[Nasm-bugs] [Bug 3392812] New: Stack-buffer-overflow in disasm on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
noreply-nasm at dev.nasm.us
Wed Sep 21 01:42:21 PDT 2022
https://bugzilla.nasm.us/show_bug.cgi?id=3392812
Bug ID: 3392812
Summary: Stack-buffer-overflow in disasm on address 0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
Product: NASM
Version: 2.16 (development)
Hardware: All
OS: All
Status: OPEN
Severity: blocker
Priority: Medium
Component: Disassembler
Assignee: nobody at nasm.us
Reporter: xudong.c at foxmail.com
CC: chang.seok.bae at intel.com, gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Built from git using configure
Created attachment 411852
--> https://bugzilla.nasm.us/attachment.cgi?id=411852&action=edit
the POC file.
Hi, developers of NASM:
I tested the binary ndisasm with my fuzzer, and a crash occurred, i.e., a stack-buffer-overflow error. The version of NASM is the latest (the newest master branch on GitHub (https://github.com/netwide-assembler/nasm.git), version: NASM version 2.16rc0 compiled on Sep 20 2022) and the operating system is Ubuntu 18.04.6 LTS (docker). The details follow.
root at 1312a373d471:/fuzz-nasm/ndisasm# ./ndisasm ../out/crashes/id\:000011\,sig\:06\,src\:000341\,op\:havoc\,rep\:4\,701855
00000000 46 inc si
00000001 53 push bx
00000002 0002 add [bp+si],al
00000004 00B3B3B3 add [bp+di-0x4c4d],dh
00000008 B3B3 mov bl,0xb3
0000000A B3B3 mov bl,0xb3
0000000C B3B3 mov bl,0xb3
0000000E B3B3 mov bl,0xb3
00000010 B3B3 mov bl,0xb3
00000012 B3B3 mov bl,0xb3
00000014 B3B3 mov bl,0xb3
00000016 B3B3 mov bl,0xb3
00000018 B3B3 mov bl,0xb3
0000001A B3B3 mov bl,0xb3
0000001C B3B3 mov bl,0xb3
0000001E B3B3 mov bl,0xb3
00000020 B3B3 mov bl,0xb3
00000022 B300 mov bl,0x0
00000024 3E3E3E3E3E3E3E3E ds pop bx
-3E3E3E3E3E3E3E3E
-3E3E3E3E3E3E3E3E
-3E3E3E3E5B
00000041 5B pop bx
00000042 5C pop sp
00000043 3E3E3E4F ds dec di
=================================================================
==887807==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd3ffea120 at pc 0x00000041338c bp 0x7ffd3ffe8610 sp 0x7ffd3ffe8608
READ of size 1 at 0x7ffd3ffea120 thread T0
#0 0x41338b in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41338b)
#1 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)
#2 0x7f6308e6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#3 0x406759 in _start (/fuzz-nasm/ndisasm/ndisasm+0x406759)
Address 0x7ffd3ffea120 is located in stack of thread T0 at offset 96 in frame
#0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)
This frame has 6 object(s):
[32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
[128, 136) 'ep'
[160, 416) 'outbuf'
[480, 484) 'synclen'
[496, 516) 'prefer'
[560, 561) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/fuzz-nasm/ndisasm/ndisasm+0x41338b) in disasm
Shadow bytes around the buggy address:
0x100027ff53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff53e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff53f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff5400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff5410: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x100027ff5420: 00 00 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00
0x100027ff5430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff5440: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
0x100027ff5450: f2 f2 f2 f2 04 f2 00 00 04 f2 f2 f2 f2 f2 01 f3
0x100027ff5460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027ff5470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==887807==ABORTING
I uploaded the POC in the attachment. Thank you for your time!
Credit
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
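The report above pins the bad read to one byte past the 64-byte `buffer` object in main (offset 96 is the end of the [32, 96) object), inside disasm, on an input whose tail is a long run of 0x3E (DS segment override) prefix bytes. The C below is an added illustration of that bug class, not NASM's disasm code: a prefix walk that trusts an opcode byte follows the prefixes, and therefore reads past the window when the window is nothing but prefixes, beside a walk that checks the window length and reports a truncated run to its caller instead of reading on. That the prefix run is what drives disasm past the buffer is an assumption drawn from the listing, not something the report confirms; the all-0x3E window, the redzone byte standing in for ASan's stack redzone, and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the 'buffer' object in the ASan frame dump ([32, 96) = 64 bytes).
 * The byte right after the window stands in for ASan's stack mid redzone (f2). */
#define WINDOW_LEN 64
#define REDZONE_BYTE 0xCC   /* int3: never a prefix, so an overrunning walk stops here */

/* x86 legacy prefixes. 0x3E (DS override) is the byte repeated in the crashing input. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E:   /* ES, CS, SS, DS overrides */
    case 0x64: case 0x65:                         /* FS, GS overrides */
    case 0x66: case 0x67:                         /* operand-size, address-size */
    case 0xF0: case 0xF2: case 0xF3:              /* LOCK, REPNE, REP */
        return 1;
    default:
        return 0;
    }
}

/* Constructed input (not the attached POC): a window of WINDOW_LEN DS prefixes with
 * no opcode byte, followed by one redzone byte. 'backing' must hold WINDOW_LEN + 1
 * bytes; the window is the first WINDOW_LEN of them. */
static const uint8_t *build_all_prefix_window(uint8_t *backing)
{
    memset(backing, 0x3E, WINDOW_LEN);
    backing[WINDOW_LEN] = REDZONE_BYTE;
    return backing;
}

/* Bug-class version: trusts that an opcode byte follows the prefix run, so it never
 * consults len. With a window made entirely of prefixes it dereferences
 * win[WINDOW_LEN], the same shape as the 1-byte read past 'buffer' ASan reported.
 * *max_read receives the highest offset dereferenced; the return is the offset of
 * the byte taken to be the opcode. */
static size_t prefix_walk_unbounded(const uint8_t *win, size_t len, size_t *max_read)
{
    size_t i = 0;
    (void)len;                          /* ignored: this is the defect */
    while (is_legacy_prefix(win[i]))
        i++;
    *max_read = i;                      /* the supposed opcode was read at win[i] */
    return i;
}

/* Hardened version: stops at the window end. A return value equal to len means the
 * window ended inside a prefix run; the caller must refill the window before
 * decoding rather than read past it. */
static size_t prefix_walk_bounded(const uint8_t *win, size_t len, size_t *max_read)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(win[i]))
        i++;
    *max_read = (i < len) ? i : (len ? len - 1 : 0);
    return i;
}

int main(void)
{
    uint8_t backing[WINDOW_LEN + 1];
    const uint8_t *win = build_all_prefix_window(backing);
    size_t mr, at;

    at = prefix_walk_unbounded(win, WINDOW_LEN, &mr);
    printf("unbounded walk: highest offset read = %zu (%s)\n", mr,
           mr >= WINDOW_LEN ? "past the window" : "inside the window");

    at = prefix_walk_bounded(win, WINDOW_LEN, &mr);
    printf("bounded walk:   highest offset read = %zu, stopped at %zu (%s)\n", mr, at,
           at == WINDOW_LEN ? "truncated, refill needed" : "opcode found");
    return 0;
}
```

Run under `-fsanitize=address` with the redzone byte removed from the backing array, the unbounded walk is exactly the kind of one-byte stack read the report shows; with the redzone byte present it stops safely, which is why the example reports the highest offset touched instead of relying on a crash.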