a5f in pp_getline asm/preproc.c:7328
#3 0x55c655436cc2 in assemble_file asm/nasm.c:1723
#4 0x55c655429c0a in main asm/nasm.c:718
#5 0x7f429bb9f0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#6 0x55c65542d56d in _start (/home/a13579and2468/myfuzz/nasm/nasm+0x11b56d)
Address 0x7ffc904d1730 is located in stack of thread T0 at offset 192 in frame
#0 0x55c6554a30df in expand_mmac_params asm/preproc.c:5188
This frame has 8 object(s):
[32, 36) 'fst' (line 5136)
[48, 52) 'lst' (line 5136)
[64, 72) 'tail' (line 5189)
[96, 104) 'thead' (line 5189)
[128, 136) 'ep' (line 5254)
[160, 168) 'ep' (line 5272)
[192, 200) 'newlist' (line 892) <== Memory access at offset 192 is inside
this variable
[224, 240) 't' (line 5376)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope asm/preproc.c:5373 in
expand_mmac_params
Shadow bytes around the buggy address:
0x100012092290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000120922a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000120922b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000120922c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x1000120922d0: f1 f1 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
=>0x1000120922e0: f2 f2 00 f2 f2 f2[f8]f2 f2 f2 00 00 f3 f3 00 00
0x1000120922f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100012092300: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100012092310: f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 f8 f2 f2 f2
0x100012092320: 00 f2 f2 f2 00 f2 f2 f2 00 06 f3 f3 00 00 00 00
0x100012092330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3116641==ABORTING
--
You are receiving this mail because:
You are watching all bug changes.
You are on the CC list for the bug.
More information about the Nasm-bugs
mailing list