[Nasm-bugs] [Bug 3392812] New: Stack-buffer-overflow in disasm on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608

noreply-nasm at dev.nasm.us
Wed Sep 21 01:42:21 PDT 2022


https://bugzilla.nasm.us/show_bug.cgi?id=3392812

            Bug ID: 3392812
           Summary: Stack-buffer-overflow in disasm on address
                    0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610
                    sp 0x7ffd3ffe8608
           Product: NASM
           Version: 2.16 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: blocker
          Priority: Medium
         Component: Disassembler
          Assignee: nobody at nasm.us
          Reporter: xudong.c at foxmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411852
  --> https://bugzilla.nasm.us/attachment.cgi?id=411852&action=edit
the POC file.

Hi, developers of NASM:
I tested the binary ndisasm with my fuzzer, and a crash occurred, i.e., a
stack-buffer-overflow error. The version of NASM is the latest (the newest
master branch on GitHub (https://github.com/netwide-assembler/nasm.git),
version: NASM version 2.16rc0 compiled on Sep 20 2022) and the operating system
is Ubuntu 18.04.6 LTS (docker). The following are the details.


root at 1312a373d471:/fuzz-nasm/ndisasm# ./ndisasm
../out/crashes/id\:000011\,sig\:06\,src\:000341\,op\:havoc\,rep\:4\,701855
00000000  46                inc si
00000001  53                push bx
00000002  0002              add [bp+si],al
00000004  00B3B3B3          add [bp+di-0x4c4d],dh
00000008  B3B3              mov bl,0xb3
0000000A  B3B3              mov bl,0xb3
0000000C  B3B3              mov bl,0xb3
0000000E  B3B3              mov bl,0xb3
00000010  B3B3              mov bl,0xb3
00000012  B3B3              mov bl,0xb3
00000014  B3B3              mov bl,0xb3
00000016  B3B3              mov bl,0xb3
00000018  B3B3              mov bl,0xb3
0000001A  B3B3              mov bl,0xb3
0000001C  B3B3              mov bl,0xb3
0000001E  B3B3              mov bl,0xb3
00000020  B3B3              mov bl,0xb3
00000022  B300              mov bl,0x0
00000024  3E3E3E3E3E3E3E3E  ds pop bx
         -3E3E3E3E3E3E3E3E
         -3E3E3E3E3E3E3E3E
         -3E3E3E3E5B
00000041  5B                pop bx
00000042  5C                pop sp
00000043  3E3E3E4F          ds dec di
=================================================================
==887807==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
READ of size 1 at 0x7ffd3ffea120 thread T0
    #0 0x41338b in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41338b)
    #1 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)
    #2 0x7f6308e6ec86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #3 0x406759 in _start (/fuzz-nasm/ndisasm/ndisasm+0x406759)

Address 0x7ffd3ffea120 is located in stack of thread T0 at offset 96 in frame
    #0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)

  This frame has 6 object(s):
    [32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
    [128, 136) 'ep'
    [160, 416) 'outbuf'
    [480, 484) 'synclen'
    [496, 516) 'prefer'
    [560, 561) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/fuzz-nasm/ndisasm/ndisasm+0x41338b) in disasm
Shadow bytes around the buggy address:
  0x100027ff53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff53e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff53f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5410: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x100027ff5420: 00 00 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100027ff5430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5440: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100027ff5450: f2 f2 f2 f2 04 f2 00 00 04 f2 f2 f2 f2 f2 01 f3
  0x100027ff5460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027ff5470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==887807==ABORTING



I uploaded the POC in the attachment. Thank you for your time!

Credit
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
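The ASan frame above says 'buffer' is 64 bytes ([32, 96)) and the faulting READ of size 1 lands at offset 96, exactly one byte past its end, after the listing shows a long run of 0x3E (ds) prefix bytes. The following is an added example, not NASM's code and not a claim about the actual root cause: a hypothetical prefix-skipping decoder front end that reproduces this bug class on a 64-byte buffer, with the unbounded loop shown next to a bounded one that reports running out of input instead of reading past the buffer. The prefix set, the struct and the helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not NASM's code: a 64-byte input buffer (the 'buffer'
 * [32, 96) in the ASan frame) and a decoder that skips legacy prefix bytes
 * such as 0x3E (DS override) before reading the opcode byte. */
#define BUFSZ 64
enum decode_status { DECODE_OK = 0, DECODE_NEED_MORE = 1 };
struct decoded { size_t prefixes; uint8_t opcode; size_t consumed; };

static int is_legacy_prefix(uint8_t b)
{   /* segment overrides, 66/67 size overrides, LOCK, REPNE, REP */
    return b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E ||
           b == 0x64 || b == 0x65 || b == 0x66 || b == 0x67 ||
           b == 0xF0 || b == 0xF2 || b == 0xF3;
}

/* Unbounded: if every byte is a prefix the loop reads buf[len], a 1-byte
 * READ just past the variable, the pattern ASan flagged. It is here only
 * to show the defect next to the fix; nothing below calls it. */
int decode_unbounded(const uint8_t *buf, size_t len, struct decoded *out)
{
    size_t i = 0;
    (void)len;                                  /* never consulted */
    while (is_legacy_prefix(buf[i])) i++;
    out->prefixes = i; out->opcode = buf[i]; out->consumed = i + 1;
    return DECODE_OK;
}

/* Bounded: every read is checked against the bytes actually available. */
int decode_bounded(const uint8_t *buf, size_t len, struct decoded *out)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(buf[i])) i++;
    if (i >= len) return DECODE_NEED_MORE;      /* prefix run hit the end */
    out->prefixes = i; out->opcode = buf[i]; out->consumed = i + 1;
    return DECODE_OK;
}

/* Constructed input: n_prefix bytes of 0x3E, optionally followed by 0x5B
 * (pop bx, as in the crash listing). Returns bytes consumed, or -1 when the
 * bounded decoder needs more input. Caller keeps n_prefix + pop <= BUFSZ. */
long bounded_consumed(size_t n_prefix, int append_pop)
{
    uint8_t buf[BUFSZ];
    struct decoded d;
    memset(buf, 0x3E, n_prefix);
    if (append_pop) buf[n_prefix] = 0x5B;
    if (decode_bounded(buf, n_prefix + (append_pop ? 1 : 0), &d) != DECODE_OK)
        return -1;
    return (long)d.consumed;
}
```

With a buffer that is nothing but 0x3E, `bounded_consumed(64, 0)` returns -1 where the unbounded variant would have read buf[64]; 29 prefixes followed by 0x5B decode to 30 consumed bytes.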
