[Nasm-bugs] [Bug 3392799] New: Netwide Assembler (NASM) before 2.15.05 has a Heap Buffer Overflow in quote_for_pmake asm/nasm.c
noreply-nasm at dev.nasm.us
noreply-nasm at dev.nasm.us
Sun Jun 19 17:55:25 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392799
Bug ID: 3392799
Summary: Netwide Assembler (NASM) before 2.15.05 has a Heap
Buffer Overflow in quote_for_pmake asm/nasm.c
Product: NASM
Version: 2.15.xx
Hardware: PC
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: gmk472874 at gmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Binary from nasm.us
Created attachment 411846
--> https://bugzilla.nasm.us/attachment.cgi?id=411846&action=edit
nasm_PoC
I downloaded the latest version of Nasm software in nasm.us website for my
fuzzer research.
And then I found a crash with my fuzzer.
I tried to reproduce the vulnerability, so I compiled the Nasm source code with
gcc sanitizer options.
And the Address sanitizer show there is a Heap Buffer Overflow with the PoC
produce by fuzzer.
Here is the link of this PoC and reproduction :
https://gist.github.com/naihsin/b96e2c5c2c81621b46557fd7aacd165f
The command is: ./nasm -t -Z/dev/null -g -O0 -o /dev/null -M -f bin ./poc
==28921==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000c396 at pc 0x0000004058d2 bp 0x7ffe3751baf0 sp 0x7ffe3751bae0
WRITE of size 1 at 0x60200000c396 thread T0
#0 0x4058d1 in quote_for_pmake asm/nasm.c:853
#1 0x4036d0 in emit_dependencies asm/nasm.c:398
#2 0x404fd3 in main asm/nasm.c:735
#3 0x7f4dc7a5e83f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#4 0x402228 in _start (/home/hsin/tmp/nasm-2.15.05/nasm+0x402228)
0x60200000c396 is located 0 bytes to the right of 6-byte region
[0x60200000c390,0x60200000c396)
allocated by thread T0 here:
#0 0x7f4dc7ea0602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40b43a in nasm_malloc nasmlib/alloc.c:55
#2 0x4053dd in quote_for_pmake asm/nasm.c:820
#3 0x4036d0 in emit_dependencies asm/nasm.c:398
#4 0x404fd3 in main asm/nasm.c:735
#5 0x7f4dc7a5e83f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-buffer-overflow asm/nasm.c:853 quote_for_pmake
Shadow bytes around the buggy address:
0x0c047fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9870: fa fa[06]fa fa fa fd fa fa fa fd fd fa fa 05 fa
0x0c047fff9880: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9890: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fff98a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff98b0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff98c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28921==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
You are watching all bug changes.
More information about the Nasm-bugs
mailing list