From noreply-nasm at dev.nasm.us Sun Jun 19 17:55:25 2022
From: noreply-nasm at dev.nasm.us (noreply-nasm at dev.nasm.us)
Date: Mon, 20 Jun 2022 00:55:25 +0000
Subject: [Nasm-bugs] [Bug 3392799] New: Netwide Assembler (NASM) before 2.15.05 has a Heap Buffer Overflow in quote_for_pmake asm/nasm.c
Message-ID:

https://bugzilla.nasm.us/show_bug.cgi?id=3392799

            Bug ID: 3392799
           Summary: Netwide Assembler (NASM) before 2.15.05 has a Heap Buffer Overflow in quote_for_pmake asm/nasm.c
           Product: NASM
           Version: 2.15.xx
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: gmk472874 at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Binary from nasm.us

Created attachment 411846
  --> https://bugzilla.nasm.us/attachment.cgi?id=411846&action=edit
nasm_PoC

I downloaded the latest version of the Nasm software from the nasm.us website for my fuzzer research. And then I found a crash with my fuzzer. I tried to reproduce the vulnerability, so I compiled the Nasm source code with gcc sanitizer options. And the Address Sanitizer showed there is a Heap Buffer Overflow with the PoC produced by the fuzzer.
Here is the link to this PoC and reproduction:
https://gist.github.com/naihsin/b96e2c5c2c81621b46557fd7aacd165f

The command is:

./nasm -t -Z/dev/null -g -O0 -o /dev/null -M -f bin ./poc

==28921==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000c396 at pc 0x0000004058d2 bp 0x7ffe3751baf0 sp 0x7ffe3751bae0
WRITE of size 1 at 0x60200000c396 thread T0
    #0 0x4058d1 in quote_for_pmake asm/nasm.c:853
    #1 0x4036d0 in emit_dependencies asm/nasm.c:398
    #2 0x404fd3 in main asm/nasm.c:735
    #3 0x7f4dc7a5e83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x402228 in _start (/home/hsin/tmp/nasm-2.15.05/nasm+0x402228)

0x60200000c396 is located 0 bytes to the right of 6-byte region [0x60200000c390,0x60200000c396)
allocated by thread T0 here:
    #0 0x7f4dc7ea0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x40b43a in nasm_malloc nasmlib/alloc.c:55
    #2 0x4053dd in quote_for_pmake asm/nasm.c:820
    #3 0x4036d0 in emit_dependencies asm/nasm.c:398
    #4 0x404fd3 in main asm/nasm.c:735
    #5 0x7f4dc7a5e83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow asm/nasm.c:853 quote_for_pmake
Shadow bytes around the buggy address:
==28921==ABORTING