[Nasm-bugs] [Bug 3392795] New: Heap use-after-free on set_text

noreply-nasm at dev.nasm.us noreply-nasm at dev.nasm.us
Sun Mar 27 16:18:28 PDT 2022


https://bugzilla.nasm.us/show_bug.cgi?id=3392795

            Bug ID: 3392795
           Summary: Heap use-after-free on set_text
           Product: NASM
           Version: 2.16 (development)
          Hardware: All
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: mvanotti at protonmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

The following input causes a heap use-after-free (read) in the set_text
function.

```
%macro cp 1
%-0000000000000000000000000000000000000000000001
%endmacro
cp cxz
```

Address Sanitizer log:

```
mvanotti at tc1:~/nasm/fuzzer$ ASAN_OPTIONS=detect_leaks=0 ../nasm -f elf64 -g -FDWARF -o /tmp/a.o --pragma "preproc sane_empty_expansion" ~/minimizer/manual
/home/mvanotti/minimizer/manual:4: error: condition code `cxz' is not invertible
/home/mvanotti/minimizer/manual:2: ... from macro `cp' defined here
=================================================================
==1873733==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003320 at pc 0x55e507878874 bp 0x7ffca4ed4a70 sp 0x7ffca4ed4238
READ of size 48 at 0x606000003320 thread T0
    #0 0x55e507878873 in __interceptor_memcpy (/home/mvanotti/nasm/nasm+0x22b873) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2)
    #1 0x55e5079d9ed5 in set_text /home/mvanotti/nasm/asm/preproc.c:386:5
    #2 0x55e5079bd7a7 in expand_mmac_params /home/mvanotti/nasm/asm/preproc.c:5414:3
    #3 0x55e50798c53b in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7309:21
    #4 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
    #5 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
    #6 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
    #7 0x7ff0e93530b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x55e50786030d in _start (/home/mvanotti/nasm/nasm+0x21330d) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2)

0x606000003320 is located 0 bytes inside of 49-byte region [0x606000003320,0x606000003351)
freed by thread T0 here:
    #0 0x55e5078e0922 in free (/home/mvanotti/nasm/nasm+0x293922) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2)
    #1 0x55e5079d9d34 in set_text /home/mvanotti/nasm/asm/preproc.c:379:2
    #2 0x55e5079bd7a7 in expand_mmac_params /home/mvanotti/nasm/asm/preproc.c:5414:3
    #3 0x55e50798c53b in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7309:21
    #4 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
    #5 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
    #6 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
    #7 0x7ff0e93530b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x55e5078e0bce in __interceptor_malloc (/home/mvanotti/nasm/nasm+0x293bce) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2)
    #1 0x55e5079200e7 in nasm_malloc /home/mvanotti/nasm/nasmlib/alloc.c:55:9
    #2 0x55e5079abdfe in dup_Token /home/mvanotti/nasm/asm/preproc.c:1860:25
    #3 0x55e5079d5159 in dup_tlist /home/mvanotti/nasm/asm/preproc.c:898:24
    #4 0x55e5079d5159 in expand_mmacro /home/mvanotti/nasm/asm/preproc.c:6737:21
    #5 0x55e50798d31e in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7367:18
    #6 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
    #7 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
    #8 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
    #9 0x7ff0e93530b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free (/home/mvanotti/nasm/nasm+0x22b873) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2) in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff8610: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8620: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff8630: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8640: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8650: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 01 fa
=>0x0c0c7fff8660: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff8670: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8680: 00 00 01 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1873733==ABORTING
```

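As an added illustration (not NASM's code and not part of the report): the trace shows a free() at preproc.c:379 followed by a memcpy() at preproc.c:386 inside the same set_text() call, the shape of a setter that releases its old buffer before copying from a source that still points into it. The struct, both function bodies and the sample string below are hypothetical reconstructions of that pattern, placing the hardened ordering beside the unsafe one.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical token type, loosely modelled on what the trace implies; not NASM's struct. */
struct tok {
    char *text;   /* heap buffer owned by the token */
    size_t len;
};

/* Vulnerable shape: old buffer released BEFORE the copy. If src points into t->text
   (e.g. a suffix of the token's own text) the memcpy reads freed memory: the same
   free-then-memcpy order ASan reported inside set_text. */
void set_text_unsafe(struct tok *t, const char *src, size_t len)
{
    free(t->text);                    /* src may now be dangling */
    t->text = malloc(len + 1);
    if (!t->text) abort();
    memcpy(t->text, src, len);        /* heap-use-after-free read if src aliased */
    t->text[len] = '\0';
    t->len = len;
}

/* Hardened shape: build the new buffer first, release the old one last, so an
   aliasing src is still valid while it is read. */
void set_text_safe(struct tok *t, const char *src, size_t len)
{
    char *copy = malloc(len + 1);
    if (!copy) abort();
    memcpy(copy, src, len);
    copy[len] = '\0';
    free(t->text);                    /* old buffer released only after the copy */
    t->text = copy;
    t->len = len;
}

/* Exercises the aliasing case: re-sets the token to a suffix of its own buffer, the
   kind of call that turns the unsafe order into a UAF. Returns 1 on the expected result. */
int demo_aliasing_call(void)
{
    static const char sample[] = "%-0001";   /* constructed sample, not the report's input */
    struct tok t;
    t.len = sizeof(sample) - 1;
    t.text = malloc(t.len + 1);
    if (!t.text) abort();
    memcpy(t.text, sample, t.len + 1);
    set_text_safe(&t, t.text + 2, t.len - 2);  /* src aliases t.text */
    int ok = (t.len == 4) && strcmp(t.text, "0001") == 0;
    free(t.text);
    return ok;
}
```

Building with -fsanitize=address and routing the same aliasing call through set_text_unsafe reproduces a heap-use-after-free report of the same shape as the one above; the safe variant runs clean.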