Created attachment 411612
./nasm -f bin POC14 -o tmp

Description:

The debugging information is as follows:

$ ./nasm -f bin POC14 -o tmp
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be enclosed in braces
Segmentation fault

The GDB debugging information is as follows:

(gdb) set args -f bin POC14 -o tmp
(gdb) r
...
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:14: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:18: error: label or instruction expected at start of line
id:000572,sig:11,src:007739,op:flip4,pos:289:15: ... from macro `b_struc' defined here
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: symbol `ro' redefined
id:000572,sig:11,src:007739,op:flip4,pos:289:19: error: parser: instruction expected
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: `%-1': not in a macro call
id:000572,sig:11,src:007739,op:flip4,pos:289:21: error: macro params should be enclosed in braces

Program received signal SIGSEGV, Segmentation fault.
0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
3709        if (t->type != TOK_ID)
(gdb) bt
#0  0x0000000000535b63 in find_cc (t=0x0) at asm/preproc.c:3709
#1  expand_mmac_params (tline=0x0) at asm/preproc.c:4035
#2  0x000000000051bd82 in pp_getline () at asm/preproc.c:5166
#3  0x0000000000483517 in assemble_file (fname=<optimized out>, depend_ptr=<optimized out>) at asm/nasm.c:1233
#4  main (argc=<optimized out>, argv=<optimized out>) at asm/nasm.c:453
(gdb) c
Continuing.
ASAN:SIGSEGV
=================================================================
==55298==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x000000535b63 sp 0x7fffffffddf0 bp 0x7fffffffdee0 T0)
==55298==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x535b62 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x535b62)
    #1 0x51bd81 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x51bd81)
    #2 0x483516 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x483516)
    #3 0x7ffff6ee6a3f (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x47e7e8 (/home/company/check_nasm/nasm-2.14rc0/install_asan/bin/nasm+0x47e7e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==55298==ABORTING
[Inferior 1 (process 55298) exited with code 01]
(gdb)

Triggered in:

find_cc (t=0x0) at asm/preproc.c:3709
3709        if (t->type != TOK_ID)
(gdb) list
3704
3705        if (!t)
3706            return -1;              /* Probably a %+ without a space */
3707
3708        skip_white_(t);
3709        if (t->type != TOK_ID)
3710            return -1;
3711        tt = t->next;
3712        skip_white_(tt);
3713        if (tt && (tt->type != TOK_OTHER || strcmp(tt->text, ",")))

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
commit 7524cfd91492e6e3719b959498be584a9ced13af
Author: Cyrill Gorcunov <gorcunov@gmail.com>
Date:   Sun Oct 22 19:01:16 2017 +0300

    preproc: Fix sigsegv in find_cc

    For specially formed code we can have skip_white_ to end up with nil
    pointer which should be taken into account.

    https://bugzilla.nasm.us/show_bug.cgi?id=3392435

    Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---

Thanks for the report!
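The crash pattern behind the gdb listing in the report and the commit message above, as an added example that is not nasm's code: a cut-down Token type, a skip_white_ macro of the shape assumed here (it advances past one whitespace token and does not re-check the pointer it leaves behind, so the pointer becomes NULL when whitespace is the last token of the line), and find_cc in the unchecked shape the listing shows beside a checked variant that re-tests the pointer before dereferencing it. The condition-code table and the token lines are constructed for the example; the names find_cc_unchecked, find_cc_checked, lookup_cc and demo_* are this example's own.

```c
/* Added example, not nasm's code: a minimal model of the token-list
 * pattern that produced "find_cc (t=0x0)" in the report. Token and
 * skip_white_ are simplified stand-ins for the nasm internals named
 * there (assumption: the real macro likewise advances past one
 * whitespace token without checking the resulting pointer). */
#include <stddef.h>
#include <string.h>

enum tok_type { TOK_ID, TOK_WHITESPACE, TOK_OTHER };

typedef struct Token {
    struct Token *next;
    const char   *text;
    enum tok_type type;
} Token;

/* Advance past a single whitespace token. If that token is the last one
 * on the line, (x) becomes NULL and the caller must re-check it. */
#define skip_white_(x) \
    do { if ((x) && (x)->type == TOK_WHITESPACE) (x) = (x)->next; } while (0)

/* Constructed subset of condition-code names; index is the return value. */
static const char *const cc_names[] = { "e", "ne", "z", "nz", "a", "b" };

static int lookup_cc(const char *s)
{
    size_t i;
    for (i = 0; i < sizeof cc_names / sizeof cc_names[0]; i++)
        if (strcmp(s, cc_names[i]) == 0)
            return (int)i;
    return -1;
}

/* 'Before' shape, matching the gdb listing: the NULL test happens only
 * before skip_white_, so a line whose last token is whitespace leaves
 * t == NULL and t->type faults (the SIGSEGV in the report). */
int find_cc_unchecked(Token *t)
{
    if (!t)
        return -1;
    skip_white_(t);
    if (t->type != TOK_ID)      /* NULL dereference when t became NULL */
        return -1;
    return lookup_cc(t->text);
}

/* Hardened shape: re-test the pointer after every skip_white_ before
 * touching it. The second skip already did this for tt in the listing. */
int find_cc_checked(Token *t)
{
    Token *tt;
    if (!t)
        return -1;
    skip_white_(t);
    if (!t || t->type != TOK_ID)
        return -1;
    tt = t->next;
    skip_white_(tt);
    if (tt && (tt->type != TOK_OTHER || strcmp(tt->text, ",")))
        return -1;
    return lookup_cc(t->text);
}

/* Constructed input " ne,": whitespace, identifier, comma. Both variants
 * handle it; returns the index of "ne". */
int demo_valid(void)
{
    Token comma = { NULL, ",", TOK_OTHER };
    Token id    = { &comma, "ne", TOK_ID };
    Token ws    = { &id, " ", TOK_WHITESPACE };
    return find_cc_checked(&ws);
}

int demo_valid_unchecked(void)
{
    Token comma = { NULL, ",", TOK_OTHER };
    Token id    = { &comma, "ne", TOK_ID };
    Token ws    = { &id, " ", TOK_WHITESPACE };
    return find_cc_unchecked(&ws);
}

/* Constructed edge case: whitespace is the last token on the line.
 * The checked variant returns -1; find_cc_unchecked on the same input
 * dereferences NULL. */
int demo_trailing_whitespace(void)
{
    Token ws = { NULL, " ", TOK_WHITESPACE };
    return find_cc_checked(&ws);
}
```

Building the example with -fsanitize=address and calling find_cc_unchecked on the trailing-whitespace input reproduces the "SEGV on unknown address" report shape for this model; the general rule it illustrates is that any helper which may advance a list pointer to NULL has to be followed by a fresh NULL test, not only preceded by one.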