[Nasm-bugs] [Bug 3392842] New: heap overflow in nasm (macho_no_dead_strip)

noreply-nasm at dev.nasm.us
Thu Mar 16 00:35:20 PDT 2023


https://bugzilla.nasm.us/show_bug.cgi?id=3392842

            Bug ID: 3392842
           Summary: heap overflow in nasm (macho_no_dead_strip)
           Product: NASM
           Version: 2.17 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: youngseok.main at gmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Created attachment 411869
  --> https://bugzilla.nasm.us/attachment.cgi?id=411869&action=edit
poc_file

Hello,

Our fuzzer found a heap overflow bug in nasm.

Command Input:
nasm poc_file -fmacho64

poc_file is attached.

Output:
poc_file:1: error: label or instruction expected at start of line
poc_file:2: warning: label alone on a line without a colon might be in error [-w+label-orphan]
poc_file:5: error: label or instruction expected at start of line
poc_file:6: warning: label alone on a line without a colon might be in error [-w+label-orphan]
poc_file:7: error: label or instruction expected at start of line
poc_file:8: error: parser: instruction expected
poc_file:9: warning: label alone on a line without a colon might be in error [-w+label-orphan]
poc_file:11: error: parser: instruction expected
poc_file:12: error: parser: instruction expected
poc_file:13: warning: unterminated string (missing `'') [-w+pp-open-string]
poc_file:13: error: label or instruction expected at start of line
poc_file:15: error: parser: instruction expected
poc_file:16: warning: label alone on a line without a colon might be in error [-w+label-orphan]
poc_file:16: error: label `b' inconsistently redefined
poc_file:9: info: label `b' originally defined here
poc_file:18: error: parser: instruction expected
poc_file:19: error: invalid symbol in NO_DEAD_STRIP

Sanitizer Dump:
==30307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000037fe at pc 0x55555572c88c bp 0x7fffffffd8b0 sp 0x7fffffffd8a0
READ of size 1 at 0x6040000037fe thread T0
    #0 0x55555572c88b in macho_no_dead_strip output/outmacho.c:1774
    #1 0x55555572cb9c in macho_pragma output/outmacho.c:1817
    #2 0x5555556938d4 in call_pragma asm/pragma.c:114
    #3 0x555555693c7c in search_pragma_list asm/pragma.c:167
    #4 0x55555569435f in output_pragma asm/pragma.c:327
    #5 0x5555556941fb in process_pragma asm/pragma.c:290
    #6 0x555555693680 in process_directives asm/directiv.c:556
    #7 0x55555568690f in assemble_file asm/nasm.c:1728
    #8 0x555555681f50 in main asm/nasm.c:716
    #9 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x55555567f699 in _start (/home/youngseok/latest-subjects/nasm/nasm+0x12b699)

0x6040000037fe is located 0 bytes to the right of 46-byte region [0x6040000037d0,0x6040000037fe)
allocated by thread T0 here:
    #0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x555555688c3f in nasm_malloc nasmlib/alloc.c:55
    #2 0x555555688db5 in nasm_strdup nasmlib/alloc.c:117
    #3 0x55555572c814 in macho_no_dead_strip output/outmacho.c:1767
    #4 0x55555572cb9c in macho_pragma output/outmacho.c:1817
    #5 0x5555556938d4 in call_pragma asm/pragma.c:114
    #6 0x555555693c7c in search_pragma_list asm/pragma.c:167
    #7 0x55555569435f in output_pragma asm/pragma.c:327
    #8 0x5555556941fb in process_pragma asm/pragma.c:290
    #9 0x555555693680 in process_directives asm/directiv.c:556
    #10 0x55555568690f in assemble_file asm/nasm.c:1728
    #11 0x555555681f50 in main asm/nasm.c:716
    #12 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

Environment:
OS: Ubuntu 18.04
gcc: 7.5.0
nasm: 2.17rc0 (Git master branch, a916e4127b2eaa3bf40bddf3de9b0ceefc0d98a)

Note that we built nasm with sanitizers.

Any comments related to the crash are welcome. Since we are developing a new
fuzzing technique, it would be very helpful for our work.

Thank you.
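Added illustration, not part of the report above and not NASM's code: the dump says a 1-byte READ landed exactly at the end of a 46-byte region that nasm_strdup allocated inside macho_no_dead_strip, which is the signature of a word-splitting loop stepping one byte past a copied string's terminating NUL. The report does not show the defective line, so this reconstructs only that bug class with a buggy and a hardened loop; every function and variable name here is hypothetical.

```c
/* Illustrative reconstruction of the bug class (not NASM's code): a loop
 * that splits a copied directive argument into words and resumes one past
 * each word's end also resumes one past the NUL, which ASan reports as a
 * 1-byte READ "0 bytes to the right" of the region.  Names are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

static char *dup_string(const char *src)   /* stand-in for nasm_strdup */
{
    size_t len = strlen(src) + 1;          /* region is strlen + 1 bytes */
    char *s = malloc(len);
    if (s)
        memcpy(s, src, len);
    return s;
}
static char *skip_word(char *p)            /* end of the non-space run at p */
{
    while (*p && !isspace((unsigned char)*p)) p++;
    return p;
}
static char *skip_spaces(char *p)          /* first non-space at or after p */
{
    while (*p && isspace((unsigned char)*p)) p++;
    return p;
}

/* Counts the symbol names in a "sym1 sym2 ..." argument (a real tool would
 * look each one up).  With hardened == false the loop always resumes at
 * ep + 1; when the last word ends at the NUL that reads s[strlen(s) + 1],
 * one byte past the allocation.  With hardened == true the loop stops as
 * soon as a word ends at the terminator, so every read stays in bounds. */
static int count_symbols(const char *argstr, bool hardened)
{
    char *s = dup_string(argstr);
    int n = 0;
    if (!s)
        return -1;
    for (char *p = skip_spaces(s); *p; ) {
        char *ep = skip_word(p);
        char ec = *ep;                     /* separator that ended the word */
        *ep = '\0';                        /* NUL-terminate the word in place */
        n++;
        *ep = ec;                          /* restore the separator */
        if (hardened && ec == '\0')
            break;                         /* word ended at the terminator */
        p = skip_spaces(ep + 1);           /* out of bounds if ec == '\0' */
    }
    free(s);
    return n;
}
```

Only the hardened path is safe to call; the unhardened one exists to show where a sanitizer build would flag the read.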
