Bug 3392435 - There is an illegal address access in function find_cc() of nasm.
Summary: There is an illegal address access in function find_cc() of nasm.
Status: RESOLVED FIXED
Alias: None
Product: NASM
Classification: Unclassified
Component: Assembler
Version: unspecified
Hardware: All, OS: All
Importance: Medium blocker
Assignee: nobody
Reported: 2017-08-28 04:24 PDT by owl337
Modified: 2017-10-22 12:01 PDT (History)
CC List: 3 users

Obtained from: Binary from nasm.us
Generated by: ---
Bug category:
Breaks existing code: ---


Attachments
./nasm -f bin POC14 -o tmp (338 bytes, application/x-rar)
2017-08-28 04:24 PDT, owl337

Description owl337 2017-08-28 04:24:16 PDT
Created attachment 411612 [details]
./nasm -f bin  POC14 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin  POC14 -o tmp
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be enclosed in braces
Segmentation fault


The GDB debugging information is as follows:

(gdb) set args  -f bin  POC14 -o tmp
(gdb) r 
...
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:14: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: label or instruction expected at start of line
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be enclosed in braces

Program received signal SIGSEGV, Segmentation fault.
0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
3709	    if (t->type != TOK_ID)
(gdb) bt 
#0  0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
#1  expand_mmac_params (tline=0x0) at asm/preproc.c:4035
#2  0x000000000051bd82 in pp_getline () at asm/preproc.c:5166
#3  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c 
Continuing.
ASAN:SIGSEGV
=================================================================
==55298==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000535b63 sp 0x7fffffffddf0 bp 0x7fffffffdee0 T0)
==55298==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x535b62 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x535b62)
    #1 0x51bd81 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51bd81)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==55298==ABORTING
[Inferior 1 (process 55298) exited with code 01]
(gdb) 


Triggered in:
find_cc (t=0x0) at asm/preproc.c:3709
3709	    if (t->type != TOK_ID)
(gdb) list 
3704	
3705	    if (!t)
3706	        return -1;              /* Probably a %+ without a space */
3707	
3708	    skip_white_(t);
3709	    if (t->type != TOK_ID)
3710	        return -1;
3711	    tt = t->next;
3712	    skip_white_(tt);
3713	    if (tt && (tt->type != TOK_OTHER || strcmp(tt->text, ",")))


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 1 Cyrill Gorcunov 2017-10-22 12:01:49 PDT
commit 7524cfd91492e6e3719b959498be584a9ced13af
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 19:01:16 2017 +0300

    preproc: Fix sigsegv in find_cc
    
    For specially formed code we can have skip_white_
    to end up with nil pointer which should be taken
    into account.
    
    https://bugzilla.nasm.us/show_bug.cgi?id=3392435
    
    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---

Thanks for the report!
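The crash site listed in the report and the fix described in the commit message above, as an added C example that is not NASM's own code: a minimal token list modelled on the preprocessor's, a skip_white_ macro of the same shape (it can step past the last token and leave a NULL pointer), and a find_cc-style lookup that re-checks the pointer before dereferencing it. The Token struct, the cc_names table, find_cc_checked and build_tokens are assumptions for illustration only.

```c
#include <stddef.h>
#include <string.h>
/* Minimal model of the NASM preprocessor token list (constructed for this example). */
enum tok_type { TOK_ID, TOK_WHITESPACE, TOK_OTHER };
typedef struct Token { enum tok_type type; const char *text; struct Token *next; } Token;

/* Modelled after NASM's skip_white_: step over one whitespace token.
 * If that whitespace token is the last in the list, x ends up NULL. */
#define tok_type_(x, t) ((x) && (x)->type == (t))
#define skip_white_(x) do { if (tok_type_((x), TOK_WHITESPACE)) (x) = (x)->next; } while (0)

static const char *cc_names[] = { "e", "ne", "z", "nz", "c", "nc" }; /* illustrative subset */

/* Hypothetical hardened find_cc: index of the condition-code name, or -1.
 * The NULL check right after the first skip_white_ is what the crash site lacked. */
int find_cc_checked(const Token *t)
{
    const Token *tt;
    size_t i;

    if (!t)
        return -1;                    /* Probably a %+ without a space */
    skip_white_(t);
    if (!t || t->type != TOK_ID)      /* t may now be NULL: trailing whitespace */
        return -1;
    tt = t->next;
    skip_white_(tt);                  /* the second skip was already guarded by `tt &&` */
    if (tt && (tt->type != TOK_OTHER || strcmp(tt->text, ",")))
        return -1;
    for (i = 0; i < sizeof cc_names / sizeof cc_names[0]; i++)
        if (strcmp(t->text, cc_names[i]) == 0)
            return (int)i;
    return -1;
}

/* Link an array of strings into a token list: " " -> whitespace, "," -> other, else identifier. */
Token *build_tokens(Token *buf, const char **words, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        buf[i].type = !strcmp(words[i], " ") ? TOK_WHITESPACE : !strcmp(words[i], ",") ? TOK_OTHER : TOK_ID;
        buf[i].text = words[i];
        buf[i].next = (i + 1 < n) ? &buf[i + 1] : NULL;
    }
    return n ? buf : NULL;
}
```

A list consisting of a single whitespace token is the shape that crashed the original: skip_white_ advances past it, and the unchecked `t->type` read is the SEGV at address 0x18 in the sanitizer output.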