[Nasm-bugs] [Bug 3392811] New: Stack-buffer-overflow in disasm on address 0x7ffe8026e8a0 at pc 0x0000004286f6 bp 0x7ffe8026bc90 sp 0x7ffe8026bc88
noreply-nasm at dev.nasm.us
Wed Sep 21 01:35:51 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392811
Bug ID: 3392811
Summary: Stack-buffer-overflow in disasm on address 0x7ffe8026e8a0 at pc 0x0000004286f6 bp 0x7ffe8026bc90 sp 0x7ffe8026bc88
Product: NASM
Version: 2.16 (development)
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Disassembler
Assignee: nobody at nasm.us
Reporter: xudong.c at foxmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411851
--> https://bugzilla.nasm.us/attachment.cgi?id=411851&action=edit
the POC file.
Hi, developers of NASM:
I tested the binary ndisasm with my fuzzer, and a crash occurred, i.e., a
stack-buffer-overflow error. The version of NASM is the latest (the newest
master branch on GitHub (https://github.com/netwide-assembler/nasm.git),
version: NASM version 2.16rc0 compiled on Sep 20 2022) and the operating system
is Ubuntu 18.04.6 LTS (Docker). The following are the details.
root at 1312a373d471:/fuzz-nasm/ndisasm# ./ndisasm
../out/crashes/id\:000001\,sig\:06\,src\:000003\,op\:havoc\,rep\:128\,354194
00000000 46 inc si
00000001 53 push bx
00000002 48 dec ax
00000003 B80011 mov ax,0x1100
00000006 FB sti
00000007 FA cli
00000008 0000 add [bx+si],al
0000000A 000A add [bp+si],cl
0000000C 1000 adc [bx+si],al
0000000E 53 push bx
0000000F 1F pop ds
00000010 FF db 0xff
00000011 7F06 jg 0x19
00000013 8B19 mov bx,[bx+di]
00000015 CB retf
00000016 76F7 jna 0xf
00000018 76B2 jna 0xffcc
0000001A 93 xchg ax,bx
0000001B C9 leave
0000001C E0EB loopne 0x9
0000001E DE db 0xde
0000001F DE db 0xde
00000020 DE db 0xde
00000021 DE db 0xde
00000022 DEC0 faddp st0
00000024 DE db 0xde
00000025 DE db 0xde
00000026 DE db 0xde
00000027 DE db 0xde
00000028 DE db 0xde
00000029 DE db 0xde
0000002A DE db 0xde
0000002B DE db 0xde
0000002C DE db 0xde
0000002D DE db 0xde
0000002E DE db 0xde
0000002F DE db 0xde
00000030 DE db 0xde
00000031 DE db 0xde
00000032 DE db 0xde
00000033 DE db 0xde
00000034 DE db 0xde
00000035 DE db 0xde
00000036 DE db 0xde
00000037 DE db 0xde
00000038 DE db 0xde
00000039 DE db 0xde
0000003A DE db 0xde
0000003B DE4B53 fimul word [bp+di+0x53]
0000003E 6D insw
0000003F 02611F add ah,[bx+di+0x1f]
00000042 5F pop di
00000043 0009 add [bx+di],cl
00000045 00940000 add [si+0x0],dl
00000049 FB sti
0000004A FB sti
0000004B FB sti
0000004C FB sti
0000004D FB sti
0000004E FB sti
0000004F 0031 add [bx+di],dh
00000051 53 push bx
00000052 47 inc di
00000053 E25F loop 0xb4
00000055 DE db 0xde
00000056 DE db 0xde
00000057 DE db 0xde
00000058 DE db 0xde
00000059 DE db 0xde
0000005A DE db 0xde
0000005B DE db 0xde
0000005C DE db 0xde
0000005D DE db 0xde
0000005E DE4B53 fimul word [bp+di+0x53]
00000061 6D insw
00000062 02611F add ah,[bx+di+0x1f]
00000065 5F pop di
00000066 0009 add [bx+di],cl
00000068 00940000 add [si+0x0],dl
0000006C FB sti
0000006D FB sti
0000006E FB sti
0000006F FB sti
00000070 FB sti
00000071 FB sti
00000072 0031 add [bx+di],dh
00000074 53 push bx
00000075 0015 add [di],dl
00000077 00D8 add al,bl
00000079 64007F03 add [fs:bx+0x3],bh
0000007D CB retf
0000007E 10 db 0x10
=================================================================
==837963==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8026e8a0 at pc 0x0000004286f6 bp 0x7ffe8026bc90 sp 0x7ffe8026bc88
READ of size 1 at 0x7ffe8026e8a0 thread T0
#0 0x4286f5 in matches (/fuzz-nasm/ndisasm/ndisasm+0x4286f5)
#1 0x41cf50 in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41cf50)
#2 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)
#3 0x7efc81801c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#4 0x406759 in _start (/fuzz-nasm/ndisasm/ndisasm+0x406759)
Address 0x7ffe8026e8a0 is located in stack of thread T0 at offset 96 in frame
#0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)
This frame has 6 object(s):
[32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
[128, 136) 'ep'
[160, 416) 'outbuf'
[480, 484) 'synclen'
[496, 516) 'prefer'
[560, 561) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/fuzz-nasm/ndisasm/ndisasm+0x4286f5) in matches
Shadow bytes around the buggy address:
0x100050045cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045d00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x100050045d10: 00 00 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x100050045d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045d30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
0x100050045d40: f2 f2 f2 f2 04 f2 00 00 04 f2 f2 f2 f2 f2 01 f3
0x100050045d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100050045d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==837963==ABORTING
I uploaded the POC in the attachment. Thank you for your time!
Credit
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
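As an added illustration of the bug class this trace describes (a one-byte READ past the end of the fixed-size `buffer` in `main`'s frame by an instruction matcher), here is a hypothetical toy matcher in C. It is not NASM's own `disasm()`/`matches()` code, and the report does not state the actual root cause, so the pattern table, `scan()` and the `matches_*` functions are all assumptions chosen to show the shape of the defect: an unbounded comparison next to a bounded one that takes the remaining input length, applied to a 64-byte buffer whose last byte is the start of a longer pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 64  /* same size as 'buffer' in the ASan frame listing, [32, 96) */

/* Toy instruction-table entry: a byte pattern and its length (hypothetical). */
struct pattern {
    const char *name;
    uint8_t bytes[4];
    size_t len;
};

static const struct pattern table[] = {
    { "faddp", { 0xDE, 0xC0 },       2 },
    { "fimul", { 0xDE, 0x4B, 0x53 }, 3 },
    { "sti",   { 0xFB },             1 },
};
#define NTABLE (sizeof table / sizeof table[0])

/* Shape of the defect (assumed, not NASM's code): compare pat->len bytes at p
 * with no idea how many input bytes remain. A 2-byte pattern tried at the
 * last byte of a 64-byte buffer reads buffer[64], i.e. an access just past
 * the variable, which is what ASan reports as "offset 96 overflows".
 * Kept for contrast only; scan() below never uses it. */
int matches_unbounded(const uint8_t *p, const struct pattern *pat)
{
    return memcmp(p, pat->bytes, pat->len) == 0;
}

/* Hardened form: the caller passes the bytes still available, and a pattern
 * longer than that cannot match, so the comparison never runs past the end
 * of the input buffer. */
int matches_bounded(const uint8_t *p, size_t avail, const struct pattern *pat)
{
    if (pat->len > avail)
        return 0;
    return memcmp(p, pat->bytes, pat->len) == 0;
}

/* Walk the buffer ndisasm-style: consume a whole pattern on a match,
 * otherwise emit one raw byte ("db"). Returns the number of decoded
 * instructions and stores the number of db bytes in *raw. */
size_t scan(const uint8_t *buf, size_t len, size_t *raw)
{
    size_t pos = 0, decoded = 0;
    *raw = 0;
    while (pos < len) {
        size_t avail = len - pos;
        const struct pattern *hit = NULL;
        for (size_t i = 0; i < NTABLE; i++) {
            if (matches_bounded(buf + pos, avail, &table[i])) {
                hit = &table[i];
                break;
            }
        }
        if (hit) {
            pos += hit->len;
            decoded++;
        } else {
            pos += 1;
            (*raw)++;
        }
    }
    return decoded;
}

/* Constructed input: a full 64-byte buffer whose last byte is the first byte
 * of a multi-byte pattern (the tail-of-input case). */
size_t demo_tail_case(size_t *raw)
{
    uint8_t buffer[BUFSZ];
    memset(buffer, 0xFB, sizeof buffer);  /* 63 x sti ... */
    buffer[BUFSZ - 1] = 0xDE;             /* ... then a lone 0xDE */
    return scan(buffer, sizeof buffer, raw);
}

/* Constructed input echoing a fragment of the report's listing:
 * faddp, fimul, sti, sti, then a trailing lone 0xDE. */
size_t demo_fragment(size_t *raw)
{
    static const uint8_t bytes[] = { 0xDE, 0xC0, 0xDE, 0x4B, 0x53, 0xFB, 0xFB, 0xDE };
    return scan(bytes, sizeof bytes, raw);
}

int main(void)
{
    size_t raw;
    size_t n = demo_tail_case(&raw);
    printf("tail case: %zu decoded, %zu db byte(s)\n", n, raw);
    n = demo_fragment(&raw);
    printf("fragment : %zu decoded, %zu db byte(s)\n", n, raw);
    return 0;
}
```

Build it with `-fsanitize=address` and the bounded scan runs clean on both inputs; the point of the contrast is that the only difference between the two matchers is the `avail` argument, which is the piece of information the decoder loop already has and the matcher must be given before it touches the next byte.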