[Nasm-bugs] [Bug 3392795] New: Heap use-after-free on set_text
noreply-nasm at dev.nasm.us
Sun Mar 27 16:18:28 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392795
Bug ID: 3392795
Summary: Heap use-after-free on set_text
Product: NASM
Version: 2.16 (development)
Hardware: All
OS: Linux
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: mvanotti at protonmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
The following input causes a heap use-after-free (read) in the set_text function.
```
%macro cp 1
%-0000000000000000000000000000000000000000000001
%endmacro
cp cxz
```
Address Sanitizer log:
```
mvanotti at tc1:~/nasm/fuzzer$ ASAN_OPTIONS=detect_leaks=0 ../nasm -f elf64 -g -FDWARF -o /tmp/a.o --pragma "preproc sane_empty_expansion" ~/minimizer/manual
/home/mvanotti/minimizer/manual:4: error: condition code `cxz' is not
invertible
/home/mvanotti/minimizer/manual:2: ... from macro `cp' defined here
=================================================================
==1873733==ERROR: AddressSanitizer: heap-use-after-free on address
0x606000003320 at pc 0x55e507878874 bp 0x7ffca4ed4a70 sp 0x7ffca4ed4238
READ of size 48 at 0x606000003320 thread T0
#0 0x55e507878873 in __interceptor_memcpy
(/home/mvanotti/nasm/nasm+0x22b873) (BuildId:
92cbed7b21cd5e8fe697ba986570fe18716faec2)
#1 0x55e5079d9ed5 in set_text /home/mvanotti/nasm/asm/preproc.c:386:5
#2 0x55e5079bd7a7 in expand_mmac_params
/home/mvanotti/nasm/asm/preproc.c:5414:3
#3 0x55e50798c53b in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7309:21
#4 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
#5 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
#6 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
#7 0x7ff0e93530b2 in __libc_start_main
/build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x55e50786030d in _start (/home/mvanotti/nasm/nasm+0x21330d) (BuildId:
92cbed7b21cd5e8fe697ba986570fe18716faec2)
0x606000003320 is located 0 bytes inside of 49-byte region
[0x606000003320,0x606000003351)
freed by thread T0 here:
#0 0x55e5078e0922 in free (/home/mvanotti/nasm/nasm+0x293922) (BuildId:
92cbed7b21cd5e8fe697ba986570fe18716faec2)
#1 0x55e5079d9d34 in set_text /home/mvanotti/nasm/asm/preproc.c:379:2
#2 0x55e5079bd7a7 in expand_mmac_params
/home/mvanotti/nasm/asm/preproc.c:5414:3
#3 0x55e50798c53b in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7309:21
#4 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
#5 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
#6 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
#7 0x7ff0e93530b2 in __libc_start_main
/build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x55e5078e0bce in __interceptor_malloc
(/home/mvanotti/nasm/nasm+0x293bce) (BuildId:
92cbed7b21cd5e8fe697ba986570fe18716faec2)
#1 0x55e5079200e7 in nasm_malloc /home/mvanotti/nasm/nasmlib/alloc.c:55:9
#2 0x55e5079abdfe in dup_Token /home/mvanotti/nasm/asm/preproc.c:1860:25
#3 0x55e5079d5159 in dup_tlist /home/mvanotti/nasm/asm/preproc.c:898:24
#4 0x55e5079d5159 in expand_mmacro
/home/mvanotti/nasm/asm/preproc.c:6737:21
#5 0x55e50798d31e in pp_tokline /home/mvanotti/nasm/asm/preproc.c:7367:18
#6 0x55e507989a94 in pp_getline /home/mvanotti/nasm/asm/preproc.c:7379:17
#7 0x55e507913ef4 in assemble_file /home/mvanotti/nasm/asm/nasm.c:1722:24
#8 0x55e507913ef4 in main /home/mvanotti/nasm/asm/nasm.c:717:9
#9 0x7ff0e93530b2 in __libc_start_main
/build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free (/home/mvanotti/nasm/nasm+0x22b873) (BuildId: 92cbed7b21cd5e8fe697ba986570fe18716faec2) in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c0c7fff8610: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8620: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff8630: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff8640: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8650: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 01 fa
=>0x0c0c7fff8660: fa fa fa fa[fd]fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8670: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x0c0c7fff8680: 00 00 01 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1873733==ABORTING
```
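The trace above shows set_text freeing a 49-byte region at preproc.c:379 and memcpy reading that same region at preproc.c:386, the pattern of a setter whose source string aliases the buffer it is about to replace. As an added illustration (not NASM's code; the token struct and function names are hypothetical), here is that free-then-copy ordering next to a copy-then-free variant that survives an aliasing source, plus a small overlap check usable as an assertion at call sites:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a preprocessor token with heap-owned text;
 * not NASM's struct Token. */
struct tok { char *text; size_t len; };
/* Ordering consistent with the ASan trace: old text is freed first, then the
 * replacement is copied from src. If src points into the buffer just freed,
 * memcpy reads freed memory. Illustration only; never called below. */
void set_text_free_first(struct tok *t, const char *src, size_t len)
{
    free(t->text);               /* region released here ... */
    t->text = malloc(len + 1);
    memcpy(t->text, src, len);   /* ... and read here if src aliased it */
    t->text[len] = '\0';
    t->len = len;
}
/* Does [src, src+len) overlap the token's current buffer? A cheap check
 * to assert at call sites of a free-first setter. */
int src_aliases_text(const struct tok *t, const char *src, size_t len)
{
    uintptr_t lo = (uintptr_t)t->text, hi = lo + t->len + 1, s = (uintptr_t)src;
    return s < hi && s + len > lo;
}
/* Hardened ordering: build the new buffer before releasing the old one, so
 * an aliasing src is still valid when it is read. Returns 0 on success. */
int set_text_copy_first(struct tok *t, const char *src, size_t len)
{
    char *fresh = malloc(len + 1);
    if (!fresh)
        return -1;
    memcpy(fresh, src, len);
    fresh[len] = '\0';
    free(t->text);
    t->text = fresh;
    t->len = len;
    return 0;
}
/* Worked case: replace a token's text with a suffix of itself, so src
 * aliases t->text. Returns the new text (caller frees), NULL on failure. */
char *replace_with_suffix(const char *initial, size_t skip)
{
    struct tok t = { malloc(strlen(initial) + 1), strlen(initial) };
    if (!t.text || skip > t.len) { free(t.text); return NULL; }
    memcpy(t.text, initial, t.len + 1);
    if (set_text_copy_first(&t, t.text + skip, t.len - skip) != 0) { free(t.text); return NULL; }
    return t.text;
}
```

Under ASan the free-first variant reports exactly the heap-use-after-free in __interceptor_memcpy seen above when src aliases t->text; the copy-first variant does not.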